Dharma - A generation-based, context-free grammar fuzzer

A generation-based, context-free grammar fuzzer.

Requirements

None

Examples

Generate a single test-case.

% ./dharma.py -grammars grammars/webcrypto.dg

Generate a single test case with multiple grammars.

% ./dharma.py -grammars grammars/canvas2d.dg grammars/mediarecorder.dg

Generating test-cases as files.

% ./dharma.py -grammars grammars/webcrypto.dg -storage . -count 5

Generate test-cases, send each over WebSocket to Firefox, observe the process for crashes and bucket them.

% ./dharma.py -server -grammars grammars/canvas2d.dg -template grammars/var/templates/html5/default.html
% ./framboise.py -setup inbound64-release -debug -worker 4 -testcase ~/dev/projects/fuzzers/dharma/grammars/var/index.html

Benchmark the generator.

% time ./dharma.py -grammars grammars/webcrypto.dg -count 10000 > /dev/null

Grammar Cheetsheet

Comment

%%% comment

Controls

%const% name := value

Sections

%section% := value
%section% := variable
%section% := variance

Extension methods

%range%(0-9)
%range%(0.0-9.0)
%range%(a-z)
%range%(!-~)
%range%(0x100-0x200)

%repeat%(+variable+)
%repeat%(+variable+, ", ")

%uri%(path)
%uri%(lookup_key)

%block%(path)

%choice%(foo, "bar", 1)

Assigning values

digit :=
    %range%(0-9)

sign :=
    +
    -

value :=
    +sign+%repeat%(+digit+)

Using values

+value+

Assigning variables

variable :=
    @variable@ = new Foo();

Using variables

value :=
    !variable!.bar();

Referencing values from common.dg

value :=
    attribute=+common:number+

Calling javascript library functions

foo :=
    Random.pick([0,1]);

Download Dharma