International audienceWhen testing a library, developers typically first have to capture the semantics they want to check. They then write the code implementing these tests and find relevant test cases that expose possible misbehaviours. In this work, we present a tool that automatically takes care of these last two steps by automatically generating fuzz testing suites from OCaml interfaces annotated with formal behavioural specifications. We also show some ongoing experiments on the capabilities and limitations of fuzzing applied to real-world libraries

Osborne, Nicolas

Pascutto, Clément

INRIA a CCSD electronic archive server

HAL Id: hal-03328646https://hal.inria.fr/hal-03328646Submitted on 30 Aug 2021HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.L’archive ouverte pluridisciplinaire HAL, estdestinée au dépôt et à la diffusion de documentsscientifiques de niveau recherche, publiés ou non,émanant des établissements d’enseignement et derecherche français ou étrangers, des laboratoirespublics ou privés.Leveraging Formal Specifications to Generate FuzzingSuitesNicolas Osborne, Clément PascuttoTo cite this version:Nicolas Osborne, Clément Pascutto. Leveraging Formal Specifications to Generate Fuzzing Suites.OCaml Users and Developers Workshop, co-located with the 26th ACM SIGPLAN InternationalConference on Functional Programming, Aug 2021, Virtual, United States. ￿hal-03328646￿Leveraging Formal Specifications to Generate Fuzzing SuitesNicolas Osborne1 and Clément Pascutto1,21Tarides, 75005 Paris, Francenicolas.osborne@tarides.com, clement@tarides.com2Université Paris-Saclay, CNRS, ENS Paris-Saclay, Inria, Laboratoire Méthodes Formelles,91190, Gif-sur-Yvette, FranceAbstractWhen testing a library, developers typically first haveto capture the semantics they want to check. They thenwrite the code implementing these tests and find relevanttest cases that expose possible misbehaviours.In this work, we present a tool that automatically takescare of these last two steps by automatically generatingfuzz testing suites from OCaml interfaces annotated withformal behavioural specifications. We also show someongoing experiments on the capabilities and limitationsof fuzzing applied to real-world libraries.1 IntroductionLibrary testing is the most common and accessible ap-proach for ensuring software engineering safety. It typ-ically requires developers to agree on the semantics oftheir programs before writing the code implementingchecks for this semantics, and finally finding relevant testcases that expose possible misbehaviours or trigger edgecases. We present a tool to automate these last two stepsby generating fuzz testing suites out of formal specifica-tions, so developers only have to write down the proper-ties that the implementation should satisfy.This work relies on Gospel [2], a contract-based be-havioural specification language, Monolith [3], a model-based test framework for fuzzing OCaml libraries, andis part of ortac, a runtime assertion checking tool forOCaml. The ortac project is open-source and availableat https://github.com/ocaml-gospel/ortac.At its core, ortac identifies an executable subset ofthe Gospel specifications and translates formulae intoOCaml Boolean expressions. It then wraps the user-written implementation with these runtime checks. Ifthe implementation complies with the specification, theoriginal implementation and the wrapper have the samebehaviour. Otherwise, the wrapped code raises an excep-tion carrying information about the unmet specifications.In this presentation, we will show an example of ourworkflow and explain how the code generation works un-der the hood. We will finish with some experiments onthe capabilities and limitations of fuzzing and applica-tions to real-world libraries.2 Workflow OverviewThe first—and only—task of the developer is to anno-tate their module signature with Gospel comments thathold function contracts and type invariants. Figure 1shows the contents of a file power.mli declaring a func-tion power annotated with a simple Gospel contract.val power : int -> int -> int(*@ r = power x nrequires n >= 0ensures r = pow x n *)Figure 1: Power module interface.Once the user has specified their module interface, theycan call ortac with monolith enabled on the interfacefile. The tool prints the generated code on stdout sothey — or the build system — can redirect it in a file:$ ortac --frontend=monolith power.mli > main.mlAt this point, main.ml contains a complete and cor-rect Monolith program that will exercise the contract ofpower. The user may run it either in random mode or infuzzing mode with afl-fuzz [1]:1# random mode$ ./main# fuzzing mode$ afl-fuzz -i inputs/ -o outputs/ -- ./main @@In both cases, Monolith provides inputs to the an-notated functions and reports errors in the directoryoutputs/crashes in the form of replayable scenarios.To get more information about a misbehaviour, the usercan replay the scenario by passing the corresponding filename to the generated program as an argument. Thisway, the user has access to the failure scenario and allthe errors reported by ortac on these specific inputs,highlighting the broken specifications.$ ./main outputs/crashes/<filename>File "power.mli", lines 1-4, characters 0-26:Runtime error in function ‘power’:- the post-condition‘r = pow x n’was violated.3 Under the Hood: a Frontendfor ortacThe architecture of ortac is designed such that its corecan be specialised by a frontend in order to extend itsdefault behaviour. Our fuzzing frontend specialises it inthree different ways to integrate it with Monolith. Fig-ure 2 presents the structure of the generated code.Prelude (specialised runtime)Reference module (wrapped implementation)Candidate module (original implementation)Generators for user-defined typesPrinters for user-defined typesMonolith specs for user-defined typesMonolith declarations and mainFigure 2: Organisation of the generated code.A specialised runtime. We provide the final codewith a specialised runtime, adapting the defaultortac-runtime to Monolith error reporting. For exam-ple, if a precondition is unmet, we do not report an er-ror but rather ignore this scenario. Our runtime alsoprovides generators and printers that Monolith does notprovide natively.Reference and candidate implementations.Monolith is a model based test framework; it requirestwo modules with the same signature, a Reference anda Candidate. We use the original implementation asthe Candidate, and the wrapper generated by ortac asthe Reference, as it contains the information about theexpected behaviour.Monolith declarations. The last part of the programregisters the functions in the interface and their types sothat Monolith can exercise them. Our frontend generatesthese declarations automatically from the typing infor-mation by constructing printers and random generatorsfor user-defined types.4 Conclusion and Future WorkThe ortac tool and its monolith frontend are under ac-tive development to extend the support for user-definedOCaml types and Gospel specifications. We also planto continue the experiments on real-world libraries in or-der to explore further the capabilities and limitations ofortac combined with fuzzing.References[1] afl-fuzz — American fuzzy lop. https://lcamtuf.coredump.cx/afl/.[2] Arthur Charguéraud, Jean-Christophe Filliâtre,Cláudio Lourenço, and Mário Pereira. GOSPEL -Providing OCaml with a Formal Specification Lan-guage. In FM 2019 - 23rd International Symposiumon Formal Methods, October 2019.[3] François Pottier. Strong automated testing of OCamllibraries. In Journées Francophones des Langages Ap-plicatifs (JFLA), February 2021.2

Leveraging Formal Specifications to Generate Fuzzing Suites

https://hal.inria.fr/hal-03328646v1/file/OCaml_2021.pdf

Leveraging Formal Specifications to Generate Fuzzing Suites

Abstract

Similar works

Full text

Available Versions

INRIA a CCSD electronic archive server