Tmin 0.03

Tmin is a fuzzing test case optimizer tool. A quick and simple tool to minimize the size and syntax of complex test cases in automated security testing.

The tool is somewhat related to delta, a more fully featured general-purpose optimizer, but is meant specifically for dealing with unknown or complex data formats (without the need to tokenize and re-serialize test cases), for hands-off detection of security fault conditions, and for easy integration with UI testing harnesses.

It is also capable of reducing the complexity of alphabets used on datasets that cannot be further trimmed down in size.

Usage details

The utility expects a file named testcase.in to be present in the current directory, and will write a minimal testcase to testcase.small. To optimize a test case for a target application, you can simply run:

./tmin /path/to/program

In this mode, tmin will run /path/to/program in every cycle, feed a modified test case to the program's stdin, and examine the exit status. The program exiting on a signal such as SIGSEGV is interpreted as the test case still working, whereas a clean execution is understood as the test case failing. You may also use the -x command-line switch to change the logic and treat non-zero return codes as fault conditions as well, and -w file to save the data to a specified location to be read by the tested application, instead of supplying it on stdin.

For remote testing, tmin supports the -s command-line switch. In this mode, the behavior of the specified program is ignored, and the utility instead waits for a SIGUSR1 (clean execution) or SIGUSR2 (fault condition) signal sent to the tmin process. Two common examples include:

./tmin -s -w local_file.txt /bin/true

./tmin -s nc 127.0.0.1 1234


As shown here, nc may be used as an easy wrapper for interaction with network services; and /bin/true may be used as a "decoy" target program when writing to local files.

In -s mode, the testing harness must prompt the tested application to read tmin output, analyze the outcome, and then send the appropriate signal to the utility. An example of how to do all this when testing an HTML filter or other browser-based technology is given in the tmin/web-example subdirectory.

Functionality demo

$ cat testcase.in
This is a lengthy and annoying hello world testcase.

$ cat testme.sh
#!/bin/bash

grep "el..*wo" || exit 0
exit 1

$ ../tmin -x ./testme.sh
tmin - complex testcase minimizer, version 0.03-beta (lcamtuf@google.com)
[*] Stage 0: loading 'testcase.in' and validating fault condition...
[*] Stage 1: recursive truncation (round 1, input = 53/53)
[*] Stage 1: recursive truncation (round 2, input = 27/53)
[*] Stage 1: recursive truncation (round 3, input = 14/53)
[*] Stage 1: recursive truncation (round 4, input = 10/53)
[*] Stage 1: recursive truncation (round 5, input = 8/53)
[*] Stage 1: recursive truncation (round 6, input = 7/53)
[*] Stage 2: block skipping (round 1, input = 7/53)
[*] Stage 2: block skipping (round 2, input = 6/53)
[*] Stage 2: block skipping (round 3, input = 5/53)
[*] Stage 3: alphabet normalization (round 1, charset = 5/5)
[*] Stage 3: alphabet normalization (round 2, charset = 5/5)
[*] Stage 4: character normalization (round 1, characters = 4/5)
[*] All done - writing output to 'testcase.small'...

== Final statistics==
Original size : 53 bytes
Optimized size : 5 bytes (-90.57%)
Chars replaced : 1 (1.89%)
Efficiency : 9 good / 49 bad
Round counts : 1:6 2:3 3:2 4:1

$ cat testcase.small
el0wo
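
The reduction seen in this session can be illustrated with a short sketch. This is an added example, not tmin's own code: the function names and the exact behaviour of each stage are assumptions, and is_fault stands in for running testme.sh under -x.

```python
import re

FILL = ord("0")  # replacement byte, matching the '0' seen in testcase.small
SAMPLE = b"This is a lengthy and annoying hello world testcase.\n"  # testcase.in

def is_fault(data: bytes) -> bool:
    """Stand-in for `tmin -x ./testme.sh`: fault when grep "el..*wo" matches."""
    return re.search(rb"el..*wo", data) is not None  # '.' never crosses a newline

def remove_blocks(data: bytes, fault) -> bytes:
    """Size reduction: delete blocks of halving size while the fault persists."""
    block = len(data) // 2
    while block >= 1:
        pos = 0
        while pos < len(data):
            candidate = data[:pos] + data[pos + block:]
            if fault(candidate):
                data = candidate          # keep the cut, retry at the same offset
            else:
                pos += block              # this block is needed, move on
        block //= 2
    return data

def normalize_alphabet(data: bytes, fault) -> bytes:
    """Replace every occurrence of a byte value with FILL if the fault persists."""
    for value in sorted(set(data) - {FILL}):
        candidate = data.replace(bytes([value]), bytes([FILL]))
        if fault(candidate):
            data = candidate
    return data

def normalize_chars(data: bytes, fault) -> bytes:
    """Replace single positions with FILL if the fault persists."""
    for i in range(len(data)):
        candidate = data[:i] + bytes([FILL]) + data[i + 1:]
        if data[i] != FILL and fault(candidate):
            data = candidate
    return data

def minimize(data: bytes, fault=is_fault) -> bytes:
    """Validate the fault first (Stage 0 in the log), then shrink and normalize."""
    if not fault(data):
        raise ValueError("input does not trigger the fault condition")
    data = remove_blocks(data, fault)
    data = normalize_alphabet(data, fault)
    return normalize_chars(data, fault)

if __name__ == "__main__":
    print(minimize(SAMPLE))
```

Any callable that takes bytes and returns True on a fault can be passed as the second argument to minimize, for example a wrapper that runs the target in a subprocess and checks its exit status.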

last updated on: June 10th, 2008, 10:34 GMT
price: FREE!
developed by: Michal Zalewski
license type: The Apache License 2.0
category: ROOT \ Programming \ Quality Assurance and Testing
