{
 "cells": [
  {
   "cell_type": "markdown",
   "id": "7efdd183",
   "metadata": {},
   "source": [
    "# The Fuzzing Book"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "16691489",
   "metadata": {},
   "source": [
    "## Sitemap\n",
    "While the chapters of this book can be read one after the other, there are many possible paths through the book. In this graph, an arrow _A_ → _B_ means that chapter _A_ is a prerequisite for chapter _B_. You can pick arbitrary paths in this graph to get to the topics that interest you most:\n"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "id": "aa848db3",
   "metadata": {
    "execution": {
     "iopub.execute_input": "2024-04-28T10:52:33.832146Z",
     "iopub.status.busy": "2024-04-28T10:52:33.831809Z",
     "iopub.status.idle": "2024-04-28T10:52:33.840104Z",
     "shell.execute_reply": "2024-04-28T10:52:33.839609Z"
    }
   },
   "outputs": [],
   "source": [
    "# ignore\n",
    "from IPython.display import SVG"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "id": "d827f4fa",
   "metadata": {
    "execution": {
     "iopub.execute_input": "2024-04-28T10:52:33.842995Z",
     "iopub.status.busy": "2024-04-28T10:52:33.842774Z",
     "iopub.status.idle": "2024-04-28T10:52:33.859928Z",
     "shell.execute_reply": "2024-04-28T10:52:33.859523Z"
    }
   },
   "outputs": [
    {
     "data": {
      "image/svg+xml": [
       "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"1482pt\" height=\"622pt\" viewBox=\"0.00 0.00 1481.88 622.00\">\n",
       "<g id=\"graph0\" class=\"graph\" transform=\"scale(1 1) rotate(0) translate(4 618)\">\n",
       "<polygon fill=\"white\" stroke=\"none\" points=\"-4,4 -4,-618 1477.88,-618 1477.88,4 -4,4\"/>\n",
       "<!-- Fuzzer -->\n",
       "<g id=\"node1\" class=\"node\">\n",
       "<title>Fuzzer</title>\n",
       "<g id=\"a_node1\"><a xlink:href=\"Fuzzer.ipynb\" xlink:title=\"Fuzzing: Breaking Things with Random Inputs (Fuzzer)\n",
       "\n",
       "In this chapter, we'll start with one of the simplest test generation techniques.  The key idea of random text generation, also known as fuzzing, is to feed a string of random characters into a program in the hope to uncover failures.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1009.62,-534 873.62,-534 873.62,-472 1015.62,-472 1015.62,-528 1009.62,-534\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1009.62,-534 1009.62,-528\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1015.62,-528 1009.62,-528\"/>\n",
       "<text text-anchor=\"middle\" x=\"944.62\" y=\"-516.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Fuzzing: Breaking</text>\n",
       "<text text-anchor=\"middle\" x=\"944.62\" y=\"-498.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Things</text>\n",
       "<text text-anchor=\"middle\" x=\"944.62\" y=\"-480.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">with Random Inputs</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage -->\n",
       "<g id=\"node2\" class=\"node\">\n",
       "<title>Coverage</title>\n",
       "<g id=\"a_node2\"><a xlink:href=\"Coverage.ipynb\" xlink:title=\"Code Coverage (Coverage)\n",
       "\n",
       "In the previous chapter, we introduced basic fuzzing – that is, generating random inputs to test programs.  How do we measure the effectiveness of these tests?  One way would be to check the number (and seriousness) of bugs found; but if bugs are scarce, we need a proxy for the likelihood of a test to uncover a bug.  In this chapter, we introduce the concept of code coverage, measuring which parts of a program are actually executed during a test run.  Measuring such coverage is also crucial for test generators that attempt to cover as much code as possible.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"599,-352 498.25,-352 498.25,-316 605,-316 605,-346 599,-352\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"599,-352 599,-346\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"605,-346 599,-346\"/>\n",
       "<text text-anchor=\"middle\" x=\"551.62\" y=\"-329.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Code Coverage</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Fuzzer&#45;&gt;Coverage -->\n",
       "<g id=\"edge1\" class=\"edge\">\n",
       "<title>Fuzzer-&gt;Coverage</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M873.14,-486.36C827.57,-475.14 767.86,-458.12 717.62,-436 668.87,-414.53 617.1,-381.12 584.59,-358.67\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"586.99,-356.07 576.79,-353.22 582.99,-361.82 586.99,-356.07\"/>\n",
       "</g>\n",
       "<!-- SearchBasedFuzzer -->\n",
       "<g id=\"node3\" class=\"node\">\n",
       "<title>SearchBasedFuzzer</title>\n",
       "<g id=\"a_node3\"><a xlink:href=\"SearchBasedFuzzer.ipynb\" xlink:title=\"Search-Based Fuzzing (SearchBasedFuzzer)\n",
       "\n",
       "Sometimes we are not only interested in fuzzing as many as possible diverse program inputs, but in deriving specific test inputs that achieve some objective, such as reaching specific statements in a program. When we have an idea of what we are looking for, then we can search for it. Search algorithms are at the core of computer science, but applying classic search algorithms like breadth or depth first search to search for tests is unrealistic, because these algorithms potentially require us to look at all possible inputs. However, domain-knowledge can be used to overcome this problem. For example, if we can estimate which of several program inputs is closer to the one we are looking for, then this information can guide us to reach the target quicker – this information is known as a heuristic. The way heuristics are applied systematically is captured in meta-heuristic search algorithms. The &quot;meta&quot; denotes that these algorithms are generic and can be instantiated differently to different problems. Meta-heuristics often take inspiration from processes observed in nature. For example, there are algorithms mimicking evolutionary processes, swarm intelligence, or chemical reactions. In general, they are much more efficient than exhaustive search approaches such that they can be applied to vast search spaces – search spaces as vast as the domain of program inputs are no problem for them.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"872.5,-432 726.75,-432 726.75,-396 878.5,-396 878.5,-426 872.5,-432\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"872.5,-432 872.5,-426\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"878.5,-426 872.5,-426\"/>\n",
       "<text text-anchor=\"middle\" x=\"802.62\" y=\"-409.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Search-Based Fuzzing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Fuzzer&#45;&gt;SearchBasedFuzzer -->\n",
       "<g id=\"edge2\" class=\"edge\">\n",
       "<title>Fuzzer-&gt;SearchBasedFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M894.96,-471.57C877.04,-460.59 857.13,-448.39 840.39,-438.14\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"842.59,-435.38 832.24,-433.14 838.93,-441.35 842.59,-435.38\"/>\n",
       "</g>\n",
       "<!-- Grammars -->\n",
       "<g id=\"node4\" class=\"node\">\n",
       "<title>Grammars</title>\n",
       "<g id=\"a_node4\"><a xlink:href=\"Grammars.ipynb\" xlink:title=\"Fuzzing with Grammars (Grammars)\n",
       "\n",
       "In the chapter on &quot;Mutation-Based Fuzzing&quot;, we have seen how to use extra hints – such as sample input files – to speed up test generation.  In this chapter, we take this idea one step further, by providing a specification of the legal inputs to a program.  Specifying inputs via a grammar allows for very systematic and efficient test generation, in particular for complex input formats.  Grammars also serve as the base for configuration fuzzing, API fuzzing, GUI fuzzing, and many more.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"986.75,-436 896.5,-436 896.5,-392 992.75,-392 992.75,-430 986.75,-436\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"986.75,-436 986.75,-430\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"992.75,-430 986.75,-430\"/>\n",
       "<text text-anchor=\"middle\" x=\"944.62\" y=\"-418.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Fuzzing with</text>\n",
       "<text text-anchor=\"middle\" x=\"944.62\" y=\"-400.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Grammars</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Fuzzer&#45;&gt;Grammars -->\n",
       "<g id=\"edge3\" class=\"edge\">\n",
       "<title>Fuzzer-&gt;Grammars</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M944.62,-471.57C944.62,-463.83 944.62,-455.47 944.62,-447.62\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"948.13,-447.76 944.63,-437.76 941.13,-447.76 948.13,-447.76\"/>\n",
       "</g>\n",
       "<!-- SymbolicFuzzer -->\n",
       "<g id=\"node5\" class=\"node\">\n",
       "<title>SymbolicFuzzer</title>\n",
       "<g id=\"a_node5\"><a xlink:href=\"SymbolicFuzzer.ipynb\" xlink:title=\"Symbolic Fuzzing (SymbolicFuzzer)\n",
       "\n",
       "One of the problems with traditional methods of fuzzing is that they fail to exercise all the possible behaviors that a system can have, especially when the input space is large. Quite often the execution of a specific branch of execution may happen only with very specific inputs, which could represent a minimal fraction of the input space. The traditional fuzzing methods relies on chance to produce inputs they need. However, relying on randomness to generate values that we want is a bad idea when the space to be explored is huge. For example, a function that accepts a string, even if one only considers the first $10$ characters, already has $2^{80}$ possible inputs. If one is looking for a specific string, random generation of values will take a few thousand years even in one of the super computers.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1128.62,-432 1010.62,-432 1010.62,-396 1134.62,-396 1134.62,-426 1128.62,-432\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1128.62,-432 1128.62,-426\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1134.62,-426 1128.62,-426\"/>\n",
       "<text text-anchor=\"middle\" x=\"1072.62\" y=\"-409.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Symbolic Fuzzing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Fuzzer&#45;&gt;SymbolicFuzzer -->\n",
       "<g id=\"edge4\" class=\"edge\">\n",
       "<title>Fuzzer-&gt;SymbolicFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M989.39,-471.57C1005.24,-460.8 1022.83,-448.85 1037.73,-438.72\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1039.54,-441.72 1045.85,-433.2 1035.61,-435.93 1039.54,-441.72\"/>\n",
       "</g>\n",
       "<!-- FuzzingInTheLarge -->\n",
       "<g id=\"node6\" class=\"node\">\n",
       "<title>FuzzingInTheLarge</title>\n",
       "<g id=\"a_node6\"><a xlink:href=\"FuzzingInTheLarge.ipynb\" xlink:title=\"Fuzzing in the Large (FuzzingInTheLarge)\n",
       "\n",
       "In the past chapters, we have always looked at fuzzing taking place on one machine for a few seconds only.  In the real world, however, fuzzers are run on dozens or even thousands of machines; for hours, days and weeks; for one program or dozens of programs.  In such contexts, one needs an infrastructure to collect failure data from the individual fuzzer runs, and to aggregate such data in a central repository.  In this chapter, we will examine such an infrastructure, the FuzzManager framework from Mozilla.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1286.5,-432 1152.75,-432 1152.75,-396 1292.5,-396 1292.5,-426 1286.5,-432\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1286.5,-432 1286.5,-426\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1292.5,-426 1286.5,-426\"/>\n",
       "<text text-anchor=\"middle\" x=\"1222.62\" y=\"-409.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Fuzzing in the Large</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Fuzzer&#45;&gt;FuzzingInTheLarge -->\n",
       "<g id=\"edge5\" class=\"edge\">\n",
       "<title>Fuzzer-&gt;FuzzingInTheLarge</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1015.86,-479.71C1059.07,-466.18 1113.85,-449.04 1156.17,-435.8\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1156.98,-439.21 1165.48,-432.88 1154.89,-432.53 1156.98,-439.21\"/>\n",
       "</g>\n",
       "<!-- MutationFuzzer -->\n",
       "<g id=\"node8\" class=\"node\">\n",
       "<title>MutationFuzzer</title>\n",
       "<g id=\"a_node8\"><a xlink:href=\"MutationFuzzer.ipynb\" xlink:title=\"Mutation-Based Fuzzing (MutationFuzzer)\n",
       "\n",
       "Most randomly generated inputs are syntactically invalid and thus are quickly rejected by the processing program.  To exercise functionality beyond input processing, we must increase chances to obtain valid inputs.  One such way is so-called mutational fuzzing – that is, introducing small changes to existing inputs that may still keep the input valid, yet exercise new behavior.  We show how to create such mutations, and how to guide them towards yet uncovered code, applying central concepts from the popular AFL fuzzer.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"604.25,-276 493,-276 493,-232 610.25,-232 610.25,-270 604.25,-276\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"604.25,-276 604.25,-270\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"610.25,-270 604.25,-270\"/>\n",
       "<text text-anchor=\"middle\" x=\"551.62\" y=\"-258.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Mutation-Based</text>\n",
       "<text text-anchor=\"middle\" x=\"551.62\" y=\"-240.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Fuzzing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage&#45;&gt;MutationFuzzer -->\n",
       "<g id=\"edge7\" class=\"edge\">\n",
       "<title>Coverage-&gt;MutationFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M551.62,-315.69C551.62,-307.46 551.62,-297.33 551.62,-287.73\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"555.13,-287.95 551.63,-277.95 548.13,-287.95 555.13,-287.95\"/>\n",
       "</g>\n",
       "<!-- MutationAnalysis -->\n",
       "<g id=\"node9\" class=\"node\">\n",
       "<title>MutationAnalysis</title>\n",
       "<g id=\"a_node9\"><a xlink:href=\"MutationAnalysis.ipynb\" xlink:title=\"Mutation Analysis (MutationAnalysis)\n",
       "\n",
       "In the chapter on coverage, we showed how one can identify which parts of the program are executed by a program, and hence get a sense of the effectiveness of a set of test cases in covering the program structure.  However, coverage alone may not be the best measure for the effectiveness of a test, as one can have great coverage without ever checking a result for correctness.  In this chapter, we introduce another means for assessing the effectiveness of a test suite: After injecting mutations – artificial faults – into the code, we check whether a test suite can detect these artificial faults.  The idea is that if it fails to detect such mutations, it will also miss real bugs.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"294.25,-272 171,-272 171,-236 300.25,-236 300.25,-266 294.25,-272\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"294.25,-272 294.25,-266\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"300.25,-266 294.25,-266\"/>\n",
       "<text text-anchor=\"middle\" x=\"235.62\" y=\"-249.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Mutation Analysis</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage&#45;&gt;MutationAnalysis -->\n",
       "<g id=\"edge8\" class=\"edge\">\n",
       "<title>Coverage-&gt;MutationAnalysis</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M497.88,-320.46C449.79,-309.15 377.39,-291.89 314.62,-276 313.63,-275.75 312.63,-275.49 311.63,-275.24\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"312.71,-271.9 302.16,-272.8 310.97,-278.68 312.71,-271.9\"/>\n",
       "</g>\n",
       "<!-- GrammarCoverageFuzzer -->\n",
       "<g id=\"node10\" class=\"node\">\n",
       "<title>GrammarCoverageFuzzer</title>\n",
       "<g id=\"a_node10\"><a xlink:href=\"GrammarCoverageFuzzer.ipynb\" xlink:title=\"Grammar Coverage (GrammarCoverageFuzzer)\n",
       "\n",
       "Producing inputs from grammars gives all possible expansions of a rule the same likelihood.  For producing a comprehensive test suite, however, it makes more sense to maximize variety – for instance, by not repeating the same expansions over and over again.  In this chapter, we explore how to systematically cover elements of a grammar such that we maximize variety and do not miss out individual elements.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1101.25,-272 972,-272 972,-236 1107.25,-236 1107.25,-266 1101.25,-272\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1101.25,-272 1101.25,-266\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1107.25,-266 1101.25,-266\"/>\n",
       "<text text-anchor=\"middle\" x=\"1039.62\" y=\"-249.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Grammar Coverage</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage&#45;&gt;GrammarCoverageFuzzer -->\n",
       "<g id=\"edge9\" class=\"edge\">\n",
       "<title>Coverage-&gt;GrammarCoverageFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M605.34,-327.86C684.36,-319.78 836.33,-302.27 963.62,-276 965.22,-275.67 966.82,-275.33 968.44,-274.97\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"968.81,-278.48 977.76,-272.8 967.23,-271.66 968.81,-278.48\"/>\n",
       "</g>\n",
       "<!-- ProbabilisticGrammarFuzzer -->\n",
       "<g id=\"node11\" class=\"node\">\n",
       "<title>ProbabilisticGrammarFuzzer</title>\n",
       "<g id=\"a_node11\"><a xlink:href=\"ProbabilisticGrammarFuzzer.ipynb\" xlink:title=\"Probabilistic Grammar Fuzzing (ProbabilisticGrammarFuzzer)\n",
       "\n",
       "Let us give grammars even more power by assigning probabilities to individual expansions.  This allows us to control how many of each element should be produced, and thus allows us to target our generated tests towards specific functionality.  We also show how to learn such probabilities from given sample inputs, and specifically direct our tests towards input features that are uncommon in these samples.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"466.75,-196 346.5,-196 346.5,-152 472.75,-152 472.75,-190 466.75,-196\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"466.75,-196 466.75,-190\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"472.75,-190 466.75,-190\"/>\n",
       "<text text-anchor=\"middle\" x=\"409.62\" y=\"-178.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Probabilistic</text>\n",
       "<text text-anchor=\"middle\" x=\"409.62\" y=\"-160.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Grammar Fuzzing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage&#45;&gt;ProbabilisticGrammarFuzzer -->\n",
       "<g id=\"edge10\" class=\"edge\">\n",
       "<title>Coverage-&gt;ProbabilisticGrammarFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M498.09,-325.43C443.97,-316.56 365.8,-299.95 347.62,-276 335.8,-260.42 339.76,-249.91 347.62,-232 352.25,-221.46 359.9,-212.01 368.27,-203.97\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"370.5,-206.68 375.67,-197.43 365.86,-201.44 370.5,-206.68\"/>\n",
       "</g>\n",
       "<!-- ConcolicFuzzer -->\n",
       "<g id=\"node12\" class=\"node\">\n",
       "<title>ConcolicFuzzer</title>\n",
       "<g id=\"a_node12\"><a xlink:href=\"ConcolicFuzzer.ipynb\" xlink:title=\"Concolic Fuzzing (ConcolicFuzzer)\n",
       "\n",
       "In the chapter on information flow, we have seen how one can use dynamic taints to produce more intelligent test cases than simply looking for program crashes. We have also seen how one can use the taints to update the grammar, and hence focus more on the dangerous methods.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"946,-112 833.25,-112 833.25,-76 952,-76 952,-106 946,-112\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"946,-112 946,-106\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"952,-106 946,-106\"/>\n",
       "<text text-anchor=\"middle\" x=\"892.62\" y=\"-89.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Concolic Fuzzing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage&#45;&gt;ConcolicFuzzer -->\n",
       "<g id=\"edge11\" class=\"edge\">\n",
       "<title>Coverage-&gt;ConcolicFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M579.14,-315.62C593.05,-305.57 609.16,-291.79 619.62,-276 651.47,-227.95 615.2,-191.02 657.62,-152 713.2,-100.9 750.56,-135.01 823.62,-116 824.29,-115.83 824.95,-115.65 825.62,-115.48\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"826.44,-118.88 835.16,-112.86 824.6,-112.13 826.44,-118.88\"/>\n",
       "</g>\n",
       "<!-- DynamicInvariants -->\n",
       "<g id=\"node13\" class=\"node\">\n",
       "<title>DynamicInvariants</title>\n",
       "<g id=\"a_node13\"><a xlink:href=\"DynamicInvariants.ipynb\" xlink:title=\"Mining Function Specifications (DynamicInvariants)\n",
       "\n",
       "When testing a program, one not only needs to cover its several behaviors; one also needs to check whether the result is as expected.  In this chapter, we introduce a technique that allows us to mine function specifications from a set of given executions, resulting in abstract and formal descriptions of what the function expects and what it delivers.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"468.62,-276 356.62,-276 356.62,-232 474.62,-232 474.62,-270 468.62,-276\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"468.62,-276 468.62,-270\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"474.62,-270 468.62,-270\"/>\n",
       "<text text-anchor=\"middle\" x=\"415.62\" y=\"-258.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Mining Function</text>\n",
       "<text text-anchor=\"middle\" x=\"415.62\" y=\"-240.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Specifications</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage&#45;&gt;DynamicInvariants -->\n",
       "<g id=\"edge12\" class=\"edge\">\n",
       "<title>Coverage-&gt;DynamicInvariants</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M521.44,-315.69C504.25,-305.83 482.33,-293.26 462.9,-282.11\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"464.74,-279.13 454.32,-277.19 461.25,-285.2 464.74,-279.13\"/>\n",
       "</g>\n",
       "<!-- PythonFuzzer -->\n",
       "<g id=\"node14\" class=\"node\">\n",
       "<title>PythonFuzzer</title>\n",
       "<g id=\"a_node14\"><a xlink:href=\"PythonFuzzer.ipynb\" xlink:title=\"Testing Compilers (PythonFuzzer)\n",
       "\n",
       "In this chapter, we will make use of grammars and grammar-based testing to systematically generate program code – for instance, to test a compiler or an interpreter. Not very surprisingly, we use Python and the Python interpreter as our domain.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"786.38,-272 666.88,-272 666.88,-236 792.38,-236 792.38,-266 786.38,-272\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"786.38,-272 786.38,-266\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"792.38,-266 786.38,-266\"/>\n",
       "<text text-anchor=\"middle\" x=\"729.62\" y=\"-249.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Testing Compilers</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage&#45;&gt;PythonFuzzer -->\n",
       "<g id=\"edge13\" class=\"edge\">\n",
       "<title>Coverage-&gt;PythonFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M591.13,-315.69C617.19,-304.27 651.56,-289.21 679.54,-276.95\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"680.78,-280.22 688.54,-273 677.97,-273.81 680.78,-280.22\"/>\n",
       "</g>\n",
       "<!-- WhenToStopFuzzing -->\n",
       "<g id=\"node15\" class=\"node\">\n",
       "<title>WhenToStopFuzzing</title>\n",
       "<g id=\"a_node15\"><a xlink:href=\"WhenToStopFuzzing.ipynb\" xlink:title=\"When To Stop Fuzzing (WhenToStopFuzzing)\n",
       "\n",
       "In the past chapters, we have discussed several fuzzing techniques.  Knowing what to do is important, but it is also important to know when to stop doing things.  In this chapter, we will learn when to stop fuzzing – and use a prominent example for this purpose: The Enigma machine that was used in the second world war by the navy of Nazi Germany to encrypt communications, and how Alan Turing and I.J. Good used fuzzing techniques to crack ciphers for the Naval Enigma machine.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"147.25,-272 0,-272 0,-236 153.25,-236 153.25,-266 147.25,-272\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"147.25,-272 147.25,-266\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"153.25,-266 147.25,-266\"/>\n",
       "<text text-anchor=\"middle\" x=\"76.62\" y=\"-249.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">When To Stop Fuzzing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Coverage&#45;&gt;WhenToStopFuzzing -->\n",
       "<g id=\"edge14\" class=\"edge\">\n",
       "<title>Coverage-&gt;WhenToStopFuzzing</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M498.04,-326.84C422.61,-317.79 280.98,-299.41 161.62,-276 159.73,-275.63 157.81,-275.24 155.88,-274.84\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"156.69,-271.44 146.17,-272.75 155.21,-278.28 156.69,-271.44\"/>\n",
       "</g>\n",
       "<!-- GrammarFuzzer -->\n",
       "<g id=\"node18\" class=\"node\">\n",
       "<title>GrammarFuzzer</title>\n",
       "<g id=\"a_node18\"><a xlink:href=\"GrammarFuzzer.ipynb\" xlink:title=\"Efficient Grammar Fuzzing (GrammarFuzzer)\n",
       "\n",
       "In the chapter on grammars, we have seen how to use grammars for very effective and efficient testing.  In this chapter, we refine the previous string-based algorithm into a tree-based algorithm, which is much faster and allows for much more control over the production of fuzz inputs.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1029.25,-356 906,-356 906,-312 1035.25,-312 1035.25,-350 1029.25,-356\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1029.25,-356 1029.25,-350\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1035.25,-350 1029.25,-350\"/>\n",
       "<text text-anchor=\"middle\" x=\"970.62\" y=\"-338.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Efficient Grammar</text>\n",
       "<text text-anchor=\"middle\" x=\"970.62\" y=\"-320.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Fuzzing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Grammars&#45;&gt;GrammarFuzzer -->\n",
       "<g id=\"edge17\" class=\"edge\">\n",
       "<title>Grammars-&gt;GrammarFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M951.73,-391.69C954.25,-384.12 957.15,-375.43 959.91,-367.16\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"963.21,-368.32 963.05,-357.72 956.57,-366.1 963.21,-368.32\"/>\n",
       "</g>\n",
       "<!-- Intro_Testing -->\n",
       "<g id=\"node7\" class=\"node\">\n",
       "<title>Intro_Testing</title>\n",
       "<g id=\"a_node7\"><a xlink:href=\"Intro_Testing.ipynb\" xlink:title=\"Introduction to Software Testing (Intro_Testing)\n",
       "\n",
       "Before we get to the central parts of the book, let us introduce essential concepts of software testing.  Why is it necessary to test software at all?  How does one test software?  How can one tell whether a test has been successful?  How does one know if one has tested enough?  In this chapter, let us recall the most important concepts, and at the same time get acquainted with Python and interactive notebooks.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"999.12,-614 884.12,-614 884.12,-570 1005.12,-570 1005.12,-608 999.12,-614\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"999.12,-614 999.12,-608\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1005.12,-608 999.12,-608\"/>\n",
       "<text text-anchor=\"middle\" x=\"944.62\" y=\"-596.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Introduction to</text>\n",
       "<text text-anchor=\"middle\" x=\"944.62\" y=\"-578.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Software Testing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Intro_Testing&#45;&gt;Fuzzer -->\n",
       "<g id=\"edge6\" class=\"edge\">\n",
       "<title>Intro_Testing-&gt;Fuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M944.62,-569.94C944.62,-562.61 944.62,-554.11 944.62,-545.7\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"948.13,-545.92 944.63,-535.92 941.13,-545.92 948.13,-545.92\"/>\n",
       "</g>\n",
       "<!-- GreyboxFuzzer -->\n",
       "<g id=\"node16\" class=\"node\">\n",
       "<title>GreyboxFuzzer</title>\n",
       "<g id=\"a_node16\"><a xlink:href=\"GreyboxFuzzer.ipynb\" xlink:title=\"Greybox Fuzzing (GreyboxFuzzer)\n",
       "\n",
       "In the previous chapter, we have introduced mutation-based fuzzing, a technique that generates fuzz inputs by applying small mutations to given inputs. In this chapter, we show how to guide these mutations towards specific goals such as coverage. The algorithms in this chapter stem from the popular American Fuzzy Lop (AFL) fuzzer, in particular from its AFLFast and AFLGo flavors. We will explore the greybox fuzzing algorithm behind AFL and how we can exploit it to solve various problems for automated vulnerability detection.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"604.38,-192 490.88,-192 490.88,-156 610.38,-156 610.38,-186 604.38,-192\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"604.38,-192 604.38,-186\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"610.38,-186 604.38,-186\"/>\n",
       "<text text-anchor=\"middle\" x=\"550.62\" y=\"-169.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Greybox Fuzzing</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- MutationFuzzer&#45;&gt;GreyboxFuzzer -->\n",
       "<g id=\"edge15\" class=\"edge\">\n",
       "<title>MutationFuzzer-&gt;GreyboxFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M551.35,-231.69C551.24,-223.09 551.11,-213.05 550.99,-203.82\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"554.49,-203.81 550.87,-193.86 547.5,-203.9 554.49,-203.81\"/>\n",
       "</g>\n",
       "<!-- GrammarMiner -->\n",
       "<g id=\"node24\" class=\"node\">\n",
       "<title>GrammarMiner</title>\n",
       "<g id=\"a_node24\"><a xlink:href=\"GrammarMiner.ipynb\" xlink:title=\"Mining Input Grammars (GrammarMiner)\n",
       "\n",
       "So far, the grammars we have seen have been mostly specified manually – that is, you (or the person knowing the input format) had to design and write a grammar in the first place.  While the grammars we have seen so far have been rather simple, creating a grammar for complex inputs can involve quite some effort.  In this chapter, we therefore introduce techniques that automatically mine grammars from programs – by executing the programs and observing how they process which parts of the input.  In conjunction with a grammar fuzzer, this allows us to \n",
       "1. take a program, \n",
       "2. extract its input grammar, and \n",
       "3. fuzz it with high efficiency and effectiveness, using the concepts in this book.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1093.12,-116 1002.12,-116 1002.12,-72 1099.12,-72 1099.12,-110 1093.12,-116\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1093.12,-116 1093.12,-110\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1099.12,-110 1093.12,-110\"/>\n",
       "<text text-anchor=\"middle\" x=\"1050.62\" y=\"-98.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Mining Input</text>\n",
       "<text text-anchor=\"middle\" x=\"1050.62\" y=\"-80.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Grammars</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarCoverageFuzzer&#45;&gt;GrammarMiner -->\n",
       "<g id=\"edge25\" class=\"edge\">\n",
       "<title>GrammarCoverageFuzzer-&gt;GrammarMiner</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1068,-235.53C1081.15,-225.71 1095.45,-212.18 1102.62,-196 1110.56,-178.13 1109.69,-170.23 1102.62,-152 1098.75,-142 1092.21,-132.68 1085.06,-124.6\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1087.64,-122.23 1078.2,-117.43 1082.58,-127.07 1087.64,-122.23\"/>\n",
       "</g>\n",
       "<!-- ConfigurationFuzzer -->\n",
       "<g id=\"node25\" class=\"node\">\n",
       "<title>ConfigurationFuzzer</title>\n",
       "<g id=\"a_node25\"><a xlink:href=\"ConfigurationFuzzer.ipynb\" xlink:title=\"Testing Configurations (ConfigurationFuzzer)\n",
       "\n",
       "The behavior of a program is not only governed by its data.  The configuration of a program – that is, the settings that govern the execution of a program on its (regular) input data, as set by options or configuration files – just as well influences behavior, and thus can and should be tested.  In this chapter, we explore how to systematically test and cover software configurations.  By automatically inferring configuration options, we can apply these techniques out of the box, with no need for writing a grammar.  Finally, we show how to systematically cover combinations of configuration options, quickly detecting unwanted interferences.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1087.75,-196 985.5,-196 985.5,-152 1093.75,-152 1093.75,-190 1087.75,-196\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1087.75,-196 1087.75,-190\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1093.75,-190 1087.75,-190\"/>\n",
       "<text text-anchor=\"middle\" x=\"1039.62\" y=\"-178.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Testing</text>\n",
       "<text text-anchor=\"middle\" x=\"1039.62\" y=\"-160.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Configurations</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarCoverageFuzzer&#45;&gt;ConfigurationFuzzer -->\n",
       "<g id=\"edge26\" class=\"edge\">\n",
       "<title>GrammarCoverageFuzzer-&gt;ConfigurationFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1039.62,-235.69C1039.62,-227.46 1039.62,-217.33 1039.62,-207.73\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1043.13,-207.95 1039.63,-197.95 1036.13,-207.95 1043.13,-207.95\"/>\n",
       "</g>\n",
       "<!-- Carver -->\n",
       "<g id=\"node26\" class=\"node\">\n",
       "<title>Carver</title>\n",
       "<g id=\"a_node26\"><a xlink:href=\"Carver.ipynb\" xlink:title=\"Carving Unit Tests (Carver)\n",
       "\n",
       "So far, we have always generated system input, i.e. data that the program as a whole obtains via its input channels.  If we are interested in testing only a small set of functions, having to go through the system can be very inefficient.  This chapter introduces a technique known as carving, which, given a system test, automatically extracts a set of unit tests that replicate the calls seen during the system test.  The key idea is to record such calls such that we can replay them later – as a whole or selectively.  On top, we also explore how to synthesize API grammars from carved unit tests; this means that we can synthesize API tests without having to write a grammar at all.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"937.25,-36 814,-36 814,0 943.25,0 943.25,-30 937.25,-36\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"937.25,-36 937.25,-30\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"943.25,-30 937.25,-30\"/>\n",
       "<text text-anchor=\"middle\" x=\"878.62\" y=\"-13.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Carving Unit Tests</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarCoverageFuzzer&#45;&gt;Carver -->\n",
       "<g id=\"edge27\" class=\"edge\">\n",
       "<title>GrammarCoverageFuzzer-&gt;Carver</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1077.47,-235.69C1093.22,-226.35 1109.84,-213.16 1118.62,-196 1130.13,-173.52 1113.94,-77.89 1108.62,-72 1088.15,-49.32 1013.47,-35.08 954.69,-27.14\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"955.42,-23.7 945.05,-25.88 954.51,-30.64 955.42,-23.7\"/>\n",
       "</g>\n",
       "<!-- GUIFuzzer -->\n",
       "<g id=\"node27\" class=\"node\">\n",
       "<title>GUIFuzzer</title>\n",
       "<g id=\"a_node27\"><a xlink:href=\"GUIFuzzer.ipynb\" xlink:title=\"Testing Graphical User Interfaces (GUIFuzzer)\n",
       "\n",
       "In this chapter, we explore how to generate tests for Graphical User Interfaces (GUIs), abstracting from our previous examples on Web testing.  Building on general means to extract user interface elements and activate them, our techniques generalize to arbitrary graphical user interfaces, from rich Web applications to mobile apps, and systematically explore user interfaces through forms and navigation elements.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1394.25,-196 1277,-196 1277,-152 1400.25,-152 1400.25,-190 1394.25,-196\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1394.25,-196 1394.25,-190\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1400.25,-190 1394.25,-190\"/>\n",
       "<text text-anchor=\"middle\" x=\"1338.62\" y=\"-178.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Testing Graphical</text>\n",
       "<text text-anchor=\"middle\" x=\"1338.62\" y=\"-160.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">User Interfaces</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarCoverageFuzzer&#45;&gt;GUIFuzzer -->\n",
       "<g id=\"edge28\" class=\"edge\">\n",
       "<title>GrammarCoverageFuzzer-&gt;GUIFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1103.47,-235.51C1107.92,-234.31 1112.34,-233.13 1116.62,-232 1166.34,-218.84 1222.45,-204.44 1265.81,-193.4\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1266.54,-196.83 1275.37,-190.97 1264.82,-190.05 1266.54,-196.83\"/>\n",
       "</g>\n",
       "<!-- APIFuzzer -->\n",
       "<g id=\"node29\" class=\"node\">\n",
       "<title>APIFuzzer</title>\n",
       "<g id=\"a_node29\"><a xlink:href=\"APIFuzzer.ipynb\" xlink:title=\"Fuzzing APIs (APIFuzzer)\n",
       "\n",
       "So far, we have always generated system input, i.e. data that the program as a whole obtains via its input channels.  However, we can also generate inputs that go directly into individual functions, gaining flexibility and speed in the process.  In this chapter, we explore the use of grammars to synthesize code for function calls, which allows you to generate program code that very efficiently invokes functions directly.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"640.38,-112 550.88,-112 550.88,-76 646.38,-76 646.38,-106 640.38,-112\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"640.38,-112 640.38,-106\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"646.38,-106 640.38,-106\"/>\n",
       "<text text-anchor=\"middle\" x=\"598.62\" y=\"-89.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Fuzzing APIs</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- ProbabilisticGrammarFuzzer&#45;&gt;APIFuzzer -->\n",
       "<g id=\"edge32\" class=\"edge\">\n",
       "<title>ProbabilisticGrammarFuzzer-&gt;APIFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M461.52,-151.58C487.74,-140.76 519.5,-127.66 545.84,-116.78\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"547.09,-120.06 554.99,-113.01 544.42,-113.59 547.09,-120.06\"/>\n",
       "</g>\n",
       "<!-- GreyboxGrammarFuzzer -->\n",
       "<g id=\"node17\" class=\"node\">\n",
       "<title>GreyboxGrammarFuzzer</title>\n",
       "<g id=\"a_node17\"><a xlink:href=\"GreyboxGrammarFuzzer.ipynb\" xlink:title=\"Greybox Fuzzing with Grammars (GreyboxGrammarFuzzer)\n",
       "\n",
       "In this chapter, we introduce important extensions to our syntactic fuzzing techniques, all leveraging syntactic parts of existing inputs.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"809.12,-116 664.12,-116 664.12,-72 815.12,-72 815.12,-110 809.12,-116\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"809.12,-116 809.12,-110\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"815.12,-110 809.12,-110\"/>\n",
       "<text text-anchor=\"middle\" x=\"739.62\" y=\"-98.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Greybox Fuzzing with</text>\n",
       "<text text-anchor=\"middle\" x=\"739.62\" y=\"-80.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Grammars</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GreyboxFuzzer&#45;&gt;GreyboxGrammarFuzzer -->\n",
       "<g id=\"edge16\" class=\"edge\">\n",
       "<title>GreyboxFuzzer-&gt;GreyboxGrammarFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M592.57,-155.69C617.45,-145.42 649.46,-132.21 677.25,-120.74\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"678.37,-124.07 686.28,-117.02 675.7,-117.6 678.37,-124.07\"/>\n",
       "</g>\n",
       "<!-- GrammarFuzzer&#45;&gt;GrammarCoverageFuzzer -->\n",
       "<g id=\"edge18\" class=\"edge\">\n",
       "<title>GrammarFuzzer-&gt;GrammarCoverageFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M989.48,-311.69C997.94,-302.13 1007.98,-290.77 1016.85,-280.74\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1019.27,-283.29 1023.28,-273.48 1014.03,-278.65 1019.27,-283.29\"/>\n",
       "</g>\n",
       "<!-- GrammarFuzzer&#45;&gt;PythonFuzzer -->\n",
       "<g id=\"edge23\" class=\"edge\">\n",
       "<title>GrammarFuzzer-&gt;PythonFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M905.72,-311.99C871.26,-300.84 829.01,-287.17 794.54,-276.01\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"795.67,-272.7 785.08,-272.95 793.52,-279.36 795.67,-272.7\"/>\n",
       "</g>\n",
       "<!-- Parser -->\n",
       "<g id=\"node19\" class=\"node\">\n",
       "<title>Parser</title>\n",
       "<g id=\"a_node19\"><a xlink:href=\"Parser.ipynb\" xlink:title=\"Parsing Inputs (Parser)\n",
       "\n",
       "In the chapter on Grammars, we discussed how grammars can be\n",
       "used to represent various languages. We also saw how grammars can be used to\n",
       "generate strings of the corresponding language. Grammars can also perform the\n",
       "reverse. That is, given a string, one can decompose the string into its\n",
       "constituent parts that correspond to the parts of grammar used to generate it\n",
       "– the derivation tree of that string. These parts (and parts from other similar\n",
       "strings) can later be recombined using the same grammar to produce new strings.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"948.25,-272 849,-272 849,-236 954.25,-236 954.25,-266 948.25,-272\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"948.25,-272 948.25,-266\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"954.25,-266 948.25,-266\"/>\n",
       "<text text-anchor=\"middle\" x=\"901.62\" y=\"-249.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Parsing Inputs</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarFuzzer&#45;&gt;Parser -->\n",
       "<g id=\"edge19\" class=\"edge\">\n",
       "<title>GrammarFuzzer-&gt;Parser</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M951.77,-311.69C943.31,-302.13 933.27,-290.77 924.4,-280.74\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"927.22,-278.65 917.97,-273.48 921.98,-283.29 927.22,-278.65\"/>\n",
       "</g>\n",
       "<!-- GeneratorGrammarFuzzer -->\n",
       "<g id=\"node20\" class=\"node\">\n",
       "<title>GeneratorGrammarFuzzer</title>\n",
       "<g id=\"a_node20\"><a xlink:href=\"GeneratorGrammarFuzzer.ipynb\" xlink:title=\"Fuzzing with Generators (GeneratorGrammarFuzzer)\n",
       "\n",
       "In this chapter, we show how to extend grammars with functions – pieces of code that get executed during grammar expansion, and that can generate, check, or change elements produced.  Adding functions to a grammar allows for very versatile test generation, bringing together the best of grammar generation and programming.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"756.75,-196 666.5,-196 666.5,-152 762.75,-152 762.75,-190 756.75,-196\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"756.75,-196 756.75,-190\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"762.75,-190 756.75,-190\"/>\n",
       "<text text-anchor=\"middle\" x=\"714.62\" y=\"-178.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Fuzzing with</text>\n",
       "<text text-anchor=\"middle\" x=\"714.62\" y=\"-160.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Generators</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarFuzzer&#45;&gt;GeneratorGrammarFuzzer -->\n",
       "<g id=\"edge20\" class=\"edge\">\n",
       "<title>GrammarFuzzer-&gt;GeneratorGrammarFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M905.9,-311.54C883.72,-302.49 859.5,-290.63 839.62,-276 818.81,-260.68 821.06,-249.02 801.62,-232 789.49,-221.37 775.23,-211.22 761.81,-202.51\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"763.83,-199.64 753.51,-197.25 760.08,-205.56 763.83,-199.64\"/>\n",
       "</g>\n",
       "<!-- Reducer -->\n",
       "<g id=\"node21\" class=\"node\">\n",
       "<title>Reducer</title>\n",
       "<g id=\"a_node21\"><a xlink:href=\"Reducer.ipynb\" xlink:title=\"Reducing Failure-Inducing Inputs (Reducer)\n",
       "\n",
       "By construction, fuzzers create inputs that may be hard to read.  This causes issues during debugging, when a human has to analyze the exact cause of the failure.  In this chapter, we present techniques that automatically reduce and simplify failure-inducing inputs to a minimum in order to ease debugging.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1357.62,-276 1239.62,-276 1239.62,-232 1363.62,-232 1363.62,-270 1357.62,-276\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1357.62,-276 1357.62,-270\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1363.62,-270 1357.62,-270\"/>\n",
       "<text text-anchor=\"middle\" x=\"1301.62\" y=\"-258.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Reducing Failure-</text>\n",
       "<text text-anchor=\"middle\" x=\"1301.62\" y=\"-240.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Inducing Inputs</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarFuzzer&#45;&gt;Reducer -->\n",
       "<g id=\"edge21\" class=\"edge\">\n",
       "<title>GrammarFuzzer-&gt;Reducer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1035.57,-320.11C1085.78,-309.84 1157.22,-294.56 1228.4,-276.5\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1229.07,-279.94 1237.89,-274.07 1227.34,-273.16 1229.07,-279.94\"/>\n",
       "</g>\n",
       "<!-- FuzzingWithConstraints -->\n",
       "<g id=\"node22\" class=\"node\">\n",
       "<title>FuzzingWithConstraints</title>\n",
       "<g id=\"a_node22\"><a xlink:href=\"FuzzingWithConstraints.ipynb\" xlink:title=\"Fuzzing with Constraints (FuzzingWithConstraints)\n",
       "\n",
       "In previous chapters, we have seen how Grammar-Based Fuzzing allows us to efficiently generate myriads of syntactically valid inputs.\n",
       "However, there are semantic input features that cannot be expressed in a context-free grammar, such as\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1215.75,-276 1125.5,-276 1125.5,-232 1221.75,-232 1221.75,-270 1215.75,-276\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1215.75,-276 1215.75,-270\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1221.75,-270 1215.75,-270\"/>\n",
       "<text text-anchor=\"middle\" x=\"1173.62\" y=\"-258.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Fuzzing with</text>\n",
       "<text text-anchor=\"middle\" x=\"1173.62\" y=\"-240.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Constraints</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarFuzzer&#45;&gt;FuzzingWithConstraints -->\n",
       "<g id=\"edge22\" class=\"edge\">\n",
       "<title>GrammarFuzzer-&gt;FuzzingWithConstraints</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1026.36,-311.58C1053.84,-301.03 1086.98,-288.29 1114.85,-277.58\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1115.76,-280.98 1123.84,-274.13 1113.25,-274.45 1115.76,-280.98\"/>\n",
       "</g>\n",
       "<!-- WebFuzzer -->\n",
       "<g id=\"node23\" class=\"node\">\n",
       "<title>WebFuzzer</title>\n",
       "<g id=\"a_node23\"><a xlink:href=\"WebFuzzer.ipynb\" xlink:title=\"Testing Web Applications (WebFuzzer)\n",
       "\n",
       "In this chapter, we explore how to generate tests for Graphical User Interfaces (GUIs), notably on Web interfaces.  We set up a (vulnerable) Web server and demonstrate how to systematically explore its behavior – first with handwritten grammars, then with grammars automatically inferred from the user interface.  We also show how to conduct systematic attacks on these servers, notably with code and SQL injection.\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"1467.88,-276 1381.38,-276 1381.38,-232 1473.88,-232 1473.88,-270 1467.88,-276\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1467.88,-276 1467.88,-270\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"1473.88,-270 1467.88,-270\"/>\n",
       "<text text-anchor=\"middle\" x=\"1427.62\" y=\"-258.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Testing Web</text>\n",
       "<text text-anchor=\"middle\" x=\"1427.62\" y=\"-240.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Applications</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- GrammarFuzzer&#45;&gt;WebFuzzer -->\n",
       "<g id=\"edge24\" class=\"edge\">\n",
       "<title>GrammarFuzzer-&gt;WebFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1035.55,-328.29C1113.41,-321.65 1247.76,-307.04 1370.01,-276.41\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1370.76,-279.84 1379.58,-273.97 1369.03,-273.05 1370.76,-279.84\"/>\n",
       "</g>\n",
       "<!-- Parser&#45;&gt;ProbabilisticGrammarFuzzer -->\n",
       "<g id=\"edge29\" class=\"edge\">\n",
       "<title>Parser-&gt;ProbabilisticGrammarFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M848.6,-240.89C833.48,-237.7 816.95,-234.47 801.62,-232 663.91,-209.84 623.97,-223.41 484.21,-196.35\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"485.05,-192.95 474.57,-194.44 483.7,-199.82 485.05,-192.95\"/>\n",
       "</g>\n",
       "<!-- Parser&#45;&gt;GreyboxGrammarFuzzer -->\n",
       "<g id=\"edge30\" class=\"edge\">\n",
       "<title>Parser-&gt;GreyboxGrammarFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M866.5,-235.72C848.27,-225.7 826.38,-211.92 809.62,-196 788.09,-175.54 769.28,-147.47 756.59,-126.11\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"759.67,-124.44 751.63,-117.53 753.61,-127.94 759.67,-124.44\"/>\n",
       "</g>\n",
       "<!-- InformationFlow -->\n",
       "<g id=\"node28\" class=\"node\">\n",
       "<title>InformationFlow</title>\n",
       "<g id=\"a_node28\"><a xlink:href=\"InformationFlow.ipynb\" xlink:title=\"Tracking Information Flow (InformationFlow)\n",
       "\n",
       "We have explored how one could generate better inputs that can penetrate deeper into the program in question. While doing so, we have relied on program crashes to tell us that we have succeeded in finding problems in the program. However, that is rather simplistic. What if the behavior of the program is simply incorrect, but does not lead to a crash? Can one do better?\">\n",
       "<polygon fill=\"white\" stroke=\"black\" points=\"961,-196 818.25,-196 818.25,-152 967,-152 967,-190 961,-196\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"961,-196 961,-190\"/>\n",
       "<polyline fill=\"none\" stroke=\"black\" points=\"967,-190 961,-190\"/>\n",
       "<text text-anchor=\"middle\" x=\"892.62\" y=\"-178.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Tracking Information</text>\n",
       "<text text-anchor=\"middle\" x=\"892.62\" y=\"-160.7\" font-family=\"Patua One, Helvetica, sans-serif\" font-size=\"14.00\" fill=\"#b03a2e\">Flow</text>\n",
       "</a>\n",
       "</g>\n",
       "</g>\n",
       "<!-- Parser&#45;&gt;InformationFlow -->\n",
       "<g id=\"edge31\" class=\"edge\">\n",
       "<title>Parser-&gt;InformationFlow</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M899.63,-235.69C898.68,-227.46 897.51,-217.33 896.4,-207.73\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"899.9,-207.48 895.27,-197.94 892.94,-208.28 899.9,-207.48\"/>\n",
       "</g>\n",
       "<!-- GeneratorGrammarFuzzer&#45;&gt;APIFuzzer -->\n",
       "<g id=\"edge33\" class=\"edge\">\n",
       "<title>GeneratorGrammarFuzzer-&gt;APIFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M682.93,-151.69C667.71,-141.45 649.42,-129.15 633.77,-118.63\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"635.93,-115.87 625.68,-113.19 632.02,-121.68 635.93,-115.87\"/>\n",
       "</g>\n",
       "<!-- WebFuzzer&#45;&gt;GUIFuzzer -->\n",
       "<g id=\"edge37\" class=\"edge\">\n",
       "<title>WebFuzzer-&gt;GUIFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M1403.31,-231.69C1393.49,-223.09 1382.02,-213.03 1371.49,-203.8\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"1373.88,-201.24 1364.05,-197.29 1369.27,-206.51 1373.88,-201.24\"/>\n",
       "</g>\n",
       "<!-- InformationFlow&#45;&gt;ConcolicFuzzer -->\n",
       "<g id=\"edge35\" class=\"edge\">\n",
       "<title>InformationFlow-&gt;ConcolicFuzzer</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M892.62,-151.69C892.62,-143.09 892.62,-133.05 892.62,-123.82\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"896.13,-123.86 892.63,-113.86 889.13,-123.86 896.13,-123.86\"/>\n",
       "</g>\n",
       "<!-- InformationFlow&#45;&gt;GrammarMiner -->\n",
       "<g id=\"edge34\" class=\"edge\">\n",
       "<title>InformationFlow-&gt;GrammarMiner</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M935.8,-151.69C954.71,-142.35 977.09,-131.3 997.04,-121.45\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"998.45,-124.66 1005.87,-117.09 995.36,-118.38 998.45,-124.66\"/>\n",
       "</g>\n",
       "<!-- APIFuzzer&#45;&gt;Carver -->\n",
       "<g id=\"edge36\" class=\"edge\">\n",
       "<title>APIFuzzer-&gt;Carver</title>\n",
       "<path fill=\"none\" stroke=\"black\" d=\"M643.69,-75.54C647.37,-74.29 651.05,-73.09 654.62,-72 703.33,-57.17 759.04,-43.97 802.72,-34.46\"/>\n",
       "<polygon fill=\"black\" stroke=\"black\" points=\"803.32,-37.91 812.36,-32.38 801.85,-31.07 803.32,-37.91\"/>\n",
       "</g>\n",
       "</g>\n",
       "</svg>"
      ],
      "text/plain": [
       "<IPython.core.display.SVG object>"
      ]
     },
     "execution_count": 2,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "# ignore\n",
    "SVG(filename='PICS/Sitemap.svg')"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "c8d8fb3a",
   "metadata": {},
   "source": [
    "## [Table of Contents](index.ipynb)\n",
    "\n",
    "\n",
    "### <a href=\"01_Intro.ipynb\" title=\"Part I: Whetting Your Appetite (01_Intro)&#10;&#10;In this part, we introduce the topics of the book.\">Part I: Whetting Your Appetite</a>\n",
    "\n",
    "* <a href=\"Tours.ipynb\" title=\"Tours through the Book (Tours)&#10;&#10;This book is massive.  With more than 20,000 lines of code and 150,000 words of text, a printed version would cover more than 1,200 pages of text.  Obviously, we do not assume that everybody wants to read everything.\">Tours through the Book</a>\n",
    "* <a href=\"Intro_Testing.ipynb\" title=\"Introduction to Software Testing (Intro_Testing)&#10;&#10;Before we get to the central parts of the book, let us introduce essential concepts of software testing.  Why is it necessary to test software at all?  How does one test software?  How can one tell whether a test has been successful?  How does one know if one has tested enough?  In this chapter, let us recall the most important concepts, and at the same time get acquainted with Python and interactive notebooks.\">Introduction to Software Testing</a>\n",
    "\n",
    "### <a href=\"02_Lexical_Fuzzing.ipynb\" title=\"Part II: Lexical Fuzzing (02_Lexical_Fuzzing)&#10;&#10;This part introduces test generation at the lexical level, that is, composing sequences of characters.\">Part II: Lexical Fuzzing</a>\n",
    "\n",
    "* <a href=\"Fuzzer.ipynb\" title=\"Fuzzing: Breaking Things with Random Inputs (Fuzzer)&#10;&#10;In this chapter, we&#x27;ll start with one of the simplest test generation techniques.  The key idea of random text generation, also known as fuzzing, is to feed a string of random characters into a program in the hope to uncover failures.\">Fuzzing: Breaking Things with Random Inputs</a>\n",
    "* <a href=\"Coverage.ipynb\" title=\"Code Coverage (Coverage)&#10;&#10;In the previous chapter, we introduced basic fuzzing – that is, generating random inputs to test programs.  How do we measure the effectiveness of these tests?  One way would be to check the number (and seriousness) of bugs found; but if bugs are scarce, we need a proxy for the likelihood of a test to uncover a bug.  In this chapter, we introduce the concept of code coverage, measuring which parts of a program are actually executed during a test run.  Measuring such coverage is also crucial for test generators that attempt to cover as much code as possible.\">Code Coverage</a>\n",
    "* <a href=\"MutationFuzzer.ipynb\" title=\"Mutation-Based Fuzzing (MutationFuzzer)&#10;&#10;Most randomly generated inputs are syntactically invalid and thus are quickly rejected by the processing program.  To exercise functionality beyond input processing, we must increase chances to obtain valid inputs.  One such way is so-called mutational fuzzing – that is, introducing small changes to existing inputs that may still keep the input valid, yet exercise new behavior.  We show how to create such mutations, and how to guide them towards yet uncovered code, applying central concepts from the popular AFL fuzzer.\">Mutation-Based Fuzzing</a>\n",
    "* <a href=\"GreyboxFuzzer.ipynb\" title=\"Greybox Fuzzing (GreyboxFuzzer)&#10;&#10;In the previous chapter, we have introduced mutation-based fuzzing, a technique that generates fuzz inputs by applying small mutations to given inputs. In this chapter, we show how to guide these mutations towards specific goals such as coverage. The algorithms in this chapter stem from the popular American Fuzzy Lop (AFL) fuzzer, in particular from its AFLFast and AFLGo flavors. We will explore the greybox fuzzing algorithm behind AFL and how we can exploit it to solve various problems for automated vulnerability detection.\">Greybox Fuzzing</a>\n",
    "* <a href=\"SearchBasedFuzzer.ipynb\" title=\"Search-Based Fuzzing (SearchBasedFuzzer)&#10;&#10;Sometimes we are not only interested in fuzzing as many as possible diverse program inputs, but in deriving specific test inputs that achieve some objective, such as reaching specific statements in a program. When we have an idea of what we are looking for, then we can search for it. Search algorithms are at the core of computer science, but applying classic search algorithms like breadth or depth first search to search for tests is unrealistic, because these algorithms potentially require us to look at all possible inputs. However, domain-knowledge can be used to overcome this problem. For example, if we can estimate which of several program inputs is closer to the one we are looking for, then this information can guide us to reach the target quicker – this information is known as a heuristic. The way heuristics are applied systematically is captured in meta-heuristic search algorithms. The &quot;meta&quot; denotes that these algorithms are generic and can be instantiated differently to different problems. Meta-heuristics often take inspiration from processes observed in nature. For example, there are algorithms mimicking evolutionary processes, swarm intelligence, or chemical reactions. In general, they are much more efficient than exhaustive search approaches such that they can be applied to vast search spaces – search spaces as vast as the domain of program inputs are no problem for them.\">Search-Based Fuzzing</a>\n",
    "* <a href=\"MutationAnalysis.ipynb\" title=\"Mutation Analysis (MutationAnalysis)&#10;&#10;In the chapter on coverage, we showed how one can identify which parts of the program are executed by a program, and hence get a sense of the effectiveness of a set of test cases in covering the program structure.  However, coverage alone may not be the best measure for the effectiveness of a test, as one can have great coverage without ever checking a result for correctness.  In this chapter, we introduce another means for assessing the effectiveness of a test suite: After injecting mutations – artificial faults – into the code, we check whether a test suite can detect these artificial faults.  The idea is that if it fails to detect such mutations, it will also miss real bugs.\">Mutation Analysis</a>\n",
    "\n",
    "### <a href=\"03_Syntactical_Fuzzing.ipynb\" title=\"Part III: Syntactic Fuzzing (03_Syntactical_Fuzzing)&#10;&#10;This part introduces test generation at the syntactical level, that is, composing inputs from language structures.\">Part III: Syntactic Fuzzing</a>\n",
    "\n",
    "* <a href=\"Grammars.ipynb\" title=\"Fuzzing with Grammars (Grammars)&#10;&#10;In the chapter on &quot;Mutation-Based Fuzzing&quot;, we have seen how to use extra hints – such as sample input files – to speed up test generation.  In this chapter, we take this idea one step further, by providing a specification of the legal inputs to a program.  Specifying inputs via a grammar allows for very systematic and efficient test generation, in particular for complex input formats.  Grammars also serve as the base for configuration fuzzing, API fuzzing, GUI fuzzing, and many more.\">Fuzzing with Grammars</a>\n",
    "* <a href=\"GrammarFuzzer.ipynb\" title=\"Efficient Grammar Fuzzing (GrammarFuzzer)&#10;&#10;In the chapter on grammars, we have seen how to use grammars for very effective and efficient testing.  In this chapter, we refine the previous string-based algorithm into a tree-based algorithm, which is much faster and allows for much more control over the production of fuzz inputs.\">Efficient Grammar Fuzzing</a>\n",
    "* <a href=\"GrammarCoverageFuzzer.ipynb\" title=\"Grammar Coverage (GrammarCoverageFuzzer)&#10;&#10;Producing inputs from grammars gives all possible expansions of a rule the same likelihood.  For producing a comprehensive test suite, however, it makes more sense to maximize variety – for instance, by not repeating the same expansions over and over again.  In this chapter, we explore how to systematically cover elements of a grammar such that we maximize variety and do not miss out individual elements.\">Grammar Coverage</a>\n",
    "* <a href=\"Parser.ipynb\" title=\"Parsing Inputs (Parser)&#10;&#10;In the chapter on Grammars, we discussed how grammars can be&#10;used to represent various languages. We also saw how grammars can be used to&#10;generate strings of the corresponding language. Grammars can also perform the&#10;reverse. That is, given a string, one can decompose the string into its&#10;constituent parts that correspond to the parts of grammar used to generate it&#10;– the derivation tree of that string. These parts (and parts from other similar&#10;strings) can later be recombined using the same grammar to produce new strings.\">Parsing Inputs</a>\n",
    "* <a href=\"ProbabilisticGrammarFuzzer.ipynb\" title=\"Probabilistic Grammar Fuzzing (ProbabilisticGrammarFuzzer)&#10;&#10;Let us give grammars even more power by assigning probabilities to individual expansions.  This allows us to control how many of each element should be produced, and thus allows us to target our generated tests towards specific functionality.  We also show how to learn such probabilities from given sample inputs, and specifically direct our tests towards input features that are uncommon in these samples.\">Probabilistic Grammar Fuzzing</a>\n",
    "* <a href=\"GeneratorGrammarFuzzer.ipynb\" title=\"Fuzzing with Generators (GeneratorGrammarFuzzer)&#10;&#10;In this chapter, we show how to extend grammars with functions – pieces of code that get executed during grammar expansion, and that can generate, check, or change elements produced.  Adding functions to a grammar allows for very versatile test generation, bringing together the best of grammar generation and programming.\">Fuzzing with Generators</a>\n",
    "* <a href=\"GreyboxGrammarFuzzer.ipynb\" title=\"Greybox Fuzzing with Grammars (GreyboxGrammarFuzzer)&#10;&#10;In this chapter, we introduce important extensions to our syntactic fuzzing techniques, all leveraging syntactic parts of existing inputs.\">Greybox Fuzzing with Grammars</a>\n",
    "* <a href=\"Reducer.ipynb\" title=\"Reducing Failure-Inducing Inputs (Reducer)&#10;&#10;By construction, fuzzers create inputs that may be hard to read.  This causes issues during debugging, when a human has to analyze the exact cause of the failure.  In this chapter, we present techniques that automatically reduce and simplify failure-inducing inputs to a minimum in order to ease debugging.\">Reducing Failure-Inducing Inputs</a>\n",
    "\n",
    "### <a href=\"04_Semantical_Fuzzing.ipynb\" title=\"Part IV: Semantic Fuzzing (04_Semantical_Fuzzing)&#10;&#10;This part introduces test generation techniques that take the semantics of the input into account, notably the behavior of the program that processes the input.\">Part IV: Semantic Fuzzing</a>\n",
    "\n",
    "* <a href=\"FuzzingWithConstraints.ipynb\" title=\"Fuzzing with Constraints (FuzzingWithConstraints)&#10;&#10;In previous chapters, we have seen how Grammar-Based Fuzzing allows us to efficiently generate myriads of syntactically valid inputs.&#10;However, there are semantic input features that cannot be expressed in a context-free grammar, such as\">Fuzzing with Constraints</a>\n",
    "* <a href=\"GrammarMiner.ipynb\" title=\"Mining Input Grammars (GrammarMiner)&#10;&#10;So far, the grammars we have seen have been mostly specified manually – that is, you (or the person knowing the input format) had to design and write a grammar in the first place.  While the grammars we have seen so far have been rather simple, creating a grammar for complex inputs can involve quite some effort.  In this chapter, we therefore introduce techniques that automatically mine grammars from programs – by executing the programs and observing how they process which parts of the input.  In conjunction with a grammar fuzzer, this allows us to &#10;1. take a program, &#10;2. extract its input grammar, and &#10;3. fuzz it with high efficiency and effectiveness, using the concepts in this book.\">Mining Input Grammars</a>\n",
    "* <a href=\"InformationFlow.ipynb\" title=\"Tracking Information Flow (InformationFlow)&#10;&#10;We have explored how one could generate better inputs that can penetrate deeper into the program in question. While doing so, we have relied on program crashes to tell us that we have succeeded in finding problems in the program. However, that is rather simplistic. What if the behavior of the program is simply incorrect, but does not lead to a crash? Can one do better?\">Tracking Information Flow</a>\n",
    "* <a href=\"ConcolicFuzzer.ipynb\" title=\"Concolic Fuzzing (ConcolicFuzzer)&#10;&#10;In the chapter on information flow, we have seen how one can use dynamic taints to produce more intelligent test cases than simply looking for program crashes. We have also seen how one can use the taints to update the grammar, and hence focus more on the dangerous methods.\">Concolic Fuzzing</a>\n",
    "* <a href=\"SymbolicFuzzer.ipynb\" title=\"Symbolic Fuzzing (SymbolicFuzzer)&#10;&#10;One of the problems with traditional methods of fuzzing is that they fail to exercise all the possible behaviors that a system can have, especially when the input space is large. Quite often the execution of a specific branch of execution may happen only with very specific inputs, which could represent a minimal fraction of the input space. The traditional fuzzing methods relies on chance to produce inputs they need. However, relying on randomness to generate values that we want is a bad idea when the space to be explored is huge. For example, a function that accepts a string, even if one only considers the first $10$ characters, already has $2^{80}$ possible inputs. If one is looking for a specific string, random generation of values will take a few thousand years even in one of the super computers.\">Symbolic Fuzzing</a>\n",
    "* <a href=\"DynamicInvariants.ipynb\" title=\"Mining Function Specifications (DynamicInvariants)&#10;&#10;When testing a program, one not only needs to cover its several behaviors; one also needs to check whether the result is as expected.  In this chapter, we introduce a technique that allows us to mine function specifications from a set of given executions, resulting in abstract and formal descriptions of what the function expects and what it delivers.\">Mining Function Specifications</a>\n",
    "\n",
    "### <a href=\"05_Domain-Specific_Fuzzing.ipynb\" title=\"Part V: Domain-Specific Fuzzing (05_Domain-Specific_Fuzzing)&#10;&#10;This part discusses test generation for a number of specific domains.  For all these domains, we introduce fuzzers that generate inputs as well as miners that analyze the input structure.\">Part V: Domain-Specific Fuzzing</a>\n",
    "\n",
    "* <a href=\"ConfigurationFuzzer.ipynb\" title=\"Testing Configurations (ConfigurationFuzzer)&#10;&#10;The behavior of a program is not only governed by its data.  The configuration of a program – that is, the settings that govern the execution of a program on its (regular) input data, as set by options or configuration files – just as well influences behavior, and thus can and should be tested.  In this chapter, we explore how to systematically test and cover software configurations.  By automatically inferring configuration options, we can apply these techniques out of the box, with no need for writing a grammar.  Finally, we show how to systematically cover combinations of configuration options, quickly detecting unwanted interferences.\">Testing Configurations</a>\n",
    "* <a href=\"APIFuzzer.ipynb\" title=\"Fuzzing APIs (APIFuzzer)&#10;&#10;So far, we have always generated system input, i.e. data that the program as a whole obtains via its input channels.  However, we can also generate inputs that go directly into individual functions, gaining flexibility and speed in the process.  In this chapter, we explore the use of grammars to synthesize code for function calls, which allows you to generate program code that very efficiently invokes functions directly.\">Fuzzing APIs</a>\n",
    "* <a href=\"Carver.ipynb\" title=\"Carving Unit Tests (Carver)&#10;&#10;So far, we have always generated system input, i.e. data that the program as a whole obtains via its input channels.  If we are interested in testing only a small set of functions, having to go through the system can be very inefficient.  This chapter introduces a technique known as carving, which, given a system test, automatically extracts a set of unit tests that replicate the calls seen during the system test.  The key idea is to record such calls such that we can replay them later – as a whole or selectively.  On top, we also explore how to synthesize API grammars from carved unit tests; this means that we can synthesize API tests without having to write a grammar at all.\">Carving Unit Tests</a>\n",
    "* <a href=\"PythonFuzzer.ipynb\" title=\"Testing Compilers (PythonFuzzer)&#10;&#10;In this chapter, we will make use of grammars and grammar-based testing to systematically generate program code – for instance, to test a compiler or an interpreter. Not very surprisingly, we use Python and the Python interpreter as our domain.\">Testing Compilers</a>\n",
    "* <a href=\"WebFuzzer.ipynb\" title=\"Testing Web Applications (WebFuzzer)&#10;&#10;In this chapter, we explore how to generate tests for Graphical User Interfaces (GUIs), notably on Web interfaces.  We set up a (vulnerable) Web server and demonstrate how to systematically explore its behavior – first with handwritten grammars, then with grammars automatically inferred from the user interface.  We also show how to conduct systematic attacks on these servers, notably with code and SQL injection.\">Testing Web Applications</a>\n",
    "* <a href=\"GUIFuzzer.ipynb\" title=\"Testing Graphical User Interfaces (GUIFuzzer)&#10;&#10;In this chapter, we explore how to generate tests for Graphical User Interfaces (GUIs), abstracting from our previous examples on Web testing.  Building on general means to extract user interface elements and activate them, our techniques generalize to arbitrary graphical user interfaces, from rich Web applications to mobile apps, and systematically explore user interfaces through forms and navigation elements.\">Testing Graphical User Interfaces</a>\n",
    "\n",
    "### <a href=\"06_Managing_Fuzzing.ipynb\" title=\"Part VI: Managing Fuzzing (06_Managing_Fuzzing)&#10;&#10;This part discusses how to manage fuzzing in the large.\">Part VI: Managing Fuzzing</a>\n",
    "\n",
    "* <a href=\"FuzzingInTheLarge.ipynb\" title=\"Fuzzing in the Large (FuzzingInTheLarge)&#10;&#10;In the past chapters, we have always looked at fuzzing taking place on one machine for a few seconds only.  In the real world, however, fuzzers are run on dozens or even thousands of machines; for hours, days and weeks; for one program or dozens of programs.  In such contexts, one needs an infrastructure to collect failure data from the individual fuzzer runs, and to aggregate such data in a central repository.  In this chapter, we will examine such an infrastructure, the FuzzManager framework from Mozilla.\">Fuzzing in the Large</a>\n",
    "* <a href=\"WhenToStopFuzzing.ipynb\" title=\"When To Stop Fuzzing (WhenToStopFuzzing)&#10;&#10;In the past chapters, we have discussed several fuzzing techniques.  Knowing what to do is important, but it is also important to know when to stop doing things.  In this chapter, we will learn when to stop fuzzing – and use a prominent example for this purpose: The Enigma machine that was used in the second world war by the navy of Nazi Germany to encrypt communications, and how Alan Turing and I.J. Good used fuzzing techniques to crack ciphers for the Naval Enigma machine.\">When To Stop Fuzzing</a>\n",
    "\n",
    "### <a href=\"99_Appendices.ipynb\" title=\"Appendices (99_Appendices)&#10;&#10;This part holds notebooks and modules that support other notebooks.\">Appendices</a>\n",
    "\n",
    "* <a href=\"AcademicPrototyping.ipynb\" title=\"Academic Prototyping (AcademicPrototyping)&#10;&#10;This is the manuscript of Andreas Zeller&#x27;s tutorial&#10;&quot;Academic Prototyping&quot; at the ESEC/FSE 2022 conference.\">Academic Prototyping</a>\n",
    "* <a href=\"PrototypingWithPython.ipynb\" title=\"Prototyping with Python (PrototypingWithPython)&#10;&#10;This is the manuscript of Andreas Zeller&#x27;s keynote&#10;&quot;Coding Effective Testing Tools Within Minutes&quot; at the TAIC PART 2020 conference.\">Prototyping with Python</a>\n",
    "* <a href=\"ExpectError.ipynb\" title=\"Error Handling (ExpectError)&#10;&#10;The code in this notebook helps with handling errors.  Normally, an error in  notebook code causes the execution of the code to stop; while an infinite loop in notebook code causes the notebook to run without end.  This notebook provides two classes to help address these concerns.\">Error Handling</a>\n",
    "* <a href=\"Timer.ipynb\" title=\"Timer (Timer)&#10;&#10;The code in this notebook helps with measuring time.\">Timer</a>\n",
    "* <a href=\"Timeout.ipynb\" title=\"Timeout (Timeout)&#10;&#10;The code in this notebook helps in interrupting execution after a given time.\">Timeout</a>\n",
    "* <a href=\"ClassDiagram.ipynb\" title=\"Class Diagrams (ClassDiagram)&#10;&#10;This is a simple viewer for class diagrams.  Customized towards the book.\">Class Diagrams</a>\n",
    "* <a href=\"RailroadDiagrams.ipynb\" title=\"Railroad Diagrams (RailroadDiagrams)&#10;&#10;The code in this notebook helps with drawing syntax-diagrams.  It is a (slightly customized) copy of the excellent library from Tab Atkins jr., which unfortunately is not available as a Python package.\">Railroad Diagrams</a>\n",
    "* <a href=\"ControlFlow.ipynb\" title=\"Control Flow Graph (ControlFlow)&#10;&#10;The code in this notebook helps with obtaining the control flow graph of python functions.\">Control Flow Graph</a>\n"
   ]
  }
 ],
 "metadata": {
  "ipub": {
   "bibliography": "fuzzingbook.bib"
  },
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.10.2"
  },
  "toc": {
   "base_numbering": 1,
   "nav_menu": {},
   "number_sections": true,
   "sideBar": true,
   "skip_h1_title": true,
   "title_cell": "",
   "title_sidebar": "Contents",
   "toc_cell": false,
   "toc_position": {},
   "toc_section_display": true,
   "toc_window_display": true
  },
  "toc-autonumbering": false
 },
 "nbformat": 4,
 "nbformat_minor": 5
}