
fuzzer's Introduction

BertRLFuzzer: A Grammar-preserving BERT-based Reinforcement Learning Fuzzer

We present BertRLFuzzer, a novel grammar-preserving BERT-based Reinforcement Learning fuzzer aimed at finding security vulnerabilities, especially SQL injection (SQLi) and Cross-site Scripting (XSS). Briefly, our method works as follows: given a list of grammar-adhering seed inputs, the fuzzer performs grammar-preserving and attack-provoking mutation operations on these seed inputs to generate candidate attack vectors. The core innovation of our tool is the combined use of two machine learning concepts. The first key idea is the use of a BERT-style Transformer model that enables the fuzzer to mutate strings in a grammar-preserving way without requiring the user to specify complex input grammars of victim applications, and the second is the use of a Proximal Policy Optimization (PPO)-based reinforcement learning (RL) technique that enables the fuzzer to automatically learn effective mutation operators. The ability of BERT-style models to learn grammars is key: it enables BertRLFuzzer to be grammar-preserving and to learn attack vector patterns, and it also makes BertRLFuzzer extensible, i.e., the user can extend it to a variety of victim applications and attack vectors without explicitly modifying the fuzzer. Further, the mutation operators learnt via RL enable BertRLFuzzer to automatically and heuristically search a space of attack vectors specialized to a victim application. Finally, an additional advantage of using RL is that, unlike supervised-learning-based fuzzers, we don't need to create labeled training data.

Running the example website

  1. Make sure you have Docker installed
  2. Go to example_website/docker
  3. On the CLI, execute docker-compose up

You will find the following two webpages:

Other benchmark SUTs

Running the tool

  1. Set up the environment using requirements.txt
  2. python attention_fuzzer/main.py --expt_tag <suitable_tag_for_future_ref> --model_variant "BERT" --logging "normal"
