kitty.model.high_level.graph module

Model with a graph structure. All paths in the graph will be fuzzed, and the last node in each path will be mutated until exhaustion.

class kitty.model.high_level.graph.GraphModel(name='GraphModel')

Bases: kitty.model.high_level.base.BaseModel

The GraphModel is built of a simple digraph, where the nodes are templates, and on each edge there’s a callback function. It will provide sequences of edges from this graph, always starting from the root (dummy) node, where the last template in the sequence (the destination of the last edge) is mutated. As such the main target of the GraphModel is to fuzz the handling of the fields in a message.

Assume we have the templates A, B, C and D and we want to fuzz all of them, but we know that in order to make an impact when fuzzing template D, we first need to send A, then B or C, and only then D. That is, we have the following template graph:

  /==> B
 /      \
A        +==> D
 \      /
  \==> C

Which translates to the following sequences (* marks the mutated template):

A*
A -> B*
A -> B -> D*
A -> C*
A -> C -> D*

Such a model will be written in Kitty like this:

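Example:
from kitty.model import GraphModel

# A, B, C and D are templates defined elsewhere
model = GraphModel('MyGraphModel')
model.connect(A)     # root (dummy) node -> A
model.connect(A, B)
model.connect(B, D)
model.connect(A, C)
model.connect(C, D)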

Note

Make sure there are no loops in your model!!
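
The sketch below is an added illustration, not Kitty's own code: it shows how the graph above expands into the listed sequences, and why a loop has to be rejected (the expansion would never end). The names ROOT, LoopError, connect, sequences, render and EXAMPLE are hypothetical, and templates are represented by plain strings.

```python
# Added illustration; a stand-alone sketch, not Kitty's implementation.
ROOT = "<root>"  # stands in for the model's root (dummy) node


class LoopError(Exception):
    """Raised when the template graph contains a cycle (hypothetical name)."""


def connect(graph, src, dst=None):
    """Mimic the connect() convention: one argument links the root to src."""
    if dst is None:
        src, dst = ROOT, src
    graph.setdefault(src, []).append(dst)
    graph.setdefault(dst, [])


def sequences(graph):
    """Return every path that starts at the root; the last node is mutated."""
    found = []

    def walk(node, path):
        for nxt in graph[node]:
            # Only a node repeated on the *current* path is a loop. Reaching
            # D through both B and C (a diamond) is legal and yields two paths.
            if nxt in path:
                raise LoopError("loop: " + " -> ".join(path + [nxt]))
            found.append(path + [nxt])
            walk(nxt, path + [nxt])

    walk(ROOT, [])
    return found


def render(path):
    return " -> ".join(path) + "*"


# The A/B/C/D graph from the text, built with the same five connect calls.
EXAMPLE = {}
for edge in [("A",), ("A", "B"), ("B", "D"), ("A", "C"), ("C", "D")]:
    connect(EXAMPLE, *edge)

if __name__ == "__main__":
    for p in sequences(EXAMPLE):
        print(render(p))
```

Every extra branch multiplies the number of sequences, and each sequence is mutated until exhaustion, so the shape of the graph directly drives the length of the fuzzing session.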

The callback argument of connect allows monitoring and maintenance during a fuzzing test.

Example:
import logging

logger = logging.getLogger(__name__)

def log_if_empty_response(fuzzer, edge, response):
    # Called after the response to edge.src arrives and before edge.dst is sent
    if not response:
        logger.error('Got an empty response for request %s', edge.src.get_name())

model.connect(A, B, log_if_empty_response)

__init__(name='GraphModel')
Parameters: name – name for this model
check_loops_in_grpah(current=None, visited=[])
Parameters:
  • current – current node to check if visited
  • visited – list of visited fields
Raise:

KittyException if loop found

connect(src, dst=None, callback=None)
Parameters:
  • src – source node, if dst is None it will be destination node and the root (dummy) node will be source
  • dst – destination node (default: None)
  • callback (func(fuzzer, edge, response) -> None) – a function to be called after the response for src is received and before dst is sent
get_model_info()
get_stages()
Returns: dictionary of information regarding the stages in the fuzzing session

Note

structure: { current: ['stage1', 'stage2', 'stage3'], 'stages': {'source1': ['dest1', 'dest2'], 'source2': ['dest1', 'dest3']}}

get_template_info()
Returns: dictionary of information regarding the current template
get_test_info()
hash()
skip(count)