Peach 2.1 BETA3 exposes the mutators used by Peach to perform fuzzing.  Each mutator performs a specific mutation.  Custom mutators can be created and included, additionally the order in which mutators are used can be customized for all fuzzers down to specific tests.

First up lets take a look at the default mutators included with this release:

default.NullMutator

The first mutator we will look at is the NullMutator.  This mutator has a single test case that does not modify anything.  By default this is the first mutator Peach will use so the first iteration (#1) will produce data that was not modified in anyway to help with debugging of your fuzzer.

string.StringTokenMutator

Next up is the StringTokenMutator.  This mutator is applied to all string elements in a data model.  This mutator will tokenize the strings default value (if any) and perform a number of mutations on the resulting token tree including 1,000 to 2,000 bad strings, removals, additions, duplications, etc.  The string “?key1=value1&key2=value2″ will result in about 40,000 test cases from this mutator.

string.XmlW3CMutator

The XmlW3CMutator will cycle through every XML test case provided by the W3C.  This numerous XML files that have caused faults in various XML parsers.  This mutator will only target string elements that have a hint of type=xml.

string.PathMutator

As one would guess this mutator performs mutations on file system paths including UNC network paths.  In the current beta3 release this mutator is fairly limited but will be expanded for the non-beta 2.1 release.  Additionally, this mutator will only target strings that have a hint of type=path.

string.HostnameMutator

You would also be correct in assuming this mutator performed mutations of hostname.  Again, the mustations performed will be expanded for the 2.1 release, but still currently useful.  This mutator will only target strings that have a hint of type=hostname.

string.FilenameMutator

Finally, I bet you can guess what this mutator does!  That’s right, mutates filenames and filenames that include paths.  This mutator will only target strings that have a hint of type=filename.

number.NumericalEdgeCaseMutator

The NumericalEdgeCaseMutator targets all Number elements in the data model and cycles through a number of interesting numerical edge cases which occur on type boundaries (0, min/max for both signed/unsigned).  Currently we will go from Edge Number - 50 through Edge Number + 50.  This mutator is good at locating certain types of integer overflow related faults.

number.NumericalVarianceMutator

The NumericalVarianceMutator also targets all Number elements in the data model.  This mutator will take the default value and generate a range of values starting with Default Value - 50 through Default Value + 50.

number.FiniteRandomNumbersMutator

This mutator will produce upto 5,000 random numbers between the min/max of a Number element.  This mutator is useful for triggering unpredictable faults.

blob.BitFlipperMutator

This release also includes a simple bit flipper that targets Blob elements in the data model and performs random bit flips based on the size of the blob.  For example the larger the blob the more flips will occur.  This mutator is finite.

datatree.DataTreeRemoveMutator

This mutator will walk our data model and remove nodes one at a time.

datatree.DataTreeDuplicateMutator

Similar to the DataTreeRemoverMutator accept this mutator will walk the data model and duplicate nodes from 2 through 50 duplications of each node.

datatree.DataTreeSwapNearNodesMutator

Finally, the last mutator included with Peach 2.1 will swap sibling nodes in the data model causing the data model to be reagranged.