Dynamic: add Fuzzy token

[asgerf]

Adds a Fuzzy token to the identifying access path for all dynamic languages, which will match, loosely speaking, an arbitrary series of operations.

For example, suppose we wanted to add a SQL injection sink for the query method in the mysql package, but we don't have a detailed enough knowledge of the library to do this precisely. So we just write the model like this:

mysql; Fuzzy.Member[query].Argument[0]; sql-injection

This would match all query calls whose receiver is an object that appears to come from the mysql package. The latter criterion comes from "tracking through an arbitrary series of operations".

This can serve as a foundation for a dedicated extension point for fuzzy models. An entry in such a fuzzy model might simply look like:

mysql; query; Argument[0]; sql-injection

[yoff]

Python 👍
And thanks for implementing this for Python, also! 💪
I suppose that in getAFuzzySuccessor we should make sure to avoid loops and that is why self parameters are avoided in Ruby. The Python implementation does look loop-free as far as I can tell. Do the DCA runs actually test the new feature, if we have no fuzzy specifications yet?

[alexrford]

Ruby LGTM - I've played around with this a bit and it seems potentially very useful for modeling automation.

[alexrford]

I guess that this means that "FuzzyLib!;Fuzzy.<path>;test-sink" will find strictly more results than "FuzzyLib;Fuzzy.<path>;test-sink"?

[asgerf]

Yes, slightly unfortunate and probably not a user experience for beginners.

I'm thinking if we add a dedicated extensible predicate for fuzzy models, it would translate into regular models that use both FuzzyLib and FuzzyLib! as the initial type. Or perhaps we could add FuzzyLib! as a fuzzy successor of FuzzyLib.

[alexrford]

The current behaviour does make sense under the mindset of "FuzzyLib.new is just another method", but it was initially unintuitive for me because I was thinking of object instantiation as something separate from a regular class method call.