Slide 1

Slide 1 text

Fuzzing a Text Editor Written in Rust. Rust.Tokyo 2019 LT @Linda_pp @rhysd

Slide 2

Slide 2 text

Kiro https://github.com/rhysd/kiro-editor

Slide 3

Slide 3 text

Kiro
• A UTF-8 text editor for the terminal
• Text editing
• Syntax highlighting
• Incremental search within a file
• Undo/Redo
• True Color (24-bit color) support
• Pure Rust; terminal I/O and nearly everything else is implemented from scratch
• Written while working through 'Build Your Own Text Editor'
• https://viewsourcecode.org/snaptoken/kilo/
https://github.com/rhysd/kiro-editor

Slide 4

Slide 4 text

Rust Tooling in Kiro Project

Unit Testing    cargo test         Perfect
Benchmark       cargo bench        Requires nightly
Test Coverage   tarpaulin          SEGV or works wrongly
Profiling       linux-tools perf   Only on Linux
Fuzzing         cargo fuzz         Requires nightly; only on Linux or macOS

Slide 6

Slide 6 text

Coverage-Guided Fuzzing is…
• Fast
  • Setup is easy; it runs with very little code
• Cheap
  • No execution environment, test cases or data sets to prepare and maintain
• Good
  • Finds crash bugs that unit tests would not catch
• A large track record on the Linux kernel, Chromium and various compilers (*)
https://bugs.chromium.org/p/chromium/issues/list?q=label%3AStability-LibFuzzer%2CStability-AFL%20-status%3ADuplicate%2CWontFix&can=1
https://github.com/rust-fuzz/trophy-case
https://lwn.net/Articles/677764/

Slide 7

Slide 7 text

Setup

$ cargo +nightly install cargo-fuzz
$ cargo fuzz init
$ vim fuzz/fuzz_targets/fuzz_target_1.rs

Slide 8

Slide 8 text

Implementation

// fuzz_target_1.rs
#![no_main]
use libfuzzer_sys::fuzz_target;
// import your own library here

fuzz_target!(|data: &[u8]| {
    // data is a byte sequence generated automatically by the fuzzing algorithm
    // take data as input and call the code you do not want to crash
});

Slide 9

Slide 9 text

Run

$ cargo +nightly fuzz run fuzz_target_1

Slide 10

Slide 10 text

Result

INFO: Seed: 163684666
INFO: Loaded 1 modules (47501 inline 8-bit counters): 47501 [0x1042b7e68, 0x1042c37f5),
INFO: Loaded 1 PC tables (47501 PCs): 47501 [0x1042c37f8,0x10437d0c8),
INFO: 0 files found in /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/corpus/input_text
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 5511 ft: 5511 corp: 1/1b exec/s: 0 rss: 33Mb
#4 NEW cov: 5512 ft: 5512 corp: 2/2b lim: 4 exec/s: 0 rss: 33Mb L: 1/1 MS: 2 ShuffleBytes-ChangeBit-
==47610== ERROR: libFuzzer: deadly signal
#0 0x10471a445 in __sanitizer_print_stack_trace (lib__rustc__clang_rt.asan_osx_dynamic.dylib:x86_64+0x4c445)
#1 0x103dcbe61 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:205
#2 0x103d74cff in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:232
#3 0x103d74c9d in fuzzer::Fuzzer::StaticCrashSignalCallback() FuzzerLoop.cpp:203
snip...
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 ChangeBit-ChangeByte-; base unit: c4488af0c158e8c2832cb927cfb3ce534104cd1e
0x18,
\x18
artifact_prefix='/Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/'; Test unit written to /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/crash-c2143b1a0db17957bec1b41bb2e5f75aa135981e
Base64: GA==

A crash bug was found! The input that triggered it is saved under fuzz/artifacts.
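The setup, implementation and run steps above leave one practical question open: what goes inside the fuzz_target! closure, and what to do with the crash file that lands in fuzz/artifacts. The block below is an added example written for this page; it is not Kiro's code or part of cargo-fuzz, and the Editor type, the Key enum and decode_keys are hypothetical stand-ins for an editor's input handling. The idea it shows is to keep the target's body in a plain function that asserts the editor's invariants, so the libfuzzer_sys wrapper is one line and any saved artifact (the deck's "Base64: GA==" is the single byte 0x18) can be replayed as an ordinary unit test.

```rust
// Added example, not Kiro's or cargo-fuzz's code. Editor, Key and decode_keys
// are hypothetical stand-ins for an editor's input handling.
//
// The wrapper in fuzz/fuzz_targets/input_text.rs would be (needs libfuzzer_sys):
//     #![no_main]
//     use libfuzzer_sys::fuzz_target;
//     fuzz_target!(|data: &[u8]| { fuzz_entry(data); });
// Everything below is std-only and builds as an ordinary crate.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Key { Char(char), Enter, Backspace, Left, Right, Up, Down, Ctrl(u8) }

/// Decode raw terminal bytes into keys. Arbitrary input (invalid UTF-8, truncated
/// escape sequences, stray control bytes) must never panic here.
pub fn decode_keys(data: &[u8]) -> Vec<Key> {
    let mut keys = Vec::new();
    let mut i = 0;
    while i < data.len() {
        match data[i] {
            b'\r' | b'\n' => { keys.push(Key::Enter); i += 1; }
            0x7f | 0x08 => { keys.push(Key::Backspace); i += 1; }
            0x1b if data.get(i + 1) == Some(&b'[') => {
                // ESC [ A..D are arrow keys; an unknown or truncated sequence is dropped.
                let arrows = [(b'A', Key::Up), (b'B', Key::Down), (b'C', Key::Right), (b'D', Key::Left)];
                keys.extend(arrows.iter().filter(|(b, _)| data.get(i + 2) == Some(b)).map(|(_, k)| *k));
                i += 3;
            }
            0x00..=0x1f => { keys.push(Key::Ctrl(data[i])); i += 1; }
            _ => {
                // Run of printable bytes, decoded lossily: invalid UTF-8 becomes U+FFFD.
                let end = data[i..].iter().position(|&c| c < 0x20 || c == 0x7f)
                    .map_or(data.len(), |p| i + p);
                keys.extend(String::from_utf8_lossy(&data[i..end]).chars().map(Key::Char));
                i = end;
            }
        }
    }
    keys
}

/// Minimal text model: lines plus a cursor measured in chars, not bytes.
#[derive(Debug)]
pub struct Editor { pub lines: Vec<String>, pub row: usize, pub col: usize }

impl Editor {
    pub fn new() -> Self { Editor { lines: vec![String::new()], row: 0, col: 0 } }
    pub fn line_chars(&self) -> usize { self.lines[self.row].chars().count() }
    fn byte_idx(&self) -> usize {
        let line = &self.lines[self.row];
        line.char_indices().nth(self.col).map_or(line.len(), |(i, _)| i)
    }
    pub fn handle_key(&mut self, key: Key) {
        match key {
            Key::Char(c) => { let at = self.byte_idx(); self.lines[self.row].insert(at, c); self.col += 1; }
            Key::Enter => {
                let at = self.byte_idx();
                let rest = self.lines[self.row].split_off(at);
                self.lines.insert(self.row + 1, rest);
                self.row += 1;
                self.col = 0;
            }
            Key::Backspace if self.col > 0 => { self.col -= 1; let at = self.byte_idx(); self.lines[self.row].remove(at); }
            Key::Backspace if self.row > 0 => { // join with the previous line
                let cur = self.lines.remove(self.row);
                self.row -= 1;
                self.col = self.line_chars();
                self.lines[self.row].push_str(&cur);
            }
            Key::Backspace => {} // start of buffer: nothing to delete
            Key::Left => self.col = self.col.saturating_sub(1),
            Key::Right => self.col = (self.col + 1).min(self.line_chars()),
            Key::Up => { self.row = self.row.saturating_sub(1); self.col = self.col.min(self.line_chars()); }
            Key::Down => { self.row = (self.row + 1).min(self.lines.len() - 1); self.col = self.col.min(self.line_chars()); }
            Key::Ctrl(_) => {} // unbound control key: ignored
        }
    }
}

/// Fuzz-target body. The asserts turn silent state corruption into a panic that
/// libFuzzer reports and saves, rather than a bug that only surfaces later.
pub fn fuzz_entry(data: &[u8]) -> Editor {
    let mut ed = Editor::new();
    for key in decode_keys(data) {
        ed.handle_key(key);
        assert!(ed.row < ed.lines.len(), "cursor row out of range");
        assert!(ed.col <= ed.line_chars(), "cursor col past end of line");
    }
    ed
}

fn main() {
    // The deck's artifact "Base64: GA==" is the single byte 0x18 (Ctrl-X). A saved
    // fuzz/artifacts/<target>/crash-* file can be replayed the same way via std::fs::read.
    let ed = fuzz_entry(&[0x18]);
    println!("{:?}", ed.lines);
}
```

Because fuzz_entry is a normal function, a crash file copied from fuzz/artifacts can be committed as a regression test, and the same invariant checks run both under the fuzzer and in cargo test.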

Slide 11

Slide 11 text

cargo-fuzz
• Repository → https://github.com/rust-fuzz/cargo-fuzz
• Documentation → https://rust-fuzz.github.io/book/introduction.html
• ✨ → https://github.com/rust-fuzz/trophy-case
• Uses LLVM's libFuzzer by default; can be switched to other fuzzers (afl.rs and so on)
• You can also supply your own corpus

Slide 12

Slide 12 text

Conclusion

Fuzzing (with cargo-fuzz) is cheap, fast and good.
It applies generically to any program that takes input from a user and processes it, so please give it a try.