Fuzzing Rust Text Editor

Transcript

1. Rust ੡ςΩετΤσΟλͰ Fuzzing ͢Δ࿩ Rust.Tokyo 2019 LT @Linda_pp @rhysd

2. Kiro https://github.com/rhysd/kiro-editor
   

3. Kiro • λʔϛφϧ༻ UTF-8 ςΩετΤσΟλ • ςΩετฤू • ίʔυϋΠϥΠτ •

   ϑΝΠϧ಺ΠϯΫϦϝϯλϧݕࡧ • Undo/Redo • True Color (24bit colors) ରԠ • ७ Rust ੡Ͱλʔϛφϧͷೖग़ྗͳͲ΄΅શͯࣗલ࣮૷ • 'Build Your Own Text Editor' ΛಡΜͰษڧ࣮ͯ͠૷ • https://viewsourcecode.org/snaptoken/kilo/ https://github.com/rhysd/kiro-editor
   

4. Rust Tooling in Kiro Project 6OJU
   5FTUJOH DBSHP
   UFTU 1FSGFDU #FODINBSL DBSHP
   CFODI

   3FRVJSFT
   OJHIUMZ 5FTU
   $PWFSBHF UBSQBVMJO 4&(7
   PS
   XPSLT
   XSPOHMZ 1SPpMJOH MJOVY
   UPPMT
   QFSG 0OMZ
   PO
   -JOVY 'V[[JOH DBSHP
   GV[[ 3FRVJSFT
   OJHIUMZ
   0OMZ
   PO
   -JOVY
   PS
   NBD04
   

5. Rust Tooling in Kiro Project 6OJU
   5FTUJOH DBSHP
   UFTU 1FSGFDU #FODINBSL DBSHP
   CFODI

   3FRVJSFT
   OJHIUMZ 5FTU
   $PWFSBHF UBSQBVMJO 4&(7
   PS
   XPSLT
   XSPOHMZ 1SPpMJOH MJOVY
   UPPMT
   QFSG 0OMZ
   PO
   -JOVY 'V[[JOH DBSHP
   GV[[ 3FRVJSFT
   OJHIUMZ
   0OMZ
   PO
   -JOVY
   PS
   NBD04
   

6. Coverage-Guided Fuzzing ͸… • ଎͍ • ηοτΞοϓ͕؆୯ɽগͳ͍ίʔυͰ؆୯ʹಈ͔ͤΔ • ͍҆ •

   ࣮ߦ؀ڥ΍ςετέʔε΍σʔληοτͷ४උɾϝϯςඞཁͳ͠ • ͏·͍ • ୯ମςετͰ͸ݟ͚ͭΒΕͳ͍Α͏ͳΫϥογϡόάΛݟ͚ͭΒ ΕΔ • Linux Kernel, Chromium, ֤छίϯύΠϥͰେྔͷ࣮੷͋Γʢ˞ʣ https://bugs.chromium.org/p/chromium/issues/list?q=label%3AStability-LibFuzzer%2CStability-AFL%20-status%3ADuplicate%2CWontFix&can=1 https://github.com/rust-fuzz/trophy-case https://lwn.net/Articles/677764/
   

7. $ cargo +nightly install cargo-fuzz $ cargo fuzz init $

   vim fuzz/fuzz_targets/fuzz_target_1.rs ηοτΞοϓ
   

8. ࣮૷ // fuzz_target_1.rs #![no_main] use libfuzzer_sys::fuzz_target; // ͜͜Ͱࣗ෼ͷϥΠϒϥϦΛΠϯϙʔτ fuzz_target!(|data: &[u8]|

   { // data ͸ fuzzing ͷΞϧΰϦζϜͰࣗಈੜ੒͞ΕΔόΠτྻ // data Λೖྗͱͯ͠ɼΫϥογϡͯ͠΄͘͠ͳ͍ॲཧΛॻ͘ });
   

9. $ cargo +nightly fuzz run fuzz_target_1 ࣮ߦ
   

10. INFO: Seed: 163684666 INFO: Loaded 1 modules (47501 inline 8-bit

    counters): 47501 [0x1042b7e68, 0x1042c37f5), INFO: Loaded 1 PC tables (47501 PCs): 47501 [0x1042c37f8,0x10437d0c8), INFO: 0 files found in /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/corpus/ input_text INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes INFO: A corpus is not provided, starting from an empty corpus #2 INITED cov: 5511 ft: 5511 corp: 1/1b exec/s: 0 rss: 33Mb #4 NEW cov: 5512 ft: 5512 corp: 2/2b lim: 4 exec/s: 0 rss: 33Mb L: 1/1 MS: 2 ShuffleBytes- ChangeBit- ==47610== ERROR: libFuzzer: deadly signal #0 0x10471a445 in __sanitizer_print_stack_trace (lib__rustc__clang_rt.asan_osx_dynamic.dylib:x86_64+0x4c445) #1 0x103dcbe61 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:205 #2 0x103d74cff in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:232 #3 0x103d74c9d in fuzzer::Fuzzer::StaticCrashSignalCallback() FuzzerLoop.cpp:203 snip... NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. SUMMARY: libFuzzer: deadly signal MS: 2 ChangeBit-ChangeByte-; base unit: c4488af0c158e8c2832cb927cfb3ce534104cd1e 0x18, \x18 artifact_prefix='/Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/'; Test unit written to /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/ crash-c2143b1a0db17957bec1b41bb2e5f75aa135981e Base64: GA== ݁Ռ
     ΫϥογϡόάΛൃݟʂ
    GV[[BSUJGBDUT
    ʹͦͷ࣌ͷೖྗ͕อଘ͞ΕΔ

11. cargo-fuzz • ϦϙδτϦ → https://github.com/rust-fuzz/cargo-fuzz • υΩϡϝϯτ → https://rust-fuzz.github.io/book/ introduction.html

    • ✨ → https://github.com/rust-fuzz/trophy-case • σϑΥϧτͰ LLVM ͷ libFuzzer Λ࢖͏ɽଞͷ fuzzerʢafl.rs ͳͲʣʹ΋੾Γସ͑ΒΕΔ • ࣗ෼Ͱ corpus Λ༻ҙ͢Δ͜ͱ΋Ͱ͖Δ

12. ݁࿦ fuzzing (with cargo-fuzz) ͸ ͍҆ɾ଎͍ɾ͏·͍ ԿΒ͔ͷೖྗΛϢʔβ͔Βड͚औΓॲཧ͢Δ ϓϩάϥϜશൠʹ൚༻తʹ࢖͑ΔͷͰɼੋඇ ࢼͯ͠Έ͍ͯͩ͘͞