Fuzzing Rust Text Editor

Linda_pp
October 26, 2019

Rust.Tokyo LT

Transcript

Slide 3

    Kiro
    • A UTF-8 text editor for the terminal
    • Text editing
    • Syntax highlighting
    • Incremental search within a file
    • Undo/Redo
    • True Color (24-bit colors) support
    • Written in pure Rust; terminal I/O and almost everything else is implemented from scratch
    • Implemented while studying 'Build Your Own Text Editor'
    https://viewsourcecode.org/snaptoken/kilo/
    https://github.com/rhysd/kiro-editor
Slide 4

    Rust Tooling in Kiro Project

    Unit Testing     cargo test          Perfect
    Benchmark        cargo bench         Requires nightly
    Test Coverage    tarpaulin           SEGV or works wrongly
    Profiling        linux tools (perf)  Only on Linux
    Fuzzing          cargo fuzz          Requires nightly; only on Linux or macOS
Slide 6

    Coverage-Guided Fuzzing is...
    • Fast
      • Setup is easy; it runs with very little code
    • Cheap
      • No need to prepare or maintain an execution environment, test cases, or data sets
    • Good
      • Finds crash bugs that unit tests cannot find
    • Large track record in the Linux Kernel, Chromium, and various compilers (*)
    https://bugs.chromium.org/p/chromium/issues/list?q=label%3AStability-LibFuzzer%2CStability-AFL%20-status%3ADuplicate%2CWontFix&can=1
    https://github.com/rust-fuzz/trophy-case
    https://lwn.net/Articles/677764/
Slide 7

    Setup

    $ cargo +nightly install cargo-fuzz
    $ cargo fuzz init
    $ vim fuzz/fuzz_targets/fuzz_target_1.rs
Slide 8

    Implementation

    // fuzz_target_1.rs
    #![no_main]
    use libfuzzer_sys::fuzz_target;
    // Import your own library here

    fuzz_target!(|data: &[u8]| {
        // data is a byte sequence generated automatically by the fuzzing algorithm
        // Using data as the input, write the processing you do not want to crash
    });
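As an added example, not code from the slides or from the kiro-editor project, here is the kind of editor logic such a target would call: a naive line-insert that panics when a column lands inside a multi-byte character, the hardened form beside it, and an entry function that takes the fuzzer's bytes so the same code runs under cargo fuzz and in unit tests (LineBuffer, insert_naive and fuzz_entry are assumed names).

```rust
// Added example (not from the slides or kiro-editor): editor logic of the kind a
// fuzz target exercises. LineBuffer, insert_naive and fuzz_entry are assumed names.
/// One line of text, addressed by character column as an editor does.
pub struct LineBuffer {
    text: String,
}

impl LineBuffer {
    pub fn new(s: &str) -> Self {
        LineBuffer { text: s.to_string() }
    }

    /// Naive insertion that treats the column as a byte offset.
    /// `String::insert` panics if `col` falls inside a multi-byte UTF-8
    /// character, which happens as soon as the line holds a non-ASCII char.
    pub fn insert_naive(&mut self, col: usize, ch: char) {
        self.text.insert(col, ch);
    }

    /// Hardened insertion: translate the column to a char boundary and clamp
    /// past-the-end columns to the end of the line, so no input can panic.
    pub fn insert(&mut self, col: usize, ch: char) {
        let byte_idx = self
            .text
            .char_indices()
            .nth(col)
            .map(|(i, _)| i)
            .unwrap_or(self.text.len());
        self.text.insert(byte_idx, ch);
    }

    pub fn as_str(&self) -> &str {
        &self.text
    }
}

/// Body of the fuzz target: decode the fuzzer's bytes as an edit script
/// (constructed encoding: pairs of column byte, character byte) and apply it.
/// Returning the text lets unit tests and crash-artifact replays assert on it.
/// In fuzz/fuzz_targets/fuzz_target_1.rs this is all the closure needs:
///   fuzz_target!(|data: &[u8]| { let _ = fuzz_entry(data); });
pub fn fuzz_entry(data: &[u8]) -> String {
    let mut buf = LineBuffer::new("");
    for pair in data.chunks_exact(2) {
        // Every u8 is a valid char (Latin-1), so this conversion cannot fail.
        buf.insert(pair[0] as usize, char::from(pair[1]));
    }
    buf.text
}
```

A saved crash artifact can be replayed through the same entry point with `cargo fuzz run fuzz_target_1 <artifact path>`, which is how a fix is confirmed before the input is added to the corpus.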
Slide 10

    Result

    INFO: Seed: 163684666
    INFO: Loaded 1 modules (47501 inline 8-bit counters): 47501 [0x1042b7e68, 0x1042c37f5),
    INFO: Loaded 1 PC tables (47501 PCs): 47501 [0x1042c37f8,0x10437d0c8),
    INFO: 0 files found in /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/corpus/input_text
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: A corpus is not provided, starting from an empty corpus
    #2 INITED cov: 5511 ft: 5511 corp: 1/1b exec/s: 0 rss: 33Mb
    #4 NEW cov: 5512 ft: 5512 corp: 2/2b lim: 4 exec/s: 0 rss: 33Mb L: 1/1 MS: 2 ShuffleBytes-ChangeBit-
    ==47610== ERROR: libFuzzer: deadly signal
        #0 0x10471a445 in __sanitizer_print_stack_trace (lib__rustc__clang_rt.asan_osx_dynamic.dylib:x86_64+0x4c445)
        #1 0x103dcbe61 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:205
        #2 0x103d74cff in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:232
        #3 0x103d74c9d in fuzzer::Fuzzer::StaticCrashSignalCallback() FuzzerLoop.cpp:203
    snip...
    NOTE: libFuzzer has rudimentary signal handlers.
          Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    MS: 2 ChangeBit-ChangeByte-; base unit: c4488af0c158e8c2832cb927cfb3ce534104cd1e
    0x18,
    \x18
    artifact_prefix='/Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/'; Test unit written to /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/crash-c2143b1a0db17957bec1b41bb2e5f75aa135981e
    Base64: GA==

    A crash bug was found! The input that triggered it is saved under fuzz/artifacts.
Slide 11

    cargo-fuzz
    • Repository → https://github.com/rust-fuzz/cargo-fuzz
    • Documentation → https://rust-fuzz.github.io/book/introduction.html
    • ✨ → https://github.com/rust-fuzz/trophy-case
    • Uses LLVM's libFuzzer by default; you can switch to other fuzzers (afl.rs, etc.)
    • You can also provide your own corpus