
Fuzzing Rust Text Editor

Linda_pp
October 26, 2019


Rust.Tokyo LT


Transcript

  1. A Talk on Fuzzing a Text Editor Written in Rust
    Rust.Tokyo 2019 LT
    @Linda_pp
    @rhysd


  2. Kiro
    https://github.com/rhysd/kiro-editor



  3. Kiro
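    • UTF-8 text editor for terminals
    • Text editing
    • Code highlighting
    • Incremental search within a file
    • Undo/Redo
    • True Color (24bit colors) support
    • Pure Rust; almost everything, including terminal input/output, is implemented from scratch
    • Implemented as a learning exercise after reading 'Build Your Own Text Editor'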
    • https://viewsourcecode.org/snaptoken/kilo/
    https://github.com/rhysd/kiro-editor



  4. Rust Tooling in Kiro Project
    • Unit Testing: cargo test (Perfect)
    • Benchmark: cargo bench (Requires nightly)
    • Test Coverage: tarpaulin (SEGV or works wrongly)
    • Profiling: linux-tools (perf) (Only on Linux)
    • Fuzzing: cargo fuzz (Requires nightly; Only on Linux or macOS)


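  6. Coverage-Guided Fuzzing is…
    • Fast
    • Setup is easy. It runs with only a small amount of code
    • Cheap
    • No need to prepare or maintain an execution environment, test cases, or datasets
    • Good
    • Finds crash bugs that unit tests would be unlikely to find
    • Extensive track record in the Linux Kernel, Chromium, and various compilers (*)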
    https://bugs.chromium.org/p/chromium/issues/list?q=label%3AStability-LibFuzzer%2CStability-AFL%20-status%3ADuplicate%2CWontFix&can=1
    https://github.com/rust-fuzz/trophy-case
    https://lwn.net/Articles/677764/



  7. Setup
    $ cargo +nightly install cargo-fuzz
    $ cargo fuzz init
    $ vim fuzz/fuzz_targets/fuzz_target_1.rs



  8. Implementation
    // fuzz_target_1.rs
    #![no_main]
    use libfuzzer_sys::fuzz_target;
    // Import your own library here
    fuzz_target!(|data: &[u8]| {
        // data is a byte sequence generated automatically by the fuzzing algorithm
        // Write the processing that must not crash, using data as its input
    });



  9. Run
    $ cargo +nightly fuzz run fuzz_target_1



  10. Result
    INFO: Seed: 163684666
    INFO: Loaded 1 modules (47501 inline 8-bit counters): 47501 [0x1042b7e68, 0x1042c37f5),
    INFO: Loaded 1 PC tables (47501 PCs): 47501 [0x1042c37f8,0x10437d0c8),
    INFO: 0 files found in /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/corpus/input_text
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: A corpus is not provided, starting from an empty corpus
    #2 INITED cov: 5511 ft: 5511 corp: 1/1b exec/s: 0 rss: 33Mb
    #4 NEW cov: 5512 ft: 5512 corp: 2/2b lim: 4 exec/s: 0 rss: 33Mb L: 1/1 MS: 2 ShuffleBytes-ChangeBit-
    ==47610== ERROR: libFuzzer: deadly signal
    #0 0x10471a445 in __sanitizer_print_stack_trace (lib__rustc__clang_rt.asan_osx_dynamic.dylib:x86_64+0x4c445)
    #1 0x103dcbe61 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:205
    #2 0x103d74cff in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:232
    #3 0x103d74c9d in fuzzer::Fuzzer::StaticCrashSignalCallback() FuzzerLoop.cpp:203
    snip...
    NOTE: libFuzzer has rudimentary signal handlers.
    Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    MS: 2 ChangeBit-ChangeByte-; base unit: c4488af0c158e8c2832cb927cfb3ce534104cd1e
    0x18,
    \x18
    artifact_prefix='/Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/';
    Test unit written to /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/crash-c2143b1a0db17957bec1b41bb2e5f75aa135981e
    Base64: GA==

    Found a crash bug!
    The input that triggered it is saved in fuzz/artifacts


  11. cargo-fuzz
    • Repository → https://github.com/rust-fuzz/cargo-fuzz
    • Documentation → https://rust-fuzz.github.io/book/introduction.html
    • ✨ → https://github.com/rust-fuzz/trophy-case
    • Uses LLVM's libFuzzer by default. Can also be switched to other fuzzers (such as afl.rs)
    • You can also provide your own corpus


  12. Conclusion
    fuzzing (with cargo-fuzz) is cheap, fast, and good.
    It applies generally to any program that receives input from users and processes it, so please give it a try.


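An added example (not from the slides and not Kiro's code): the empty fuzz target body from slide 8 filled in against a hypothetical, minimal `Editor` that consumes raw terminal bytes and checks a cursor invariant on every input. `Editor`, `feed`, `key` and `fuzz_one` are assumed names; `main` replays the crashing input `0x18` from slide 10 alongside constructed inputs, the way a saved artifact becomes a regression case.

```rust
// Added example: hypothetical stand-in for an editor's input handling (not Kiro's code).
pub struct Editor { text: Vec<char>, cursor: usize }
impl Editor {
    pub fn new() -> Self { Editor { text: Vec::new(), cursor: 0 } }
    /// Feed raw terminal bytes: valid UTF-8 is handled as keys, invalid bytes are skipped.
    pub fn feed(&mut self, mut rest: &[u8]) {
        while !rest.is_empty() {
            let valid = match std::str::from_utf8(rest) {
                Ok(s) => s,
                Err(e) => std::str::from_utf8(&rest[..e.valid_up_to()]).unwrap(),
            };
            if valid.is_empty() {
                rest = &rest[1..]; // drop one undecodable byte and resynchronise
                continue;
            }
            valid.chars().for_each(|c| self.key(c));
            rest = &rest[valid.len()..];
        }
    }
    fn key(&mut self, c: char) {
        match c {
            '\x02' => self.cursor = self.cursor.saturating_sub(1), // Ctrl-B: left
            '\x06' => self.cursor = (self.cursor + 1).min(self.text.len()), // Ctrl-F: right
            '\x08' | '\x7f' if self.cursor > 0 => {
                self.cursor -= 1; // backspace removes the char before the cursor
                self.text.remove(self.cursor);
            }
            c if c.is_control() => {} // unbound control keys such as 0x18 are ignored
            c => {
                self.text.insert(self.cursor, c);
                self.cursor += 1;
            }
        }
    }
}

/// Body for `fuzz_target!(|data: &[u8]| { fuzz_one(data); });` under cargo-fuzz.
pub fn fuzz_one(data: &[u8]) -> usize {
    let mut ed = Editor::new();
    ed.feed(data);
    // Invariant checked on every input; a panic here makes libFuzzer save the input.
    assert!(ed.cursor <= ed.text.len(), "cursor out of bounds");
    ed.text.len()
}
fn main() {
    // 0x18 is the crashing input from the run on slide 10 (Base64: GA==); the rest are constructed.
    let cases: [&[u8]; 3] = [b"\x18", b"ab\x7f\x02c", b"a\xffb"];
    for c in cases.iter() { println!("{:?} -> {} chars", c, fuzz_one(c)); }
}
```

Keeping the harness body in a plain function lets the same code run under `cargo test` on stable, while the `fuzz_target!` wrapper stays a one-line call.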