Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fuzzing Rust Text Editor

Linda_pp
October 26, 2019

Fuzzing Rust Text Editor

Rust.Tokyo LT

Linda_pp

October 26, 2019
Tweet

More Decks by Linda_pp

Other Decks in Programming

Transcript

  1. Rust ੡ςΩετΤσΟλͰ
    Fuzzing ͢Δ࿩
    Rust.Tokyo 2019 LT
    @Linda_pp
    @rhysd

    View full-size slide

  2. Kiro
    https://github.com/rhysd/kiro-editor


    View full-size slide

  3. Kiro
    • λʔϛφϧ༻ UTF-8 ςΩετΤσΟλ
    • ςΩετฤू
    • ίʔυϋΠϥΠτ
    • ϑΝΠϧ಺ΠϯΫϦϝϯλϧݕࡧ
    • Undo/Redo
    • True Color (24bit colors) ରԠ
    • ७ Rust ੡Ͱλʔϛφϧͷೖग़ྗͳͲ΄΅શͯࣗલ࣮૷
    • 'Build Your Own Text Editor' ΛಡΜͰษڧ࣮ͯ͠૷
    • https://viewsourcecode.org/snaptoken/kilo/
    https://github.com/rhysd/kiro-editor


    View full-size slide

  4. Rust Tooling in Kiro Project
    6OJU5FTUJOH DBSHPUFTU
    1FSGFDU
    #FODINBSL DBSHPCFODI
    3FRVJSFTOJHIUMZ
    5FTU
    $PWFSBHF
    UBSQBVMJO
    4&(7PSXPSLT
    XSPOHMZ
    1SPpMJOH
    MJOVYUPPMT
    QFSG

    0OMZPO-JOVY
    'V[[JOH DBSHPGV[[
    3FRVJSFTOJHIUMZ
    0OMZPO-JOVYPS
    NBD04


    View full-size slide

  5. Rust Tooling in Kiro Project
    6OJU5FTUJOH DBSHPUFTU
    1FSGFDU
    #FODINBSL DBSHPCFODI
    3FRVJSFTOJHIUMZ
    5FTU
    $PWFSBHF
    UBSQBVMJO
    4&(7PSXPSLT
    XSPOHMZ
    1SPpMJOH
    MJOVYUPPMT
    QFSG

    0OMZPO-JOVY
    'V[[JOH DBSHPGV[[
    3FRVJSFTOJHIUMZ
    0OMZPO-JOVYPS
    NBD04


    View full-size slide

  6. Coverage-Guided Fuzzing ͸…
    • ଎͍
    • ηοτΞοϓ͕؆୯ɽগͳ͍ίʔυͰ؆୯ʹಈ͔ͤΔ
    • ͍҆
    • ࣮ߦ؀ڥ΍ςετέʔε΍σʔληοτͷ४උɾϝϯςඞཁͳ͠
    • ͏·͍
    • ୯ମςετͰ͸ݟ͚ͭΒΕͳ͍Α͏ͳΫϥογϡόάΛݟ͚ͭΒ
    ΕΔ
    • Linux Kernel, Chromium, ֤छίϯύΠϥͰେྔͷ࣮੷͋Γʢ˞ʣ
    https://bugs.chromium.org/p/chromium/issues/list?q=label%3AStability-LibFuzzer%2CStability-AFL%20-status%3ADuplicate%2CWontFix&can=1
    https://github.com/rust-fuzz/trophy-case
    https://lwn.net/Articles/677764/


    View full-size slide

  7. $ cargo +nightly install cargo-fuzz
    $ cargo fuzz init
    $ vim fuzz/fuzz_targets/fuzz_target_1.rs
    ηοτΞοϓ


    View full-size slide

  8. ࣮૷
    // fuzz_target_1.rs
    #![no_main]
    use libfuzzer_sys::fuzz_target;
    // ͜͜Ͱࣗ෼ͷϥΠϒϥϦΛΠϯϙʔτ
    fuzz_target!(|data: &[u8]| {
    // data ͸ fuzzing ͷΞϧΰϦζϜͰࣗಈੜ੒͞ΕΔόΠτྻ
    // data Λೖྗͱͯ͠ɼΫϥογϡͯ͠΄͘͠ͳ͍ॲཧΛॻ͘
    });


    View full-size slide

  9. $ cargo +nightly fuzz run fuzz_target_1
    ࣮ߦ


    View full-size slide

  10. INFO: Seed: 163684666
    INFO: Loaded 1 modules (47501 inline 8-bit counters): 47501 [0x1042b7e68, 0x1042c37f5),
    INFO: Loaded 1 PC tables (47501 PCs): 47501 [0x1042c37f8,0x10437d0c8),
    INFO: 0 files found in /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/corpus/
    input_text
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: A corpus is not provided, starting from an empty corpus
    #2 INITED cov: 5511 ft: 5511 corp: 1/1b exec/s: 0 rss: 33Mb
    #4 NEW cov: 5512 ft: 5512 corp: 2/2b lim: 4 exec/s: 0 rss: 33Mb L: 1/1 MS: 2 ShuffleBytes-
    ChangeBit-
    ==47610== ERROR: libFuzzer: deadly signal
    #0 0x10471a445 in __sanitizer_print_stack_trace
    (lib__rustc__clang_rt.asan_osx_dynamic.dylib:x86_64+0x4c445)
    #1 0x103dcbe61 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:205
    #2 0x103d74cff in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:232
    #3 0x103d74c9d in fuzzer::Fuzzer::StaticCrashSignalCallback() FuzzerLoop.cpp:203
    snip...
    NOTE: libFuzzer has rudimentary signal handlers.
    Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    MS: 2 ChangeBit-ChangeByte-; base unit: c4488af0c158e8c2832cb927cfb3ce534104cd1e
    0x18,
    \x18
    artifact_prefix='/Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/';
    Test unit written to /Users/rhayasd/Develop/github.com/rhysd/kiro-editor/fuzz/artifacts/input_text/
    crash-c2143b1a0db17957bec1b41bb2e5f75aa135981e
    Base64: GA==
    ݁Ռ


    ΫϥογϡόάΛൃݟʂ
    GV[[BSUJGBDUTʹͦͷ࣌ͷೖྗ͕อଘ͞ΕΔ

    View full-size slide

  11. cargo-fuzz
    • ϦϙδτϦ → https://github.com/rust-fuzz/cargo-fuzz
    • υΩϡϝϯτ → https://rust-fuzz.github.io/book/
    introduction.html
    • ✨ → https://github.com/rust-fuzz/trophy-case
    • σϑΥϧτͰ LLVM ͷ libFuzzer Λ࢖͏ɽଞͷ fuzzerʢafl.rs
    ͳͲʣʹ΋੾Γସ͑ΒΕΔ
    • ࣗ෼Ͱ corpus Λ༻ҙ͢Δ͜ͱ΋Ͱ͖Δ

    View full-size slide

  12. ݁࿦
    fuzzing (with cargo-fuzz) ͸
    ͍҆ɾ଎͍ɾ͏·͍
    ԿΒ͔ͷೖྗΛϢʔβ͔Βड͚औΓॲཧ͢Δ
    ϓϩάϥϜશൠʹ൚༻తʹ࢖͑ΔͷͰɼੋඇ
    ࢼͯ͠Έ͍ͯͩ͘͞


    View full-size slide