Files

T

Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization

10_Wiki/Topics 대규모 정리:
- 오류 캡처/미완성 stub 문서 227개 제거
- 교차폴더 중복 43클러스터 병합 (63파일 → redirect)
- 링크명 정규화: 깨진 링크 수정·redirect 직결·개념 매핑 ~2,400건
- 카테고리 MOC 6개 신규 생성
- Graph 섹션 미해결 related-keyword 링크 10,058건 제거

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-20 23:52:15 +09:00

5.0 KiB

Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

title

Fuzzing

매 한 줄

"매 random/mutated input 으로 crash, hang, UB 의 hunt". 매 1988 Miller (Wisconsin) 의 random input shell experiment 가 origin. 2026 현재 매 coverage-guided (AFL++, libFuzzer, Honggfuzz), structure-aware (libprotobuf-mutator), grammar-based (Nautilus), LLM-augmented (OSS-Fuzz Gen) 가 mainstream. Google OSS-Fuzz 가 100K+ bug 발견, Chrome/Linux kernel/OpenSSL 의 routine workflow.

매 핵심

매 fuzzing categories

Black-box (dumb): random input, no instrumentation. 매 zzuf, radamsa.
Coverage-guided (grey-box): input 의 mutation + branch coverage feedback. 매 AFL++, libFuzzer, Honggfuzz.
White-box (concolic): symbolic execution + solver. 매 KLEE, SAGE.
Structure-aware: protobuf, JSON 의 grammar 의 valid input. 매 libprotobuf-mutator, FuzzGrammar.
Differential: 매 동일 input 을 두 implementation 에 → divergence 의 bug.

매 sanitizers

ASan (heap/stack OOB, UAF), UBSan (UB), MSan (uninit read), TSan (data race), LSan (leak).
매 fuzzing 의 corpus 는 sanitizer 와 함께 build 의 mandatory.

매 응용

Memory-safety bug discovery (C/C++ codebases).
Parser hardening (image, video, network protocols).
Browser engine (V8 fuzzilli, JSC fuzzer).
Crypto library (OpenSSL, BoringSSL via OSS-Fuzz).

💻 패턴

libFuzzer (C++)

// fuzz_target.cc — clang -fsanitize=fuzzer,address fuzz_target.cc parser.cc
#include <stdint.h>
#include <stddef.h>
#include "parser.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < 4) return 0;
  Parser p;
  p.Parse(reinterpret_cast<const char*>(data), size);  // ASan catches OOB/UAF
  return 0;
}

cargo-fuzz (Rust)

// fuzz/fuzz_targets/parse.rs
#![no_main]
use libfuzzer_sys::fuzz_target;

fuzz_target!(|data: &[u8]| {
    if let Ok(s) = std::str::from_utf8(data) {
        let _ = mycrate::parse(s);  // panics 는 fuzz crash 로 catch
    }
});

cargo fuzz run parse -- -max_total_time=600

Go native fuzzing (1.18+)

func FuzzParseURL(f *testing.F) {
    f.Add("http://example.com")
    f.Fuzz(func(t *testing.T, s string) {
        u, err := url.Parse(s)
        if err == nil && u.String() != s && url.QueryEscape(u.String()) == "" {
            t.Errorf("roundtrip mismatch: %q", s)
        }
    })
}

go test -fuzz=FuzzParseURL -fuzztime=10m

AFL++ (compile-time instrumentation)

CC=afl-clang-fast CXX=afl-clang-fast++ ./configure
make -j8
mkdir in; echo "seed" > in/0
afl-fuzz -i in -o out -- ./target @@

Structure-aware (libprotobuf-mutator)

DEFINE_PROTO_FUZZER(const my::Message& msg) {
  HandleMessage(msg);  // valid proto guaranteed → deeper coverage
}

OSS-Fuzz integration

FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get install -y libssl-dev
COPY . $SRC/myproject
COPY build.sh $SRC/
WORKDIR $SRC/myproject

매 결정 기준

상황	Approach
C/C++ memory bug hunt	libFuzzer + ASan/UBSan
Rust panic / logic bug	cargo-fuzz
Network protocol parser	AFL++ + structure-aware mutator
Two implementations comparison	Differential fuzzing
Continuous (open-source)	OSS-Fuzz
Grammar-rich (JS, SQL)	Grammar-based (Nautilus, fuzzilli)

기본값: 매 coverage-guided (libFuzzer/AFL++) + ASan + corpus minimization + CI 에 5min smoke.

🔗 Graph

부모: DAST (동적 애플리케이션 보안 테스트)
변형: SCA (소프트웨어 구성 분석)
응용: OSS-Fuzz · V8 엔진 힙 아키텍처
Adjacent: Property-Based Testing

🤖 LLM 활용

언제: 매 untrusted input 의 parser, codec, deserializer 가 있는 경우. 매 security-critical library 의 release 전 mandatory. 언제 X: pure functional code 의 deterministic 한 input space (property-based testing 이 더 적절). 매 GUI / network state-heavy code.

❌ 안티패턴

Sanitizer 없이 fuzz: 매 silent corruption 을 miss. 매 ASan 의 mandatory.
Seed corpus 없음: 매 coverage 의 plateau 가 빠름. 매 valid sample 10-100 개 의 seed.
CI 에 30s 만 fuzz: 매 너무 짧음. 매 minimum 10min, ideal continuous (OSS-Fuzz pattern).
Crash 만 의 focus: 매 hang, OOM, slow input 도 bug. 매 timeout / rss_limit 설정.

🧪 검증 / 중복

Verified (Miller 1990 "Empirical Study of Reliability of UNIX Utilities"; AFL++ docs; OSS-Fuzz reports).
신뢰도 A.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — coverage-guided + sanitizers + OSS-Fuzz

5.0 KiB Raw Blame History