bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b64b5199f83bf6fd4604f709e3d42a5b8ce758f5
2nd/10_Wiki/Topics/Programming & Language/Fuzzing.md
T
Antigravity Agent 504fd5fb42 [G1-Sync] Manual knowledge update
2026-05-10 22:08:15 +09:00

5.0 KiB
Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack
id title category status canonical_id aliases duplicate_of source_trust_level confidence_score verification_status tags raw_sources last_reinforced github_commit tech_stack
wiki-2026-0508-fuzzing Fuzzing 10_Wiki/Topics verified self
Fuzz Testing
Coverage-Guided Fuzzing
none A 0.9 applied
security
testing
dast
2026-05-10 pending
language framework
C/Rust/Go AFL++/libFuzzer/cargo-fuzz

Fuzzing

매 한 줄

"매 random/mutated input 으로 crash, hang, UB 의 hunt". 매 1988 Miller (Wisconsin) 의 random input shell experiment 가 origin. 2026 현재 매 coverage-guided (AFL++, libFuzzer, Honggfuzz), structure-aware (libprotobuf-mutator), grammar-based (Nautilus), LLM-augmented (OSS-Fuzz Gen) 가 mainstream. Google OSS-Fuzz 가 100K+ bug 발견, Chrome/Linux kernel/OpenSSL 의 routine workflow.

매 핵심

매 fuzzing categories

  • Black-box (dumb): random input, no instrumentation. 매 zzuf, radamsa.
  • Coverage-guided (grey-box): input 의 mutation + branch coverage feedback. 매 AFL++, libFuzzer, Honggfuzz.
  • White-box (concolic): symbolic execution + solver. 매 KLEE, SAGE.
  • Structure-aware: protobuf, JSON 의 grammar 의 valid input. 매 libprotobuf-mutator, FuzzGrammar.
  • Differential: 매 동일 input 을 두 implementation 에 → divergence 의 bug.

매 sanitizers

  • ASan (heap/stack OOB, UAF), UBSan (UB), MSan (uninit read), TSan (data race), LSan (leak).
  • 매 fuzzing 의 corpus 는 sanitizer 와 함께 build 의 mandatory.

매 응용

  1. Memory-safety bug discovery (C/C++ codebases).
  2. Parser hardening (image, video, network protocols).
  3. Browser engine (V8 fuzzilli, JSC fuzzer).
  4. Crypto library (OpenSSL, BoringSSL via OSS-Fuzz).

💻 패턴

libFuzzer (C++)

// fuzz_target.cc — clang -fsanitize=fuzzer,address fuzz_target.cc parser.cc
#include <stdint.h>
#include <stddef.h>
#include "parser.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < 4) return 0;
  Parser p;
  p.Parse(reinterpret_cast<const char*>(data), size);  // ASan catches OOB/UAF
  return 0;
}

cargo-fuzz (Rust)

// fuzz/fuzz_targets/parse.rs
#![no_main]
use libfuzzer_sys::fuzz_target;

fuzz_target!(|data: &[u8]| {
    if let Ok(s) = std::str::from_utf8(data) {
        let _ = mycrate::parse(s);  // panics 는 fuzz crash 로 catch
    }
});

cargo fuzz run parse -- -max_total_time=600

Go native fuzzing (1.18+)

func FuzzParseURL(f *testing.F) {
    f.Add("http://example.com")
    f.Fuzz(func(t *testing.T, s string) {
        u, err := url.Parse(s)
        if err == nil && u.String() != s && url.QueryEscape(u.String()) == "" {
            t.Errorf("roundtrip mismatch: %q", s)
        }
    })
}

go test -fuzz=FuzzParseURL -fuzztime=10m

AFL++ (compile-time instrumentation)

CC=afl-clang-fast CXX=afl-clang-fast++ ./configure
make -j8
mkdir in; echo "seed" > in/0
afl-fuzz -i in -o out -- ./target @@

Structure-aware (libprotobuf-mutator)

DEFINE_PROTO_FUZZER(const my::Message& msg) {
  HandleMessage(msg);  // valid proto guaranteed → deeper coverage
}

OSS-Fuzz integration

FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get install -y libssl-dev
COPY . $SRC/myproject
COPY build.sh $SRC/
WORKDIR $SRC/myproject

매 결정 기준

상황 Approach
C/C++ memory bug hunt libFuzzer + ASan/UBSan
Rust panic / logic bug cargo-fuzz
Network protocol parser AFL++ + structure-aware mutator
Two implementations comparison Differential fuzzing
Continuous (open-source) OSS-Fuzz
Grammar-rich (JS, SQL) Grammar-based (Nautilus, fuzzilli)

기본값: 매 coverage-guided (libFuzzer/AFL++) + ASan + corpus minimization + CI 에 5min smoke.

🔗 Graph

  • 부모: DAST (동적 애플리케이션 보안 테스트)
  • 변형: SCA (소프트웨어 구성 분석)
  • 응용: OSS-Fuzz · V8 엔진 힙 아키텍처
  • Adjacent: Symbolic Execution · Property-Based Testing

🤖 LLM 활용

언제: 매 untrusted input 의 parser, codec, deserializer 가 있는 경우. 매 security-critical library 의 release 전 mandatory. 언제 X: pure functional code 의 deterministic 한 input space (property-based testing 이 더 적절). 매 GUI / network state-heavy code.

안티패턴

  • Sanitizer 없이 fuzz: 매 silent corruption 을 miss. 매 ASan 의 mandatory.
  • Seed corpus 없음: 매 coverage 의 plateau 가 빠름. 매 valid sample 10-100 개 의 seed.
  • CI 에 30s 만 fuzz: 매 너무 짧음. 매 minimum 10min, ideal continuous (OSS-Fuzz pattern).
  • Crash 만 의 focus: 매 hang, OOM, slow input 도 bug. 매 timeout / rss_limit 설정.

🧪 검증 / 중복

  • Verified (Miller 1990 "Empirical Study of Reliability of UNIX Utilities"; AFL++ docs; OSS-Fuzz reports).
  • 신뢰도 A.

🕓 Changelog

날짜 변경
2026-05-08 Phase 1
2026-05-10 Manual cleanup — coverage-guided + sanitizers + OSS-Fuzz
Reference in New Issue View Git Blame Copy Permalink