Opened 12 months ago

Last modified 9 months ago

#26265 needs_revision enhancement

A proposal and demo for a fuzzing system that works with Rust through C code

Reported by: debily
Owned by:
Priority: Low
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Trivial
Keywords: fuzzing, Rust, afl, 035-removed-20180711
Cc: chelseakomlo, isis
Actual Points:
Parent ID: #24265
Points:
Reviewer: nickm
Sponsor:

Description

I've implemented a demo for fuzzing Rust code and C code at the same time. I hope I can address #25386 with that by using cargo afl. Though I would like to have this system approved first before I write code for a PR.

Child Tickets

Attachments (1)

testlib.tar.gz (1.4 KB) - added by debily 12 months ago.
make install-depends && make run will start the fuzzer. afl-gcc can be provided by setting AFL_CC.


Change History (10)

Changed 12 months ago by debily

Attachment: testlib.tar.gz added


comment:1 Changed 12 months ago by teor

Milestone: Tor: 0.3.5.x-final
Status: new → needs_review

Putting this feature in 0.3.5 for review.

comment:2 Changed 12 months ago by debily

Summary: A demo for a fuzzing system that works for Rust through C code → A proposal and demo for a fuzzing system that works with Rust through C code

comment:3 Changed 12 months ago by chelseakomlo

Cc: chelseakomlo added

comment:4 Changed 12 months ago by isis

Cc: isis added

This probably won't fix #25386, but it is a pretty good start on #24265. What we really need eventually is a way for the same random fuzzer input to be sent to both a C function and a Rust function, both of which are supposed to behave identically (e.g. the parsers in src/or/protover.c and src/rust/protover/protover.rs).

comment:5 in reply to: 4 Changed 12 months ago by debily

Replying to isis:

This probably won't fix #25386, but it is a pretty good start on #24265. What we really need eventually is a way for the same random fuzzer input to be sent to both a C function and a Rust function, both of which are supposed to behave identically (e.g. the parsers in src/or/protover.c and src/rust/protover/protover.rs).

Well, I could do a JSON dump of structures and compare them, though one can never be sure of the correctness of the JSON libraries used.

comment:6 Changed 12 months ago by dgoulet

Reviewer: nickm

comment:7 Changed 11 months ago by nickm

Status: needs_review → needs_revision

Setting as needs_revision per isis's comment above. This is a decent example of Rust fuzzing, but what we need is a feature to run the C and the Rust in parallel, and compare their outputs. In many cases, the outputs will be strings, lists of strings, booleans, or some similar data structure, so the comparison shouldn't be too hard. For us to get the benefit of trace-aware fuzzing, we really need both of the implementations to run in the same process.

Additionally, it would be much more useful if this fuzzing could be done through the infrastructure currently in the src/test/fuzz directory: that way, we could run this fuzzing not only with AFL, but also with LLVM's libFuzzer, with Google's OSS-Fuzz, and whatever else we wind up having in the future.
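Added example (not code from this ticket or from Tor) of the in-process differential harness that comments 4 and 7 ask for: one fuzzer input goes to a C-ABI function and to a Rust function that should agree, their boolean answers are normalised and compared, and a cargo-afl or libFuzzer target would panic on a mismatch so the fuzzer records it. The C side here is a stand-in written in Rust with a C ABI (an assumption, as are the names c_entry_is_valid and rust_entry_is_valid); a real harness links the Tor C function and declares it in an extern "C" block instead.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::{c_char, c_int};

/// Stand-in for the C side (assumption: a real harness links Tor's C function
/// and declares it in an `extern "C"` block instead). Accepts one "Name=N"
/// entry with an ASCII-alphanumeric name and a decimal version; 1 = valid.
pub extern "C" fn c_entry_is_valid(s: *const c_char) -> c_int {
    // SAFETY: the harness only ever passes a NUL-terminated CString pointer.
    let bytes = unsafe { CStr::from_ptr(s) }.to_bytes();
    let eq = match bytes.iter().position(|&b| b == b'=') {
        Some(i) => i,
        None => return 0,
    };
    let (name, ver) = (&bytes[..eq], &bytes[eq + 1..]);
    let ok = !name.is_empty()
        && name.iter().all(u8::is_ascii_alphanumeric)
        && !ver.is_empty()
        && ver.iter().all(u8::is_ascii_digit);
    ok as c_int
}

/// The Rust side of the same check, written against &str rather than bytes.
pub fn rust_entry_is_valid(s: &str) -> bool {
    match s.split_once('=') {
        Some((name, ver)) => {
            !name.is_empty()
                && name.chars().all(|c| c.is_ascii_alphanumeric())
                && !ver.is_empty()
                && ver.chars().all(|c| c.is_ascii_digit())
        }
        None => false,
    }
}

/// Result of one differential run; the fuzz target panics only on Mismatch.
#[derive(Debug, PartialEq)]
pub enum Outcome { Agree(bool), Mismatch { c: bool, rust: bool }, Skipped }

/// Feed one fuzzer input to both sides in-process and compare the answers.
pub fn differential_check(input: &[u8]) -> Outcome {
    // The C side needs NUL termination with no interior NUL; the Rust side
    // needs valid UTF-8. Inputs one side cannot take are skipped, not failed.
    let (cstr, text) = match (CString::new(input), std::str::from_utf8(input)) {
        (Ok(c), Ok(t)) => (c, t),
        _ => return Outcome::Skipped,
    };
    let c = c_entry_is_valid(cstr.as_ptr()) != 0;
    let rust = rust_entry_is_valid(text);
    if c == rust { Outcome::Agree(c) } else { Outcome::Mismatch { c, rust } }
}
```

The skip path matters in practice: an interior NUL or invalid UTF-8 is something only one side can even receive, so treating it as a disagreement would flood the fuzzer with false crashes.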

comment:8 Changed 10 months ago by nickm

Keywords: 035-removed-20180711 added
Milestone: Tor: 0.3.5.x-final → Tor: unspecified

Removing needs_revision tickets from 0.3.5 that seem to be stalled. Please move back if they are under active revision or discussion.

comment:9 Changed 9 months ago by teor

Parent ID: #25386 → #24265