Introducing Ruzzy, a coverage-guided Ruby fuzzer

  • Introducing Ruzzy: Trail of Bits presents Ruzzy, a coverage-guided fuzzer for pure Ruby code and for Ruby C extensions. Fuzzing is an effective way to find bugs in software that handles untrusted input, and the Ruby community lacked a maintained tool for it, so they built Ruzzy, modeled on Google's Atheris (a Python fuzzer) and built on LLVM's libFuzzer.
  • Bringing fuzz testing to Ruby: Fuzzing is a dynamic testing method that surfaces security issues and bugs by feeding a program large numbers of generated inputs. Earlier Ruby fuzzers exist but have limitations, so Ruzzy was designed around a few principles: fuzz both pure Ruby and C extensions, be easy to install and use through RubyGems, and integrate with libFuzzer rather than reimplementing a fuzzing engine.
  • Installing and running Ruzzy: Ruzzy requires a Linux environment and a recent Clang release, since libFuzzer's instrumentation and sanitizer support live in Clang. On macOS or Windows, Docker Desktop can provide that environment. Install Ruzzy from RubyGems with a handful of environment variables set so that the gem's native code is built with Clang instead of the default system compiler.
  • Fuzzing Ruby C extensions: Ruzzy ships a "dummy" C extension containing a heap-use-after-free bug as a smoke test. Set the sanitizer options (ASAN_OPTIONS), start the fuzzer with the AddressSanitizer runtime loaded through LD_PRELOAD (the Ruby interpreter itself is not built with ASan, so the runtime has to be preloaded), and the dummy target produces crash reports within seconds.
  • Fuzzing pure Ruby code: Fuzzing pure Ruby requires two scripts: a tracer script that initializes the fuzzer and enables coverage tracking, and a harness script that contains the fuzzing target. Ruzzy reports Ruby-level coverage to libFuzzer, which then applies its usual coverage-guided mutation to search for inputs that raise uncaught exceptions.
  • Interesting implementation details:

    • Creating a Ruby fuzzing harness: Either Ruby-FFI or a Ruby C extension can bridge Ruby code and the libFuzzer C/C++ implementation. The harness is a Ruby Proc; it is handed to the C side and invoked from libFuzzer's test-one-input callback with rb_proc_call, which is how a Ruby callable stands in for a C function pointer.
    • Compiling Ruby C extensions with libFuzzer: Ruby's mkmf module drives C extension builds, so fuzzing flags can be injected at installation time through environment variables. Since every C extension ships an extconf.rb, searching GitHub for those files is a quick way to find candidate fuzzing targets.
    • Adding coverage support for pure Ruby code: Ruzzy combines the Ruby Coverage module with Ruby event hooking (TracePoint) to obtain coverage for pure Ruby code: it registers hooks for the (private) coverage events and calls Coverage.setup(branches: true) before fuzzing so that branch events fire.
  • Find more Ruby bugs with Ruzzy: Building the tool is only the start. Use it to find bugs, contribute findings to the project's trophy case, read the other fuzzing posts, and contact Trail of Bits for custom fuzzing work.
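As an added illustration of the pure-Ruby approach summarized above (a harness Proc plus coverage gathered through Ruby event hooking), here is a self-contained toy coverage-guided fuzzer written for this page. It is not Ruzzy's code and does not use Ruzzy or libFuzzer; parse_record, its IndexError bug and the mutation strategy are constructed for the example. It uses TracePoint :line events as the coverage signal in place of Ruzzy's Coverage-module hooks, keeps only inputs that execute a line no earlier input reached, and shows why the guidance matters: reaching the bug needs two specific magic bytes that blind random mutation almost never produces together.

```ruby
require 'set'

# Code under test, constructed for this example: a tiny record parser with a
# deliberate bug. Records are "RZ" + one length byte + payload. The parser
# trusts the declared length, so a length larger than the payload raises
# IndexError, the pure-Ruby equivalent of a crash.
def parse_record(data)
  return :too_short if data.bytesize < 4
  return :bad_magic unless data.getbyte(0) == 0x52 # 'R'
  return :bad_magic unless data.getbyte(1) == 0x5A # 'Z'
  len = data.getbyte(2)
  payload = data.byteslice(3, data.bytesize)
  payload.bytes.fetch(len - 1) # bug: no bounds check against payload size
  :ok
end

# Fuzzing harness in the libFuzzer "test one input" shape: a Proc that takes
# raw bytes and exercises the target. Uncaught exceptions count as findings.
TEST_ONE_INPUT = lambda do |data|
  parse_record(data)
  0
end

# Run the harness once and record which lines of this file executed, using
# TracePoint :line events as the coverage signal. (Ruzzy hooks the Coverage
# module instead; this is the simplest stand-in that needs no native code.)
def run_with_coverage(harness, input)
  lines = Set.new
  crash = nil
  tracer = TracePoint.new(:line) { |tp| lines << tp.lineno if tp.path == __FILE__ }
  tracer.enable do
    begin
      harness.call(input)
    rescue StandardError => e
      crash = e
    end
  end
  [lines, crash]
end

# One random byte-level mutation: overwrite, insert or delete a byte.
def mutate(data, rng)
  bytes = data.bytes
  case rng.rand(3)
  when 0 then bytes[rng.rand(bytes.size)] = rng.rand(256) unless bytes.empty?
  when 1 then bytes.insert(rng.rand(bytes.size + 1), rng.rand(256))
  else bytes.delete_at(rng.rand(bytes.size)) unless bytes.empty?
  end
  bytes.pack('C*')
end

# Coverage-guided loop: mutate a corpus entry, keep the mutant only if it
# executed a line no earlier input reached, and stop at the first exception.
# Returns nil if the iteration budget runs out without a finding.
def fuzz(harness, max_iters: 100_000, seed: 1)
  rng = Random.new(seed)
  corpus = [''.b, 'AAAA'.b] # constructed seed inputs
  covered = Set.new
  corpus.each { |input| covered.merge(run_with_coverage(harness, input)[0]) }
  max_iters.times do |i|
    candidate = mutate(corpus[rng.rand(corpus.size)], rng)
    lines, crash = run_with_coverage(harness, candidate)
    if crash
      return { input: candidate, error: crash, iterations: i + 1, corpus_size: corpus.size }
    end
    next if lines.subset?(covered) # nothing new, discard
    covered.merge(lines)
    corpus << candidate # new coverage: keep as a base for further mutation
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  result = fuzz(TEST_ONE_INPUT)
  if result
    puts "crash after #{result[:iterations]} iterations: #{result[:error].class} " \
         "input=#{result[:input].unpack1('H*')}"
  else
    puts 'no crash found within budget'
  end
end
```

The corpus only ever grows when a mutant reaches a new line, so the first byte 'R' is found and kept first, and the second byte 'Z' is then searched for from that saved input; without the coverage feedback both bytes would have to be guessed in the same mutation, a roughly 1-in-65,000 event per attempt.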