ClusterFuzzLite, a system for organizing code fuzzing tests

Google recently announced, in a blog post, the ClusterFuzzLite project, which makes it possible to organize fuzzing tests of code so that potential vulnerabilities are detected early, while continuous integration systems are running.

At present, ClusterFuzz can be used to automate fuzz testing of pull requests in GitHub Actions, Google Cloud Build and Prow, but it is expected to become compatible with other CI systems in the future. The project is based on the ClusterFuzz platform, which was created to coordinate the work of fuzzing test clusters, and it is distributed under the Apache 2.0 license.

It should be noted that since Google launched the OSS-Fuzz service in 2016, more than 500 open source projects have been accepted into the continuous fuzzing program. As a result of the tests performed, more than 6,500 confirmed vulnerabilities have been eliminated and more than 21,000 bugs have been fixed.

About ClusterFuzzLite

ClusterFuzzLite continues the development of fuzzing test mechanisms by adding the ability to identify problems earlier, at the peer review stage of proposed changes. ClusterFuzzLite has already been introduced into the change review processes of the systemd and curl projects, where it has made it possible to identify bugs that were not detected by the static analyzers and linters used in the initial stage of verifying new code.

Today, we are excited to announce ClusterFuzzLite, a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed, improving the overall security of the software supply chain.
Since its launch in 2016, more than 500 critical open source projects have been integrated into Google's OSS-Fuzz program, resulting in the fixing of more than 6,500 vulnerabilities and 21,000 bugs. ClusterFuzzLite goes hand in hand with OSS-Fuzz, catching regression bugs much earlier in the development process.

ClusterFuzzLite supports the verification of projects in C, C++, Java (and other JVM-based languages), Go, Python, Rust, and Swift. Fuzzing tests are carried out using the LibFuzzer engine. The AddressSanitizer, MemorySanitizer and UBSan (UndefinedBehaviorSanitizer) tools can also be invoked to detect memory errors and anomalies.

Among its key features, ClusterFuzzLite highlights, for example, quick verification of proposed changes to find errors at the stage before the code is accepted, the downloading of reports on crash conditions, the ability to move on to more advanced fuzzing tests to identify deeper bugs that did not surface after the code change was verified, the generation of coverage reports to assess code coverage during testing, and a modular architecture that lets you choose the functionality you need.

Large projects, including systemd and curl, are using ClusterFuzzLite during code review, with positive results. According to Daniel Stenberg, author of curl, "When the human reviewers nod and have approved the code and your static code analyzers and linters can't detect any more problems, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit."

We should remember that fuzz testing generates a stream of all kinds of random combinations of input data that are close to real data (e.g. html pages with random tag parameters, files or images with abnormal headers, etc.) and captures the failures that may occur in the process.

If any sequence fails or does not match the expected response, this behavior most likely indicates a bug or a vulnerability.
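To make the mechanism concrete, here is an added example (not code from the original post or from the ClusterFuzzLite project) of the kind of fuzz target the LibFuzzer engine drives, applied to input with an abnormal header. The record format, `struct record`, `parse_record` and `REC_NAME_MAX` are constructed for illustration; `LLVMFuzzerTestOneInput` is libFuzzer's standard entry point.

```c
/* Added example: libFuzzer fuzz target for a constructed record format.
 * Fuzz build with clang: clang -g -fsanitize=fuzzer,address,undefined target.c */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REC_NAME_MAX 16

struct record {
    uint8_t name_len;
    char name[REC_NAME_MAX + 1];
};

/* Constructed format: magic "RC" | 1-byte declared name length | name bytes.
 * Returns 0 on success, -1 on malformed input. */
int parse_record(const uint8_t *data, size_t size, struct record *out)
{
    if (size < 3 || data[0] != 'R' || data[1] != 'C')
        return -1;
    uint8_t declared = data[2];
    /* The declared length comes from the input. Without this check the
     * memcpy below writes past out->name, which AddressSanitizer reports. */
    if (declared > REC_NAME_MAX)
        return -1;
    /* Without this check the memcpy reads past the end of the input. */
    if ((size_t)declared > size - 3)
        return -1;
    memcpy(out->name, data + 3, declared);
    out->name[declared] = '\0';
    out->name_len = declared;
    return 0;
}

/* libFuzzer calls this once for every input it generates. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct record r;
    if (parse_record(data, size, &r) == 0) {
        /* A broken invariant must crash so the fuzzer saves the input
         * as a reproducer, even when no sanitizer fires. */
        if (r.name_len > REC_NAME_MAX || r.name[r.name_len] != '\0')
            __builtin_trap();
    }
    return 0;
}
```

Removing either length check and running the fuzz build gives the failure mode the sanitizers are there to catch: a header that declares more bytes than the buffer or the input holds.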

Finally, if you are interested in learning more about it, you can find the details at the following link.

