Research area: Analysis
Conference: CSET '24: Proceedings of the 17th Cyber Security Experimentation and Test Workshop
The dynamic nature of cybersecurity threats necessitates the development of advanced tools capable of identifying vulnerabilities in software applications. Fuzz testing is a core method for cybersecurity research and practice because it exemplifies the scientific pursuit for proactive and secure computing environments through its emphasis on systematic experimentation and analysis. Ruby is a dynamic language used to build some of the leading websites and software applications. This paper presents Ruzzy, a coverage-guided fuzzer for Ruby, inspired by Google’s Atheris and developed to address the lack of a modern fuzzing tool within the Ruby community. By integrating with the libFuzzer ecosystem and providing support for both pure Ruby code and Ruby C extensions, Ruzzy represents a significant advancement in automated security testing for Ruby applications. We describe the motivations behind Ruzzy’s creation, its architecture, and its potential impact on improving the security posture of Ruby-based software.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Country of publication | United States |
| Site | ACM |