Hi,

A quick intro for people who don't know Address Sanitizer (asan): it's a feature of gcc and clang that adds bounds checking to C (enabled with the -fsanitize=address command-line option), which will cause applications to crash and throw an error if an invalid memory access happens.
Very simple example:

    int a[2]={1, 1};
    int b=a[2];   /* out of bounds: a only has the indices 0 and 1 */

This is invalid because a[2] does not exist, but usually software will silently ignore such errors. Address Sanitizer catches them.

Address Sanitizer is supposed to be a debugging tool, because it slows things down quite a lot.

I've been playing with the idea of having a full system with almost everything built with Address Sanitizer for quite a while. Gentoo is obviously a good choice for such a system due to it being source-based and flexible.

By now I have a rudimentary system running in a chroot where everything except glibc, gcc and some deps of gcc is built with asan. I'll probably publish a stage tarball at some point. As asan has been around for a while, a lot of stuff is already fixed, so often it's merely a "take the newer version of package X and it works". But in the process of trying to run such a system I already reported a couple of bugs to the corresponding upstreams (e.g. recently in bash).

Why's that interesting? First of all it lets you find bugs. There may be corner cases, but right now I'm not aware of any situation where an error by Address Sanitizer happens in legit code. An out-of-bounds access or any other memory access error is always a bug.
So in an ideal world it should be possible to just recompile everything with asan and it runs. (You just need to consider the order of recompiling things: you can run asan-ized software with non-asan libs, but you cannot do it the other way round; non-asan software with asan libs breaks.)

Such a system could also be interesting as a high-security Linux variant not vulnerable to common buffer overflows and other memory errors. It is slower, but that may be acceptable. (However, it should be said that right now asan is incompatible with grsecurity, and probably people who want a highly secure Linux variant want grsecurity.)

For now I just wanted to announce that I'm working on this, so people who care can get in touch with me. I'll probably write a detailed blog post at some point.
Depending on how much interest there is, this may be something Gentoo wants to consider as an official project and publish official stage tarballs.

cu, Hanno
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@××××××.de
GPG: BBB51E42