Projects proposal

Two kinds of tasks:

And in particular sanitization in the context of:

Fuzzing covers:

A typical project consist of:

Port the LLVM DataFlow sanitizer to NetBSD (MKSANITIZER).

Not started and not researched.

Port Scudo to NetBSD (MKSANITIZER).

There is a draft port, however tests are designed against the GNU malloc(3) API (mallinfo). Porting or reimplementing the tests for jemalloc(3) is needed. The feature might be fully functional with local patches, but its status is unknown.

Port LLVM CFI to NetBSD (MKSANITIZER).

This project certainly needs commitment and connection of all the toolchain pieces together. It might require work on programs like ar(1), ld(1), and dynamic ELF loader.

Port SafeStack to MKSANITIZER.

The port is done. All tests pass. It needs research and integration as the MKSANITIZER option. It might work out of the box, but it's not tested and not researched.

Research and reimplement safestack shared between MKLIBCSANITIZER and the kernel.

Already done by Fuchsia, a research OS from Google. The feature must be C++ free, similar to micro-UBSan.

Port the LLVM cov, profile, xray, and sancov profiling to NetBSD.

Most of this already works, but investigation of the failing tests is needed.

A quick comparison (as explained by an upstream developer):

cov

Did my test execute everything?

profile

Record optimizer-relevant details of what was executed. Profile can have performance overhead where useful, as long as it doesn't skew the profile or make it unusable.

xray

Record programmer-relevant details of what was executed. Xray must have absolute minimal overhead when not doing anything, but ability dynamically to enable this kind of tracing is necessary.

sancov

Record the degree to which possible paths/data are covered by fuzz testing, in order to direct the fuzzer itself.

Research LLVM cov, profile and sancov in the NetBSD kernel. Compare it to Linux and FreeBSD KCOV.

Port as much as possible to the NetBSD kernel.

Research LLVM XRay as a replacement of DTrace in the NetBSD kernel.

This is a tricky feature with userland assumptions. Upstream is looking forward to this research and offers assistance.

Port AFL Triforce kernel fuzzer to NetBSD.

A port to OpenBSD already exists. Port and eliminate bugs.

Integration of rumpkernel (the NetBSD kernel) with userland tools.

Slice the NetBSD kernel in userland as a library, and integrate fuzzers with the subsystems (network stack, syscall layer, SCSI stack, filesystems, etc.).

There is a research project in which rumpkernel has been successfully fuzzed on the syscall layer with AFL. The layer accepts input generated by the fuzzer via standard input stream.

Add a comment