File: [NetBSD Developer Wiki] / wikisrc / users / kamil / proposals.mdwn
Revision 1.3, Sun Jul 29 19:27:00 2018 UTC, by kamil
Branches: MAIN; CVS tags: HEAD
Commit message: Try to tweak font size

Project proposals

Two kinds of tasks:

 - sanitization,
 - fuzzing.

And in particular sanitization in the context of:

 - MKSANITIZER (using the default runtime ported to NetBSD),
 - MKLIBCSANITIZER (a reimplementation of the runtime inside libc),
 - kernel (a reimplementation of the userland runtime, usually inspired by the counterpart in a different OS).

Fuzzing covers:

 - userland programs and libraries,
 - the kernel.

A typical project consists of:

 - work directly on the LLVM trunk version, unless the feature is already available in a stable release,
 - if needed, porting NetBSD support to LLVM and upstreaming it,
 - validation of the feature against the upstream test suite, and porting of those tests to NetBSD,
 - addition of ATF (the automated test framework in NetBSD) regression tests covering the new feature,
 - integration with MKSANITIZER/MKLIBCSANITIZER/kernel.

#### Port the LLVM DataFlow sanitizer to NetBSD (MKSANITIZER).

Not started and not researched.

#### Port Scudo to NetBSD (MKSANITIZER).

There is a draft port; however, the tests are written against the
GNU malloc(3) API (mallinfo). Porting or reimplementing the
tests for jemalloc(3) is needed. The feature might be fully
functional with local patches, but its status is unknown.

#### Port LLVM CFI to NetBSD (MKSANITIZER).

This project certainly needs commitment and tying all the
toolchain pieces together. It might require work on programs
such as ar(1), ld(1), and the dynamic ELF loader.

#### Port SafeStack to MKSANITIZER.

The port is done. All tests pass. It needs research and
integration as an MKSANITIZER option. It might work
out of the box, but this has not been tested or researched.

#### Research and reimplement safestack shared between MKLIBCSANITIZER and the kernel.

This has already been done in Fuchsia, a research OS from Google.
The feature must be C++-free, like micro-UBSan.

#### Port the LLVM cov, profile, xray, and sancov profiling to NetBSD.

Most of this already works, but investigation
of the failing tests is needed.

A quick comparison (as explained by an upstream developer):

##### cov

Did my test execute everything?

##### profile

Record optimizer-relevant details of what was executed.
Profile can have performance overhead where useful, as
long as it doesn't skew the profile or make it unusable.

##### xray

Record programmer-relevant details of what was
executed. Xray must have *absolute* minimal overhead
when *not* doing anything, but the ability to dynamically
enable this kind of tracing is necessary.

##### sancov

Record the degree to which possible paths/data are covered
by fuzz testing, in order to direct the fuzzer itself.

#### Research LLVM cov, profile and sancov in the NetBSD kernel. Compare them to KCOV on Linux and FreeBSD.

Port as much as possible to the NetBSD kernel.

#### Research LLVM XRay as a replacement of DTrace in the NetBSD kernel.

This is a tricky feature, as XRay makes userland assumptions.
Upstream is looking forward to this research and offers assistance.

#### Port the AFL Triforce kernel fuzzer to NetBSD.

A port to OpenBSD already exists. Port it and eliminate bugs.

#### Integration of rumpkernel (the NetBSD kernel) with userland tools.

Slice the NetBSD kernel into a library that runs in userland,
and integrate fuzzers with its subsystems (network
stack, syscall layer, SCSI stack, filesystems, etc.).

There is a research project in which rumpkernel has been
successfully fuzzed at the syscall layer with AFL. The layer
accepts input generated by the fuzzer via the standard input stream.
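The shape of such a stdin-driven syscall harness, as an added example that is not code from the research project or from NetBSD: the whole AFL test case is read from standard input, decoded as a stream of fixed-layout records (an assumed wire format; the real project's format is not described on this page), and dispatched one record at a time. Every length field is checked against the remaining input before it is used, so the harness itself cannot over-read and any crash it triggers belongs to the target. The target here is a simulated descriptor table (an assumption made so the example runs stand-alone); in a real harness `sim_open`, `sim_write` and `sim_close` would be replaced by calls into the rump kernel's syscall layer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated target (assumption, not rump): a tiny descriptor table that
 * stands in for the rump syscall layer. In a real harness these three
 * functions would be replaced by calls into the rump kernel. */
#define SIM_MAX_FDS 8

static int sim_used[SIM_MAX_FDS];

static void sim_reset(void)
{
    memset(sim_used, 0, sizeof sim_used);
}

static int sim_open(void)
{
    for (int i = 0; i < SIM_MAX_FDS; i++) {
        if (!sim_used[i]) {
            sim_used[i] = 1;
            return i;
        }
    }
    return -1;                       /* descriptor table exhausted */
}

static int sim_write(int fd, const uint8_t *buf, size_t len)
{
    (void)buf;                       /* payload content is irrelevant to the simulation */
    if (fd < 0 || fd >= SIM_MAX_FDS || !sim_used[fd])
        return -1;                   /* EBADF-like failure on a closed descriptor */
    return (int)len;
}

static int sim_close(int fd)
{
    if (fd < 0 || fd >= SIM_MAX_FDS || !sim_used[fd])
        return -1;
    sim_used[fd] = 0;
    return 0;
}

/* Wire format (assumption): a stream of records
 *   OP_OPEN
 *   OP_WRITE <fd: 1 byte> <len: 1 byte> <payload: len bytes>
 *   OP_CLOSE <fd: 1 byte>
 * Any other opcode byte is counted as rejected and decoding continues. */
enum { OP_OPEN = 0, OP_WRITE = 1, OP_CLOSE = 2 };

struct run_stats {
    unsigned executed;               /* records the target accepted */
    unsigned rejected;               /* malformed, truncated, or failed records */
};

/* Decode and dispatch one fuzzer-generated program. Each length is checked
 * against the remaining input before use, so the harness never over-reads. */
static struct run_stats run_program(const uint8_t *in, size_t n)
{
    struct run_stats st = { 0, 0 };
    size_t pos = 0;

    sim_reset();
    while (pos < n) {
        uint8_t op = in[pos++];
        switch (op) {
        case OP_OPEN:
            if (sim_open() >= 0) st.executed++; else st.rejected++;
            break;
        case OP_WRITE: {
            if (n - pos < 2) { st.rejected++; return st; }    /* truncated header */
            int fd = in[pos++];
            size_t len = in[pos++];
            if (len > n - pos) { st.rejected++; return st; }   /* truncated payload */
            if (sim_write(fd, in + pos, len) >= 0) st.executed++; else st.rejected++;
            pos += len;
            break;
        }
        case OP_CLOSE:
            if (n - pos < 1) { st.rejected++; return st; }    /* truncated record */
            if (sim_close((int)in[pos++]) == 0) st.executed++; else st.rejected++;
            break;
        default:
            st.rejected++;                                     /* unknown opcode */
            break;
        }
    }
    return st;
}

/* Constructed sample input: open, write 3 bytes, close, then write to the
 * now-closed descriptor, which the target must reject. */
static const uint8_t k_sample[] = {
    OP_OPEN,
    OP_WRITE, 0, 3, 'a', 'b', 'c',
    OP_CLOSE, 0,
    OP_WRITE, 0, 1, 'x',
};

static struct run_stats run_sample(void)
{
    return run_program(k_sample, sizeof k_sample);
}

/* AFL entry point: the whole test case arrives on stdin. */
int main(void)
{
    static uint8_t buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf, stdin);
    struct run_stats st = run_program(buf, n);
    printf("executed=%u rejected=%u\n", st.executed, st.rejected);
    return 0;
}
```

Run under AFL as `afl-fuzz -i seeds -o findings -- ./harness`, with a seed file holding bytes like `k_sample`; because the program is reset at the start of every run, each test case is reproducible in isolation, which is what makes a crashing input from the fuzzer directly replayable.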
