Annotation of wikisrc/users/maya.mdwn, revision 1.2

# Tips for using analyzers on NetBSD #

## Address Sanitizer (+UBsan) (preliminary) ##

ASan reports memory violations, and detects many off-by-ones. It seems
to produce very high quality reports.

Only the resulting binary needs to be compiled with it[1]. It cannot be
used for static objects, so building requires some fiddling with makefiles
to disable those.

I've been running it on the NetBSD tests in the following manner[2]:

    cd /usr/src/tests/lib/libc
    env USETOOLS=never MK_SSP=no HAVE_SSP=no CFLAGS="-fno-omit-frame-pointer -O0 -g -ggdb -U_FORTIFY_SOURCE -fsanitize=address -fsanitize=undefined" LDFLAGS="-lasan -lubsan" make -j20

    env ASAN_OPTIONS=alloc_dealloc_mismatch=0 LD_PRELOAD="/usr/lib/libasan.so /usr/lib/libubsan.so" atf-run # [4]

    sysctl -w security.pax.aslr.enabled=0 # [3]

1. This seems to be a cause of worse reports, as in-library functions
are not intercepted.

2. Not even close to canonical commands; should probably be improved.

3. To work around "Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly". An alternative is to LD_PRELOAD and LD_LIBRARY_PATH an entirely separate libc, ld.elf_so, etc.

4. ASAN_OPTIONS=alloc_dealloc_mismatch=0 is there because atf-run itself
triggers a bug. Someone should have a look at it so this check doesn't
need to be disabled.

Important note: ASan should not be run on production systems. [It can pose a
security risk](http://www.openwall.com/lists/oss-security/2016/02/17/9).

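As an added example (not code from this wiki page or from the NetBSD tree), here is the kind of heap off-by-one ASan catches, beside its fix; build it with the CFLAGS above and call `dup_prefix_buggy` to see the report. The function names and the sample input are constructed for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* strlen(src) capped at n; avoids strnlen() so this is plain C99. */
static size_t capped_len(const char *src, size_t n)
{
    const char *nul = memchr(src, '\0', n);
    return nul != NULL ? (size_t)(nul - src) : n;
}

/* Buggy: room for the characters but not for the terminator, so the
 * '\0' always lands one byte past the end of the heap block. Plain
 * runs rarely notice (malloc usually rounds the request up); built with
 * the flags above, ASan aborts with a report along the lines of
 * "heap-buffer-overflow ... WRITE of size 1 ... 0 bytes to the right of
 * 6-byte region", plus the stacks of the write and of the allocation. */
char *dup_prefix_buggy(const char *src, size_t n)
{
    size_t len = capped_len(src, n);
    char *dst = malloc(len);          /* off by one: no room for '\0' */
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, len);
    dst[len] = '\0';                  /* the out-of-bounds write */
    return dst;
}

/* Fixed: len + 1 bytes, so the terminator is inside the allocation. */
char *dup_prefix_fixed(const char *src, size_t n)
{
    size_t len = capped_len(src, n);
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst;
}

/* 1 if the fixed copy of src capped at n equals expect, else 0. */
int check_fixed(const char *src, size_t n, const char *expect)
{
    char *p = dup_prefix_fixed(src, n);
    int ok = p != NULL && strcmp(p, expect) == 0;
    free(p);
    return ok;
}
```

Calling `dup_prefix_buggy("netbsd", 6)` from a main() built without sanitizers will typically print the right string and exit cleanly, which is exactly why the page's ASan build is worth the makefile fiddling.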
## Coverity ##

Coverity is a static analyzer.

You can see a part of its output in coverity-updates@, and a lot more
if you go to the website (sign up with your NetBSD email or poke someone
for access).

A lot of the reports are about strncpy/strcpy or are in code that belongs
to GCC (in the case of userland); you can tackle this by limiting
results to a particular directory (click the folder icon). You can
also sort by issue.

Some suggestions for things to focus on, as there are many defects
reported:

- Setuid programs
- Anything kernel
- Stuff that runs as root
- Library or other code you know well already
- Drivers for hardware you actually own and can test

Future ideas:

- GCC could be told to add ASan flags for all shared objects, making it easier to build world with those flags.
- We could run all of NetBSD with ASan for some real world tests.
- ASan for kernel? (subr_kmem.c has some flags which do some of the work; could it do more?)
- Fuzzers are cool.
