Annotation of wikisrc/users/maya.mdwn, revision 1.8
1.1 maya 1: # Tips for using analyzers on NetBSD #
2:
3: ## Address Sanitizer (+UBsan) (preliminary) ##
4:
1.3 maya 5: ASan reports memory violations, and detects many off-by-ones. It seems to produce very high quality reports.
1.1 maya 6:
1.3 maya 7: Only the resulting binary needs to be compiled with ASan[1]. It cannot compile static objects, so the makefiles need some fiddling to disable those.
1.1 maya 8:
9: I've been running it on NetBSD tests in the following manner[2]:
10:
11:     cd /usr/src/tests/lib/libc
12:     env USETOOLS=never MK_SSP=no HAVE_SSP=no CFLAGS="-fno-omit-frame-pointer -O0 -g -ggdb -U_FORTIFY_SOURCE -fsanitize=address -fsanitize=undefined" LDFLAGS="-lasan -lubsan" make -j20
13:
1.3 maya 14:     env ASAN_OPTIONS=alloc_dealloc_mismatch=0 LD_PRELOAD="/usr/lib/libasan.so /usr/lib/libubsan.so" atf-run # [3]
1.1 maya 15:
1.3 maya 16:     sysctl -w security.pax.aslr.enabled=0 # [4]
1.2 maya 17:
1.1 maya 18: 1. Seems like this is a cause of worse reports, as in-library functions
19: are not intercepted.
20:
21: 2. Not even close to canonical commands, should probably be improved.
22:
1.7 maya 23: 3. To work around "Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly". An alternative is to LD_PRELOAD and LD_LIBRARY_PATH an entirely separate libc, ld.elf_so, etc.
1.3 maya 24:
1.7 maya 25: 4. ASan can be wrong about which function is faulting, if we're talking about functions internal to the library. Running it on a separate file or in GDB can be helpful. Worth trying if the failure doesn't make sense.
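
A standalone reproducer of the kind note 4 suggests, showing an off-by-one that ASan reports. This is an added example, not code from the NetBSD tree; `repro.c`, `dup_buggy` and `dup_fixed` are hypothetical names and the input string is constructed.

```c
/* repro.c (hypothetical file name). Build with the flags used above:
 *   cc -fno-omit-frame-pointer -O0 -g -fsanitize=address \
 *      -fsanitize=undefined repro.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Off-by-one: the block holds strlen(s) bytes, but the loop also copies
 * the terminating NUL, so the last store lands one byte past the block.
 * The copy is an explicit loop so the faulting store is in instrumented
 * code in this file, not inside a libc function. ASan reports it as a
 * heap-buffer-overflow, WRITE of size 1. */
char *dup_buggy(const char *s)
{
    size_t n = strlen(s);
    char *p = malloc(n);                 /* BUG: no room for '\0' */
    if (p == NULL)
        return NULL;
    for (size_t i = 0; i <= n; i++)      /* writes n + 1 bytes */
        p[i] = s[i];
    return p;
}

/* Corrected form: size the allocation to include the terminator. */
char *dup_fixed(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    memcpy(p, s, n);
    return p;
}

int main(int argc, char **argv)
{
    const char *in = argc > 1 ? argv[1] : "netbsd";  /* constructed input */
    char *good = dup_fixed(in);
    char *bad = dup_buggy(in);   /* an ASan build stops here with a report */
    int rc = (good != NULL && bad != NULL) ? 0 : 1;
    if (rc == 0)
        printf("%s %s\n", good, bad);
    free(good);
    free(bad);
    return rc;
}
```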
1.1 maya 26:
1.6 maya 27: **Important note: ASan should not be run on production systems. [It can pose a security risk](http://www.openwall.com/lists/oss-security/2016/02/17/9).**
1.1 maya 28:
29: ## Coverity ##
30:
31: Coverity is a static analyzer.
32:
33: You can see a part of its output in coverity-updates@, and a lot more
34: if you go to the website (sign up with your NetBSD email or poke someone
35: for access).
36:
37: A lot of the reports are about strncpy/strcpy or in code that belongs
38: to GCC (in the case of userland). You can tackle this by limiting
39: results to a particular directory (click the folder icon). You can
40: also sort by issue.
41:
42: Some suggestions for things to focus on, as there are many defects
43: reported:
1.4 maya 44:
1.1 maya 45: - Setuid programs
46: - Anything kernel
47: - Stuff that runs as root
48: - Library or other code you know well already
49: - Drivers for hardware you actually own and can test
50:
1.5 maya 51: ## Future ideas: ##
1.1 maya 52:
1.2 maya 53: - GCC could be told to add ASan flags for all shared objects, making it easier to build world with those flags
1.1 maya 54: - We could run all of NetBSD with ASan for some real world tests.
1.2 maya 55: - ASan for kernel? (subr_kmem.c has some flags which do some of the work, could it do more?)
1.1 maya 56: - Fuzzers are cool.