that detects memory corruption bugs such as buffer overflows or use-after-free
- AddressSanitizer is based on compiler instrumentation and directly-mapped shadow memory
- AddressSanitizer is available for Clang and GCC
- Undefined behaviors are aborted
- On average, the instrumentation increases processing time by about 73% and memory usage by 340%
you want to run AFL [2]
- Undefined behaviors are aborted
- As an anti-exploitation measure, it isn't a valid option
- Maybe it even introduces new vulnerabilities

[1]: https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html
[2]: https://fuzzing-project.org/tutorial2.html
it starts in the Planning and Requirement phase
- Threat modeling happens in the Architecture and Design phase
- The test cases are defined before coding
- Coding phase
- Testing
- Release and Maintenance
step (Maybe FATE/ECO)
- There is no threat modeling
- There is (almost) no coding
- There is packaging
- There is building
- There are test case definitions
- There is testing
- There is release and maintenance
1. Enable ASAN globally in an OBS project without changing (almost) any package spec
2. Build the project
3. Check the failures, looking for possible security issues
4. Open an AUDIT bug for the security team
5. If confirmed, handle it as a security incident
6. Configure a Factory ISO with our ASAN repository
7. Run it with openQA
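As an added example (not from the slides and not an OBS tool), a POSIX shell helper for steps 3 and 4: it reads an OBS build log and summarises the AddressSanitizer reports by bug class, marking the memory-safety classes that should go to the security team as an AUDIT bug. The log lines are constructed and the list of AUDIT classes is an assumption of the example.

```shell
#!/bin/sh
# Added triage helper (not from the slides): summarise AddressSanitizer
# failures from OBS build logs so that "check the failures" (step 3) and
# "open an AUDIT bug" (step 4) are done the same way across a whole project.

# asan_summary: read a build log on stdin, print "<bug-class> <count>" for
# every "ERROR: AddressSanitizer: <class>" report line found.
# LeakSanitizer and other non-ASan runtime errors are deliberately skipped.
asan_summary() {
  grep -o 'ERROR: AddressSanitizer: [A-Za-z-]*' \
    | sed 's/^ERROR: AddressSanitizer: //' \
    | sort | uniq -c \
    | awk '{ print $2, $1 }'
}

# asan_needs_audit: exit 0 when the bug class is a memory-safety class that
# should be handed to the security team. This list is an assumption of the
# example, not a policy taken from the slides.
asan_needs_audit() {
  case "$1" in
    heap-buffer-overflow|stack-buffer-overflow|global-buffer-overflow|heap-use-after-free|stack-use-after-return|double-free|use-after-poison) return 0 ;;
    *) return 1 ;;
  esac
}

# asan_triage: read a build log on stdin, print one line per bug class with a
# verdict: AUDIT (file a security bug) or REVIEW (needs a human look first).
asan_triage() {
  asan_summary | while read -r class count; do
    if asan_needs_audit "$class"; then verdict=AUDIT; else verdict=REVIEW; fi
    printf '%s %s %s\n' "$verdict" "$class" "$count"
  done
}

# Constructed sample log in OBS build-log style (not a real package log).
SAMPLE_LOG=$(cat <<'EOF'
[  123s] ==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x0000004011d6
[  123s] READ of size 4 at 0x602000000014 thread T0
[  130s] ==1240==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000010 at pc 0x0000004012aa
[  140s] ==1250==ERROR: LeakSanitizer: detected memory leaks
[  150s] ==1260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000058 at pc 0x0000004011d6
[  160s] ==1270==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
EOF
)

printf '%s\n' "$SAMPLE_LOG" | asan_triage
```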
Set "-fsanitize=address" in optflags [1]
- Optflags exports compiler flags to the build. They will only have an effect when the spec file is using $RPM_OPT_FLAGS.
- Not all packages use it
- It doesn't set the LDFLAGS (maybe fixable with -Wl ...)

Reference: http://openbuildservice.org/help/manuals/obs-
in the project configuration, append -fsanitize=address to CFLAGS, LDFLAGS and CXXFLAGS
- It works, but not all packages call %configure
- Autotools is just one of many build tools (e.g. CMake, scons, etc.)
normally are not well written
- Memory usage is higher than normal
- configure scripts make bad assumptions (pthreads for example)
- Libtool
- custom memory allocators
configure script checks for pthread_create() and assumes -lpthread isn't needed
- it breaks all packages which need pthreads
- solution: always link against pthreads :)
own memory allocators
- ASAN is only able to detect problems with the malloc/free and new/delete allocators
- Workaround would be to try to configure the application to use the standard allocators
in production
- ASAN uses environment variables without checking for secure execution of setuid binaries
- It may introduce new vulnerabilities

ASAN_OPTIONS='suppressions="/foo root:passwdhash:12345:0::::: bar" log_path=foo' ./suid-binary
write into root-owned files
- before running it, create foo.{1,2,3,..PID_MAX_LIMIT} symlinks to /etc/shadow
- run it
- writes in /etc/shadow: AddressSanitizer: failed to read suppressions file '/foo root:passwdhash:12345:0::::: bar'
maybe just the setuid binaries or the packages which run as root?
- Test it with openQA
- Fix bugs with the gcc wrapper and toolchain
- Run the AFL fuzzer against the RPM with ASAN enabled
- Set services running on ASAN (nginx, apache, postfix, exim, etc.)
  - e.g. set up an ASAN-enabled postfix and pipe all my spam folder through this mail server
  - e.g. set up an ASAN-enabled apache and let it face the wild internet