public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Creating a Gentoo built with Address Sanitizer
@ 2015-07-02 13:12 Hanno Böck
  2015-07-02 13:19 ` Kristian Fiskerstrand
  2015-07-02 13:29 ` Anthony G. Basile
  0 siblings, 2 replies; 3+ messages in thread
From: Hanno Böck @ 2015-07-02 13:12 UTC
  To: gentoo-dev

Hi,

A quick intro for people who don't know address sanitizer (asan): It's a
feature of gcc and clang adding bounds-checking to c (enabled with
-fsanitize=address command line), which will cause applications to crash
and throw an error if an invalid memory access happens.
Very simple example:
int a[2]={1, 1};
int b=a[2];

This is invalid because a[2] does not exist, but usually software will
silently ignore such errors. Address Sanitizer catches them.

Address Sanitizer is supposed to be a debugging tool, because it slows
down things quite a lot.

I've been playing with the idea of having a full system with almost
everything built with address sanitizer for quite a while. Gentoo is
obviously a good choice for such a system due to it being source based
and flexible.

I by now have a rudimentary system running in a chroot where everything
except glibc, gcc and some deps of gcc is built with asan. I'll probably
publish a stage tarball at some point. As asan has been around for a
while a lot of stuff is already fixed, so often it's merely a "take the
newer version of package X and it works". But in the process of trying
to run such a system I already reported a couple of bugs to the
corresponding upstreams (e.g. recently in bash).


Why's that interesting? First of all it lets you find bugs. There may
be corner cases, but I'm right now not aware of any situation where an
error by address sanitizer happens in legit code. An out of bounds
access or other memory access errors are always a bug.
So in an ideal world it should be possible to just recompile
everything with asan and it runs. (You just need to consider the order
of recompiling things - you can run an asan-ized software with
non-asan-libs, but you cannot do it the other way round: non-asan
software with asan-libs break.)

Such a system could also be interesting as a high security linux
variant not vulnerable to common buffer overflows and other memory
errors. It is slower, but that may be acceptable. (However it should be
said that right now asan is incompatible with grsecurity - and probably
people who want a high secure linux variant want grsecurity.)

For now I just wanted to announce that I'm working on this, so people
who care can get in touch with me. I'll probably write a detailed blog
post at some point.
Depending on how much interest there is this may be something Gentoo
wants to consider as an official project and publish official stage
tarballs.

cu, Hanno
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
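The out-of-bounds read from the mail above in runnable form, next to a bounds-checked accessor, as an added example (not code from Hanno's post). The deliberately wrong read is compiled in only with -DDEMO_ASAN_BUG so the program is well-defined by default; the macro name and the helper functions are choices made for this example.

```c
/* Added example: the post's a[2] read, guarded behind DEMO_ASAN_BUG, next to a
 * bounds-checked read.  Build to see ASan catch the bug:
 *   gcc -fsanitize=address -g -DDEMO_ASAN_BUG example.c && ./a.out
 * Build without -DDEMO_ASAN_BUG to run only the checked path. */
#include <stddef.h>
#include <stdio.h>

/* Compile-time detection of ASan: gcc defines __SANITIZE_ADDRESS__,
 * clang answers __has_feature(address_sanitizer). */
#if defined(__SANITIZE_ADDRESS__)
#  define BUILT_WITH_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define BUILT_WITH_ASAN 1
#  endif
#endif
#ifndef BUILT_WITH_ASAN
#  define BUILT_WITH_ASAN 0
#endif

int built_with_asan(void) { return BUILT_WITH_ASAN; }

/* Bounds-checked read: 0 and the element on success, -1 when idx is outside
 * [0, len).  Without ASan an unchecked a[idx] would silently return whatever
 * memory sits after the array. */
int checked_read(const int *a, size_t len, size_t idx, int *out) {
    if (idx >= len) return -1;
    *out = a[idx];
    return 0;
}

/* Convenience wrapper: the element, or fallback when idx is out of range. */
int read_or(const int *a, size_t len, size_t idx, int fallback) {
    int v;
    return checked_read(a, len, idx, &v) == 0 ? v : fallback;
}

/* Constructed sample array, the same two-element array as in the post. */
static const int demo_a[2] = {1, 1};

#ifdef DEMO_ASAN_BUG
/* The post's example: a[2] does not exist.  Deliberately wrong; ASan reports
 * a stack-buffer-overflow here.  volatile stops the index being folded away
 * and noinline keeps the access in this frame. */
__attribute__((noinline)) int unchecked_read_past_end(void) {
    int a[2] = {1, 1};
    volatile size_t idx = 2;
    return a[idx];
}
#endif

int main(void) {
    printf("built with asan: %d\n", built_with_asan());
    printf("checked read of index 2 -> %d\n", read_or(demo_a, 2, 2, -1));  /* -1 */
    printf("checked read of index 1 -> %d\n", read_or(demo_a, 2, 1, -1));  /* 1 */
#ifdef DEMO_ASAN_BUG
    printf("%d\n", unchecked_read_past_end());  /* ASan aborts before this prints */
#endif
    return 0;
}
```

With -fsanitize=address and -DDEMO_ASAN_BUG the run ends in ASan's ERROR report before the last printf; without the sanitizer the same binary prints a garbage value, which is the "silently ignore" behaviour the mail refers to.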



* Re: [gentoo-dev] Creating a Gentoo built with Address Sanitizer
  2015-07-02 13:12 [gentoo-dev] Creating a Gentoo built with Address Sanitizer Hanno Böck
@ 2015-07-02 13:19 ` Kristian Fiskerstrand
  2015-07-02 13:29 ` Anthony G. Basile
  1 sibling, 0 replies; 3+ messages in thread
From: Kristian Fiskerstrand @ 2015-07-02 13:19 UTC
  To: gentoo-dev

On 07/02/2015 03:12 PM, Hanno Böck wrote:
> Hi,
> 

Hi Hanno, this sounds great!
..

> 
> For now I just wanted to announce that I'm working on this, so
> people who care can get in touch with me. I'll probably write a
> detailed blog post at some point. Depending on how much interest
> there is this may be something Gentoo wants to consider as an
> official project and publish official stage tarballs.

This might be something that can be interesting for the Auditing
subproject of Security as well

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-dev] Creating a Gentoo built with Address Sanitizer
  2015-07-02 13:12 [gentoo-dev] Creating a Gentoo built with Address Sanitizer Hanno Böck
  2015-07-02 13:19 ` Kristian Fiskerstrand
@ 2015-07-02 13:29 ` Anthony G. Basile
  1 sibling, 0 replies; 3+ messages in thread
From: Anthony G. Basile @ 2015-07-02 13:29 UTC
  To: gentoo-dev

On 7/2/15 9:12 AM, Hanno Böck wrote:
> Hi,
>
>
> Such a system could also be interesting as a high security linux
> variant not vulnerable to common buffer overflows and other memory
> errors. It is slower, but that may be acceptable. (However it should be
> said that right now asan is incompatible with grsecurity - and probably
> people who want a high secure linux variant want grsecurity.)

It's actually PaX that is incompatible with -fsanitize=address because of 
the shadowing of the address space, so you can still use grsec and the 
other protections it provides like hardening of chroots or rbac.  Just 
turn off PaX when configuring the kernel. (Note: pax should be okay with 
-fsanitize=thread but I haven't tested).  I think this is a cool 
project, but I'm more interested in asan's debugging abilities than a 
run time tool to stop memory abuses.  I like pax's approach where the 
*kernel* simply doesn't allow certain memory uses, e.g., pages are 
allocated either read+write or read+execute but never write+execute.

I'd like to play with an amd64 stage3 and see how asan gets along 
with the hardened toolchain and hardened kernel.

>
> For now I just wanted to announce that I'm working on this, so people
> who care can get in touch with me. I'll probably write a detailed blog
> post at some point.
> Depending on how much interest there is this may be something Gentoo
> wants to consider as an official project and publish official stage
> tarballs.
>
> cu, Hanno


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
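A small probe for the kernel-side policy Anthony describes (pages are read+write or read+execute, never write+execute), added here as an example and not code from the thread. It asks the kernel for a writable and executable anonymous mapping, and separately tries to add PROT_EXEC to a writable one; a kernel enforcing that policy (PaX MPROTECT) refuses both, a stock kernel grants both. Linux-only; treating EPERM/EACCES as "refused by policy" is this example's assumption.

```c
/* Added example: does the running kernel allow write+execute memory?
 * 1 = allowed, 0 = refused by policy, -1 = the call failed for some
 * unrelated reason (e.g. a seccomp filter denying mmap altogether). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map errno of a refused mmap/mprotect to the three-valued answer.
 * Assumption for this example: a W^X refusal surfaces as EPERM or EACCES. */
static int classify_failure(int err) {
    return (err == EPERM || err == EACCES) ? 0 : -1;
}

/* Direct request for an RWX anonymous mapping. */
int rwx_mapping_allowed(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return classify_failure(errno);
    munmap(p, len);
    return 1;
}

/* The mprotect path: start with a plain RW mapping, then try to add exec.
 * This is the transition a W^X policy must also refuse. */
int mprotect_to_rwx_allowed(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC);
    int saved = errno;
    munmap(p, len);
    return rc == 0 ? 1 : classify_failure(saved);
}

static const char *describe(int r) {
    return r == 1 ? "allowed" : r == 0 ? "refused by policy" : "call failed";
}

int main(void) {
    printf("mmap(RWX):              %s\n", describe(rwx_mapping_allowed()));
    printf("mprotect(RW -> RWX):    %s\n", describe(mprotect_to_rwx_allowed()));
    return 0;
}
```

On a stock kernel both lines read "allowed"; on a PaX kernel with MPROTECT enabled both should read "refused by policy", which is also why an ASan runtime, with its large shadow mapping, and PaX do not coexist as the mail says.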



