Project name
Student: CostinCarabas (costincarabas@FreeBSD.org)
Mentor: AndrewTurner (andrew@freebsd.org)
Project description
Fuzzing has become a standard technique for finding vulnerabilities. The procedure has evolved to include instrumenting the source code so that the fuzzer can measure and improve its code coverage. Another set of tools that improves fuzzing is the sanitizers: compiler-inserted instrumentation that detects bugs at run time, at the point where the faulting access happens. There are several types of sanitizers: Address Sanitizer (ASan), Undefined Behavior Sanitizer (UBSan), Thread Sanitizer (TSan) and Memory Sanitizer (MSan). Each has a kernel-specific variant: KASAN, KUBSAN, KTSAN, KMSAN. Running a fuzzer against a sanitized kernel turns silent memory corruption into an immediate report, revealing more memory-safety bugs: buffer overflows and accesses through dangling pointers (KASAN), uses of uninitialised memory, which is how kernel memory gets disclosed to user space (KMSAN), and data races (KTSAN).
FreeBSD already includes support for kernel code coverage (KCOV) and the undefined behaviour sanitizer (KUBSAN); support for the other sanitizers is missing. These are useful for finding bugs while fuzzing the kernel.
The goal of this project is to port one or more of KASAN, KMSAN and KTSAN to the FreeBSD kernel, and then to use the ported sanitizers with a kernel fuzzer (syzkaller or triforce) to find more memory vulnerabilities.
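To make concrete what KASAN actually checks for the two bug classes named above, here is an added user-space model of its shadow-memory scheme. It is illustration code written for this page, not code from the FreeBSD port or the student's branch: one shadow byte covers eight bytes of a simulated heap, the allocator unpoisons exactly the bytes it hands out and leaves poisoned redzones around them, free() re-poisons the object, and every access consults the shadow first, as compiler-instrumented kernel code does. The heap size, redzone width and function names are assumptions of the model; the shadow encoding (0 = all eight bytes valid, 1..7 = only the first k valid, negative = poisoned) mirrors ASan/KASAN.

```c
/*
 * User-space model of the KASAN shadow-memory check (added illustration, not
 * FreeBSD code). Real KASAN maps every 8 bytes of kernel address space to one
 * shadow byte and has the compiler emit a shadow lookup before each load and
 * store; the kernel allocator poisons redzones around objects and poisons
 * freed objects. Here the same logic runs on a simulated heap.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE     4096                 /* size of the simulated heap (assumed) */
#define SHADOW_SCALE  3                    /* 2^3 = 8 heap bytes per shadow byte, as in KASAN */
#define GRANULE       (1u << SHADOW_SCALE)
#define REDZONE       16                   /* poisoned bytes after each object (assumed width) */

/* Shadow byte values: 0 = all 8 bytes addressable, 1..7 = only the first k bytes
 * addressable, negative = poisoned (the value records why, like ASan's magic bytes). */
#define SH_REDZONE  ((int8_t)-6)           /* ASan uses 0xFA for heap redzone */
#define SH_FREED    ((int8_t)-3)           /* ASan uses 0xFD for freed heap memory */

enum access_result { ACCESS_OK = 0, ACCESS_OOB = 1, ACCESS_UAF = 2 };

static uint8_t sim_heap[HEAP_SIZE];
static int8_t  sim_shadow[HEAP_SIZE / GRANULE];
static size_t  sim_brk;                    /* bump pointer: memory is never reused, which
                                              stands in for KASAN's free quarantine */

static size_t align_up(size_t x, size_t a) { return (x + a - 1) & ~(a - 1); }

/* Everything starts poisoned; the allocator unpoisons exactly what it hands out. */
void sim_reset(void)
{
    memset(sim_heap, 0, sizeof sim_heap);
    memset(sim_shadow, SH_REDZONE, sizeof sim_shadow);
    sim_brk = REDZONE;                     /* poisoned left redzone at offset 0 */
}

/* Allocate `size` bytes at a granule-aligned offset; returns (size_t)-1 when full. */
size_t sim_malloc(size_t size)
{
    size_t obj = sim_brk;
    size_t end = align_up(obj + size, GRANULE) + REDZONE;
    if (size == 0 || end > HEAP_SIZE)
        return (size_t)-1;
    /* Unpoison the object: full granules get 0; a trailing partial granule gets the
     * count of valid bytes, so an off-by-one inside that granule is still caught. */
    size_t g = obj >> SHADOW_SCALE;
    size_t full = size >> SHADOW_SCALE;
    memset(&sim_shadow[g], 0, full);
    if (size & (GRANULE - 1))
        sim_shadow[g + full] = (int8_t)(size & (GRANULE - 1));
    sim_brk = end;                          /* bytes up to `end` are already poisoned */
    return obj;
}

/* Free: poison the whole object (rounded up to granules) with the "freed" marker. */
void sim_free(size_t obj, size_t size)
{
    size_t g = obj >> SHADOW_SCALE;
    size_t n = align_up(size, GRANULE) >> SHADOW_SCALE;
    memset(&sim_shadow[g], SH_FREED, n);
}

/* The check the compiler instruments before every memory access: consult the
 * shadow byte for each byte touched and classify the first bad one. */
enum access_result sim_check(size_t off, size_t size)
{
    if (off >= HEAP_SIZE || size > HEAP_SIZE - off)
        return ACCESS_OOB;
    for (size_t a = off; a < off + size; a++) {
        int8_t s = sim_shadow[a >> SHADOW_SCALE];
        if (s == 0)
            continue;                       /* whole granule addressable */
        if (s < 0)
            return s == SH_FREED ? ACCESS_UAF : ACCESS_OOB;
        if ((a & (GRANULE - 1)) >= (size_t)s)
            return ACCESS_OOB;              /* past the valid prefix of a partial granule */
    }
    return ACCESS_OK;
}

/* A checked one-byte store, the shape of instrumented kernel code: check, then access. */
enum access_result sim_store8(size_t off, uint8_t value)
{
    enum access_result r = sim_check(off, 1);
    if (r == ACCESS_OK)
        sim_heap[off] = value;
    return r;
}

int main(void)
{
    static const char *names[] = { "ok", "out-of-bounds", "use-after-free" };
    sim_reset();
    size_t buf = sim_malloc(13);            /* 13 bytes: one full granule + 5 of the next */
    printf("buf[12] write: %s\n", names[sim_store8(buf + 12, 0x41)]);
    printf("buf[13] write: %s\n", names[sim_store8(buf + 13, 0x41)]);
    printf("buf[16] write: %s\n", names[sim_store8(buf + 16, 0x41)]);
    sim_free(buf, 13);
    printf("buf[0] after free: %s\n", names[sim_store8(buf, 0x41)]);
    return 0;
}
```

The two things worth noticing are the partial-granule encoding, which is what lets KASAN flag a one-byte overrun of a 13-byte object even though the shadow resolution is 8 bytes, and the fact that detection depends entirely on freed memory staying poisoned until the access happens; the real implementation needs a quarantine for that, which this bump allocator sidesteps by never reusing memory.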
Deliverables
Port one or more of KASAN, KMSAN, and KTSAN to work in the FreeBSD kernel.
Use the ported sanitizers with fuzzers (syzkaller or triforce) in order to find more memory vulnerabilities.
The Code
https://github.com/CostinCarabas/freebsd/commits/kasan_amd64
Work Done
- Ported KASAN to amd64 based on Andrew's work on arm64 and on OpenBSD.
TODO
- Currently testing whether KASAN detects use-after-free and buffer overflow bugs.
- Create a pull request to merge the code into master.
- Unify the code with Andrew's arm64 version.
- Run a fuzzer against a KASAN-enabled kernel.
LONG TERM
- Continue porting other sanitizers