Hi,
I am a French last year student in internship with a researcher from the
Portsmouth university (UK). We began to work on memory security by looking
at a research publication which make reference to AddressSanitizer. I had a
first hand with the tool following your github documentation. Playing a bit
more with it I found it was possible to make access to unexpected memory
without triggering Asan (I attached a small C file with comments). Finding
it too easy I finally think I saw on the internet that it was known and
won't be changed (I am sorry I don't remember the source and don't find it
anymore, that why I can't really say I saw it).
My internship master and I agreed it could be interessant to look a little
bit deeper on the mechanism and before to jump into AddressSanitizer.cpp I
prefered to look at a smaller llvm pass: BoundsChecking.cpp (same folder).
Is it a part of the Asan project? Because of what I understood:
- it is a Function Pass retrieving a list of each instruction
- instrumenting load, store, atomic cmpxchg, atomic rwm
- instrumentation is on run-time
- instrumentation checks the pointer size, offset and size to be
stored/loaded
- make a trap if access is out of pointer bounds
Shouldn't it detect the obvious overflow made on the C file I attached?
Thank you very much for your time and consideration. I am sorry if my
question is irrelevant, I'm just trying to take hands on the project so far.
Pierre Gagelin
--
You received this message because you are subscribed to the Google Groups
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
#include <stdlib.h>
#include <stdio.h>
int heapOutOfBounds (int argc, char ** argv) {
int * buffer = (int *)malloc(10 * sizeof(int));
buffer[0] = 0;
int i;
scanf("%d", &i);
int res = buffer[9 + i];
free(buffer);
return res;
}
int stackOutOfBounds (int argc, char ** argv) {
int buffer[10] = {0};
buffer[0] = 1;
int i;
scanf("%d", &i);
return buffer[9 + i];
}
// to run a test, uncomment the one you want
int main (int argc, char ** argv) {
// HEAP-OUT-OF-BOUNDS
// On a 32bit Kali 2.0 OS:
// try "1" and "1234567". The first should trigger ASAN and not the second
// it seems that there is a limit between 250000 and 300000 that triggers
// a SIGSEGV. So 3 categories of numbers are dsitinguishable:
// - those inferior to the limit: triggers Asan
// - those supperior to 1234567: triggers nothing
// - those inbetween: triggers sigsegv
// On a 64bit Kali 2.0 OS:
// results are the same but the number involved are different from the
// ones in the 32bit architecture:
// - 1234567 <- 123456789123456789123456789
// - between 250000 and 300000 <- exactly on 2050
// - same for those inbetween
/*
int res = heapOutOfBounds(argc, argv);
printf("res: %d (%p)\n", res, &res);
*/
// STACK-OUT-OF-BOUNDS
// We can see undetected access to several memory zones
// try "1" to trigger Asan and "11", "15" and greater than "23" to switch it
/*
int res = stackOutOfBounds(argc, argv);
printf("res: %d (%p)\n", res, &res);
*/
return 0;
}
