ASan is not canary based. It uses shadow memory and traps at the point of the invalid access, instead of some time later like a canary check.
But yes, it is possible to fool it. It is a testing tool, not a hardening tool.

Sent from phone

On May 10, 2016 11:48 PM, <[email protected]> wrote:

> On Wednesday, May 11, 2016 at 12:13:30 AM UTC+3, pierre.gagelin wrote:
>>
>> Hi,
>>
>> I am a French last-year student in an internship with a researcher from the Portsmouth university (UK). We began to work on memory security by looking at a research publication which makes reference to AddressSanitizer. I had a first hand with the tool following your github documentation. Playing a bit more with it I found it was possible to make access to unexpected memory without triggering Asan (I attached a small C file with comments). Finding it too easy, I finally think I saw on the internet that it was known and won't be changed (I am sorry, I don't remember the source and can't find it anymore, that's why I can't really say I saw it).
>>
>
> Right, that's the difference between canary-based (ASan) and bounds-checking tools (BaggyBounds). You can only detect overflows up to a certain extent with canaries (they usually cover 99% of real-world errors though...).
>
>
>> My internship master and I agreed it could be interesting to look a little bit deeper at the mechanism, and before jumping into AddressSanitizer.cpp I preferred to look at a smaller llvm pass: BoundsChecking.cpp (same folder). Is it a part of the Asan project? Because from what I understood:
>>
>
> No, that's a separate (probably much less sophisticated) checker.
>
>
>> - it is a Function Pass retrieving a list of each instruction
>> - instrumenting load, store, atomic cmpxchg, atomic rwm
>> - instrumentation is at run-time
>> - instrumentation checks the pointer size, offset and size to be stored/loaded
>> - makes a trap if access is out of pointer bounds
>>
>> Shouldn't it detect the obvious overflow made in the C file I attached?
>>
>> Thank you very much for your time and consideration. I am sorry if my question is irrelevant, I'm just trying to get hands on the project so far.
>>
>> Pierre Gagelin
>>
>
> --
> You received this message because you are subscribed to the Google Groups "address-sanitizer" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
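The shadow-memory check the reply refers to, as an added example that is not code from this thread or from the ASan project: a toy model of ASan's shadow bytes and the per-access check it instruments, showing why an access into a redzone traps immediately while an access that jumps over the redzone into another live object is not flagged. The names (`shadow`, `reported_at`, `asan_would_report`) and the 16-byte redzone are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of ASan shadow memory (added example, not ASan's own code).
 * One shadow byte covers an 8-byte granule: 0 = all 8 bytes addressable,
 * k in 1..7 = only the first k bytes addressable, negative = poisoned
 * (redzone or freed). The "heap" is a small array indexed from 0. */
#define HEAP_BYTES 256
#define REDZONE 16   /* assumed to match ASan's minimum heap redzone */
static int8_t shadow[HEAP_BYTES / 8];

/* Mark [start, start + len) as non-addressable. */
static void poison(size_t start, size_t len) {
    for (size_t a = start; a < start + len; a += 8) shadow[a / 8] = -1;
}

/* Mark an object addressable; a partial tail granule records its valid prefix. */
static void unpoison(size_t start, size_t size) {
    size_t full = size / 8, rem = size % 8;
    for (size_t g = 0; g < full; g++) shadow[start / 8 + g] = 0;
    if (rem) shadow[start / 8 + full] = (int8_t)rem;
}

/* The check ASan emits before a 1-byte access: report if the granule is not
 * fully addressable and the byte sits at or past the valid prefix. */
static bool asan_would_report(size_t addr) {
    int8_t k = shadow[addr / 8];
    if (k == 0) return false;
    if (k < 0) return true;
    return (int8_t)(addr & 7) >= k;
}

/* Place [redzone][A][redzone][B][redzone] the way ASan's allocator surrounds
 * heap chunks, then ask whether a 1-byte access at A + off would be reported. */
static bool reported_at(size_t a_size, size_t b_size, size_t off) {
    poison(0, HEAP_BYTES);
    size_t a = REDZONE;
    unpoison(a, a_size);
    size_t b = a + ((a_size + 7) & ~(size_t)7) + REDZONE; /* granule-aligned */
    unpoison(b, b_size);
    return asan_would_report(a + off);
}

int main(void) {
    /* A is 20 bytes; B starts 40 bytes past A. Offsets 19, 20, 24, 40. */
    size_t offs[] = {19, 20, 24, 40};
    for (size_t i = 0; i < 4; i++)
        printf("A+%zu reported: %d\n", offs[i], reported_at(20, 32, offs[i]));
    return 0;
}
```

Offsets 20 (partial granule) and 24 (redzone) trap at the access itself, which is the shadow-memory behaviour described above; offset 40 lands on B's first byte and passes, which is the limit a bounds-checking tool would not share.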
