On Saturday, March 18, 2017 at 8:02:25 PM UTC+5:30, Paras Chetal wrote:
>
> Hi Jean-Philippe,
>
> Really sorry for the delayed response, but yes, I am still very much 
> interested in the project.
> I have been going through the arch-spec of qubes and have been studying 
> the code base of qubes-builder, trying to understand how everything is 
> stitched together.
>
> Regarding static analysis, I ran scan-build across the various components 
> in the qubes-builder, but that does not really reveal anything interesting 
> off the top (as expected). I will still be sending a PR in by the end of 
> this weekend to have a convenient bash script in the qubes-builder/scripts 
> directory which will scan-build the various components under 
> qubes-builder/qubes-src. Custom static analysis of untrusted_ variables 
> will obviously be much more useful, and I'll add it later.
>
> I'm more interested in taking up extensive fuzzing (using afl) of the 
> various qubes components. It seems to me that would be much more useful for 
> Qubes than just static analysis. The two major tasks, like you said, would 
> be the identification and subsequent guided fuzzing of the interfaces which 
> cross trust boundaries. Since I'm relatively new to this, I'm not sure how 
> I should divide them into sub tasks. I would appreciate if you could help 
> me with that. Once we have the sub-tasks figured out, I'll think about the 
> milestones and a proposed timeline for the project.
>
> I think I'll be able to work on both static and dynamic analysis over the 
> summer. Implementing symbolic execution is still unclear, and I'll work on 
> it later if time permits.
> I'll stay in touch with you on the #qubes channel on freenode IRC. (nick: 
> feignix)
>
> Regards,
> Paras Chetal
> <https://paraschetal.in>
>

Hi Jean-Philippe,

Could you please explain how identification of the interfaces which 
exchange data from vchan buffers could be automated? Designing an 
intermediate layer through which all data will move seems to me to 
be the ideal way. I don't have much knowledge of how cross-process taint 
tracking could be implemented here. Could you please point me to some 
resources from where I can read up on it? Also, I have some questions 
regarding how I should set up my system to get started with fuzzing. For 
instance, let's say I start with the fuzzing of libvchan. I would have to 
provide some dummy input data (controlled by afl-fuzz) and then store the 
results, right? How would I detect whether the input actually led to 
unintended behavior, since I'm fuzzing individual components but I need 
to analyze the effect these components have on the whole system (like 
filesystem modifications outside of the hierarchy)? 

I have started writing the proposal for GSoC. I'll be sharing it in around 
a week or so. I plan to lay the groundwork for both static and dynamic 
analysis. Please let me know what according to you would be the 
satisfactory outcome for the project.

Regards,
Paras Chetal <https://paraschetal.in>
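As an added example (not code from this thread or from the Qubes project), one way to set up the kind of harness asked about above: the vchan read is replaced by a shim that serves bytes from the afl-fuzz test case, so the component runs without Xen, and the parser keeps its untrusted_ bounds check so that a sanitizer build (afl-clang-fast with ASan) reports any out-of-bounds access as a crash. The message format, the fake_vchan_* names and handle_message are assumptions, not the real libvchan API.

```c
/* AFL harness sketch for a component that reads from a vchan-style channel.
 * Assumptions (hypothetical, not Qubes code): messages are a native-endian
 * 4-byte length followed by a payload of at most MAX_MSG bytes. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSG 4096

/* Stand-in for the vchan read: serves bytes from the buffer afl-fuzz
 * supplied instead of a Xen ring, mirroring a recv(ctrl, buf, size) shape. */
typedef struct { const uint8_t *data; size_t len, pos; } fake_vchan_t;

static int fake_vchan_recv(fake_vchan_t *ch, void *out, size_t size) {
    if (ch->len - ch->pos < size) return -1;   /* short read: peer went away */
    memcpy(out, ch->data + ch->pos, size);
    ch->pos += size;
    return (int)size;
}

/* The parsing step under test. Returns the payload length on success and
 * -1 for a rejected message. Removing the untrusted_len check is exactly
 * the kind of defect an ASan build of this harness would turn into a crash. */
int handle_message(fake_vchan_t *ch, uint8_t *payload_out) {
    uint32_t untrusted_len;
    if (fake_vchan_recv(ch, &untrusted_len, sizeof untrusted_len) < 0) return -1;
    if (untrusted_len > MAX_MSG) return -1;      /* sanitize before use */
    if (fake_vchan_recv(ch, payload_out, untrusted_len) < 0) return -1;
    return (int)untrusted_len;
}

/* Run one afl-fuzz input through the parser: 0 = handled, 1 = rejected. */
int fuzz_one(const uint8_t *data, size_t len) {
    fake_vchan_t ch = { data, len, 0 };
    uint8_t payload[MAX_MSG];
    return handle_message(&ch, payload) < 0 ? 1 : 0;
}

int main(int argc, char **argv) {
    /* afl-fuzz hands the test case over as a file path (the @@ argument) */
    FILE *f = fopen(argc > 1 ? argv[1] : "/dev/stdin", "rb");
    if (!f) return 2;
    static uint8_t buf[MAX_MSG + 64];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return fuzz_one(buf, n);
}
```

Build with afl-clang-fast and AFL_USE_ASAN=1, then run afl-fuzz with a seed directory of small valid messages; crashes found this way point at the parser, and the whole-system effects asked about above still need a separate check outside the harness.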


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/31f4007f-61b4-48bc-853c-2f9e2108cb8f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.