> It looks like the asan support boils down to:
>
> NOSTRIP=1 CC=$CLANG_DIR/bin/clang CFLAGS="-fsanitize=address -g" make

It's also better to have some runtime support as well, i.e. set ASAN_SYMBOLIZER_PATH so it uses debug info to show function names, and not just hex addresses. It is easy to confuse build and runtime options, but I like keeping them separate in the Makefile and test.sh respectively. The bwk repo is set up the same way if you want an example. Also, the other sanitizers are useful, and coverage is another build variant (roughly, it adds machine instructions to increment counters for every line/branch/etc.)

> Sigh, I'm building llvm 3.8.0 here so following the blfs instructions so
> I can reproduce this. (what on earth is clang-analyzer? I take it _that_
> is the static analysis tool I was thinking of?)

You know you can just download the binaries, right? I've heard that building LLVM/clang takes forever.

>> but that's still a bad idea, and not fixing bad style like that (which
>> you did fix) means you can't use asan to find all the other bugs. that
>> would definitely be throwing the baby out with the bathwater. i think
>> it's an open question how security-critical we should consider the
>> various things implemented by toybox. my personal opinion is toward
>> the "not at all" end of the spectrum,
>
> I want them to be secure. I'm just not convinced these tools help.

They definitely help. Buffer overflows controlled by user input are security holes, and these tools are extremely good at finding buffer overflows (as long as you have test coverage, which you need anyway). You have user input in wget/tar/compression/crypto/grep/sed/etc. And even "find"... if you are a sys admin for hosted users, they can attack you via filenames and metadata and gain your privileges.

The other sanitizers also catch integer overflow (integer overflow that HAPPENED, not possible). I'm pretty sure you had some of those too, I think in tar or gz. Integer overflow causes security bugs that most developers find hard to reason about (whereas most people get buffer overflows these days.)

Andy

_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
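The build-side versus runtime-side split Andy describes (CFLAGS in the Makefile, ASAN_SYMBOLIZER_PATH and friends in test.sh), written out as one small POSIX sh script. This is an added example, not code from the toybox or bwk repositories; the variant names, the `build/<variant>` profile directory, the `./test.sh` entry point and the `CLANG_DIR` default are assumptions. It also goes a little beyond the asan case in the thread: it covers the UBSan and coverage build variants mentioned in passing, each with the runtime environment that belongs to it.

```shell
#!/bin/sh
# Added example (not toybox/bwk code): keep BUILD-side sanitizer/coverage
# options (what goes into CFLAGS, i.e. the Makefile side) apart from the
# RUNTIME-side options (what test.sh exports before running the binaries).
# CLANG_DIR, build/<variant> and ./test.sh are assumed names.

# ---- build side: compiler flags per variant -------------------------------
variant_cflags() {
  case "$1" in
    asan)  echo "-fsanitize=address -fno-omit-frame-pointer -g" ;;
    ubsan) echo "-fsanitize=undefined -fno-sanitize-recover=all -g" ;;
    cov)   echo "-fprofile-instr-generate -fcoverage-mapping -g" ;;
    *)     echo "unknown variant: $1" >&2; return 1 ;;
  esac
}

# ---- runtime side: the symbolizer must come from the same LLVM as CC -------
# /opt/llvm/bin/clang -> /opt/llvm/bin/llvm-symbolizer
symbolizer_for_cc() {
  echo "$(dirname "$1")/llvm-symbolizer"
}

# Environment (as NAME=VALUE words) that test.sh should run under.
# Without the symbolizer, ASan/UBSan reports show only hex addresses.
variant_runtime_env() {
  sym=$(symbolizer_for_cc "$2")
  case "$1" in
    asan)  echo "ASAN_SYMBOLIZER_PATH=$sym ASAN_OPTIONS=abort_on_error=1:detect_leaks=1" ;;
    ubsan) echo "UBSAN_SYMBOLIZER_PATH=$sym UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1" ;;
    cov)   echo "LLVM_PROFILE_FILE=build/$1/%p.profraw" ;;
    *)     echo "unknown variant: $1" >&2; return 1 ;;
  esac
}

# ---- the two entry points test.sh would call ------------------------------
build_variant() {   # build_variant asan /opt/llvm/bin/clang
  cflags=$(variant_cflags "$1") || return 1
  NOSTRIP=1 CC="$2" CFLAGS="$cflags" make
}

run_tests() {       # run_tests asan /opt/llvm/bin/clang ./test.sh
  vars=$(variant_runtime_env "$1" "$2") || return 1
  # word splitting on $vars is intended: each word is one NAME=VALUE pair
  env $vars "$3"
}

# Stand-alone use: ./sanitize.sh build asan   |   ./sanitize.sh test asan
cc="${CLANG_DIR:-/opt/llvm}/bin/clang"   # assumed install location
case "${1-}" in
  build) build_variant "$2" "$cc" ;;
  test)  run_tests "$2" "$cc" ./test.sh ;;
esac
```

The point of deriving the symbolizer path from `CC` rather than hard-coding it is that a mismatched `llvm-symbolizer` (say, the distro's 3.x one next to a downloaded newer clang) silently degrades reports back to raw addresses. `abort_on_error=1` and `halt_on_error=1` make a sanitizer finding fail the test run instead of scrolling past in the log, which is what makes the test suite the thing that actually finds the overflows.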
