AddressSanitizer

AddressSanitizer (or ASan) is a programming tool that detects memory corruption bugs such as buffer overflows or accesses to a dangling pointer (use-after-free). AddressSanitizer is based on compiler instrumentation and directly-mapped shadow memory. AddressSanitizer is currently implemented in Clang (starting from version 3.1[1]) and GCC (starting from version 4.8[2]). On average, the instrumentation increases processing time by about 73% and memory usage by 340%.[3]

Users

Chromium and Firefox developers are active users of AddressSanitizer,[4][5] the tool has found hundreds of bugs in these web browsers.[6] A number of bugs were found in FFmpeg[7] and FreeType.[8] The Linux kernel has enabled the AddressSanitizer for the x86-64 architecture as of Linux version 4.0. The kernel instrumentation requires a special feature in the compiler supplying the -fsanitize=kernel-address command line option, since kernels do not use the same address space as normal programs.[9][10]

Examples

Heap-use-after-free

// RUN: clang -O -g -fsanitize=address %t && ./a.out
int main(int argc, char **argv) {
  int *array = new int[100];
  delete [] array;
  return array[argc];  // BOOM
}
==7182==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400000fe44 at pc 0x46bfef bp 0x7fff91b88080 sp 0x7fff91b88078
READ of size 4 at 0x61400000fe44 thread T0
    #0 0x46bfee in main /tmp/example_UseAfterFree.cc:5

0x61400000fe44 is located 4 bytes inside of 400-byte region [0x61400000fe40,0x61400000ffd0)
freed by thread T0 here:
    #0 0x4536e1 in operator delete[](void*)
    #1 0x46bfb9 in main /tmp/example_UseAfterFree.cc:4

previously allocated by thread T0 here:
    #0 0x453371 in operator new[](unsigned long) 
    #1 0x46bfae in main /tmp/example_UseAfterFree.cc:3

Heap-buffer-overflow

// RUN: clang -O -g -fsanitize=address %t && ./a.out
int main(int argc, char **argv) {
  int *array = new int[100];
  array[0] = 0;
  int res = array[argc + 100];  // BOOM
  delete [] array;
  return res;
}
==25372==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffd4 at pc 0x0000004ddb59 bp 0x7fffea6005a0 sp 0x7fffea600598
READ of size 4 at 0x61400000ffd4 thread T0
    #0 0x46bfee in main /tmp/main.cpp:4:13

0x61400000ffd4 is located 4 bytes to the right of 400-byte region [0x61400000fe40,0x61400000ffd0)
allocated by thread T0 here:
    #0 0x4536e1 in operator delete[](void*)
    #1 0x46bfb9 in main /tmp/main.cpp:2:16

Stack-buffer-overflow

// RUN: clang -O -g -fsanitize=address %t && ./a.out
int main(int argc, char **argv) {
  int stack_array[100];
  stack_array[1] = 0;
  return stack_array[argc + 100];  // BOOM
}
==7405==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff64740634 at pc 0x46c103 bp 0x7fff64740470 sp 0x7fff64740468
READ of size 4 at 0x7fff64740634 thread T0
    #0 0x46c102 in main /tmp/example_StackOutOfBounds.cc:5

Address 0x7fff64740634 is located in stack of thread T0 at offset 436 in frame
    #0 0x46bfaf in main /tmp/example_StackOutOfBounds.cc:2

  This frame has 1 object(s):
    [32, 432) 'stack_array' <== Memory access at offset 436 overflows this variable

Global-buffer-overflow

// RUN: clang -O -g -fsanitize=address %t && ./a.out
int global_array[100] = {-1};
int main(int argc, char **argv) {
  return global_array[argc + 100];  // BOOM
}
==7455==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000689b54 at pc 0x46bfd8 bp 0x7fff515e5ba0 sp 0x7fff515e5b98
READ of size 4 at 0x000000689b54 thread T0
    #0 0x46bfd7 in main /tmp/example_GlobalOutOfBounds.cc:4

0x000000689b54 is located 4 bytes to the right of 
  global variable 'global_array' from 'example_GlobalOutOfBounds.cc' (0x6899c0) of size 400

Limitations

AddressSanitizer does not prevent any uninitialized memory reads, and only prevents some use-after-return bugs.[11] It is also not capable of preventing all arbitrary memory corruption bugs. Arbitrary write bugs due to integer underflow/overflows (when the integer with undefined behavior is used to calculate memory address offsets). Adjacent buffers in structs and classes are not protected from overflow, in part to prevent breaking backwards compatibility.[12]

References

  1. "LLVM 3.1 Release Notes". LLVM. Retrieved 8 February 2014.
  2. "GCC 4.8 Release Notes". GCC. Retrieved 8 February 2014.
  3. Konstantin Serebryany, Derek Bruening, Alexander Potapenko, Dmitry Vyukov. "AddressSanitizer: a fast address sanity checker" (PDF). Proceedings of the 2012 USENIX conference on Annual Technical Conference.
  4. Abhishek Arya and Cris Neckar, Chrome Security Team. "Fuzzing for Security".
  5. "Securing Firefox: Trying new code analysis techniques".
  6. "Some of the bugs found by AddressSanitizer".
  7. Mateusz Jurczyk and Gynvael Coldwind. "FFmpeg and a thousand fixes".
  8. "Search results for AddressSanitizer in FreeType Bugs:".
  9. Jake Edge. "The kernel address sanitizer".
  10. Jonathan Corbet. "3.20 merge window part 2".
  11. "ComparisonOfMemoryTools". AddressSanitizer Wiki. Retrieved 1 July 2014.
  12. "Bypassing AddressSanitizer" (PDF). Eric Wimberley. Retrieved 1 July 2014.

External links

This article is issued from Wikipedia - version of the Saturday, February 27, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.