A look into the sanitizer family (ASAN & UBSAN)
by Akul Pillai
>_ whoami
● Akul Pillai (Twitter: @akulpillai)
● 2nd year CSE BTech Student @ Amrita School of
Engineering, Amritapuri
● aka k4iz3n, CTF Player @teambi0s
● Reverse Engineering and Binary Exploitation
● Organizing team @ InCTF and InCTFj
>_ Agenda
● What are Sanitizers?
○ Overview
○ Characteristics
● Address Sanitizer (ASan)
○ Usage & Working
● Undefined Behaviour Sanitizer (UBSan)
○ Usage & Working
● Sanitizers in Action (demos)
>_ What are Sanitizers?
● A family of dynamic testing tools shipped with Clang, GCC and
Xcode that let you analyse your code while it runs.
● Detects bugs such as
○ buffer overflows
○ signed integer overflows
○ uninitialized memory reads
○ data races, etc.
● A valuable companion to fuzzing: a corruption that would otherwise
go unnoticed, or crash far from its cause, becomes a precise report at
the first bad access.
>_ Types of Sanitizers
The four main members of the family (LeakSanitizer and others exist,
but these are the core):
>_ Address Sanitizer
detects invalid memory accesses (out of bounds, use after free)
>_ Undefined Behaviour Sanitizer
finds operations whose behaviour the language leaves undefined
>_ Thread Sanitizer
detects data races and other threading bugs
>_ Memory Sanitizer
finds reads of uninitialized memory
>_ Characteristics of Sanitizers
● Compiler instrumented
○ The compiler adds checks inlined into the generated code
● Checks are performed dynamically, at runtime
● A detailed report is printed when a check fails
Consequence: only bugs on the paths that actually execute are reported.
What the sanitizer finds is bounded by the coverage of your inputs, which
is why sanitizers and fuzzers go together.
>_ Agenda
● What are Sanitizers?
○ Types
○ Characteristics
● Address Sanitizer (ASan)
○ Usage & Working
● Undefined Behaviour Sanitizer (UBSan)
○ Usage & Working
● Sanitizers in Action (demos)
>_ Address Sanitizer (ASan)
● Open source tool developed by Google.
● A fast memory error detector (typically around 2x slowdown).
● ASan can detect:
○ Use after free (dangling pointer dereference)
○ Heap buffer overflow
○ Stack buffer overflow
○ Global buffer overflow
○ Use after return
○ Use after scope
● Not detected: reads of uninitialized memory (MemorySanitizer's job)
and overflows that stay inside the same object.
>_ ASan - Usage
Ships with the following compilers, and can be enabled using
the following flags:
○ GCC & Clang: -fsanitize=address
(add -g for symbolized reports and -fno-omit-frame-pointer for
fast stack traces, as the ASan documentation recommends)
○ Xcode : Runtime Sanitization > Enable Address Sanitizer
>_ ASan - Working
before instrumentation:
  *address = ...; // or: ... = *address;

after instrumentation:
  if (IsPoisoned(address)) {
    ReportError(address, kAccessSize, kIsWrite);
  }
  *address = ...; // or: ... = *address;
>_ ASan - Memory Mapping
● Uses a direct address-to-shadow mapping so that each check costs a
shift, an add and a load: MemToShadow(addr) = (addr >> 3) + Offset
● The virtual address space is divided into 2 disjoint classes:
○ Main application memory (Mem): this memory is used by the regular
application code.
○ Shadow memory (Shadow): this memory contains the shadow values (or
metadata) describing which bytes of Mem may be accessed.
>_ ASan - Memory Mapping
Figure: shadow byte values. 8 bytes of main memory are mapped to 1 byte
of shadow memory:
  0          all 8 bytes of the granule are addressable
  1 .. 7     only the first k bytes are addressable
  negative   unaddressable / poisoned (shown as -1 in the figure;
             the runtime uses distinct negative codes for redzones,
             freed memory, etc.)
>_ ASan - Instrumentation
using shadow memory, the IsPoisoned() check becomes:
  shadow_address = MemToShadow(address);
  if (ShadowIsPoisoned(shadow_address)) {
    ReportError(address, kAccessSize, kIsWrite);
  }
  *address = ...; // or: ... = *address;
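To make the 8:1 shadow encoding and the instrumented check concrete, here is a small model of it in C. This is an added example, not the slides' code and not compiler-rt's implementation: the simulated 64-byte address space, the shadow offset of 0 and the single poison value -1 are constructed for illustration (real ASan uses a per-platform offset and several negative codes such as 0xfa for heap redzones and 0xfd for freed memory). The condition in access_is_poisoned is the one ASan emits for 1-, 2- and 4-byte accesses; an 8-byte access needs a fully addressable granule.

```c
/*
 * Toy model of AddressSanitizer's shadow encoding and access check.
 * Added example for this page, NOT the compiler-rt implementation.
 * Address space size, shadow offset and the poison value are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define GRANULE        8               /* 8 bytes of app memory -> 1 shadow byte */
#define MEM_SIZE       64              /* simulated application memory (bytes) */
#define SHADOW_SIZE    (MEM_SIZE / GRANULE)
#define SHADOW_POISON  ((int8_t)-1)    /* negative: whole granule unaddressable */

int8_t shadow[SHADOW_SIZE];

/* MemToShadow(addr) = (addr >> 3) + Offset; Offset is 0 in this model. */
size_t mem_to_shadow(size_t addr) { return addr / GRANULE; }

/* Everything starts poisoned; the "allocator" unpoisons what it hands out. */
void shadow_reset(void) {
    memset(shadow, SHADOW_POISON, sizeof shadow);
}

/*
 * Simulate malloc(n) returning the granule-aligned address `base`:
 * 0 = all 8 bytes addressable, k in 1..7 = first k bytes addressable.
 * Whatever follows the allocation keeps its poisoned shadow (the redzone).
 */
void shadow_unpoison(size_t base, size_t n) {
    size_t s = mem_to_shadow(base);
    while (n >= GRANULE) { shadow[s++] = 0; n -= GRANULE; }
    if (n > 0) shadow[s] = (int8_t)n;   /* partially addressable tail granule */
}

/*
 * The instrumented check for an access of `size` bytes at `addr`:
 *   k = *shadow; if (k != 0 && ((addr & 7) + size - 1) >= k) report
 * An 8-byte access is only valid when k == 0.
 * Returns 1 if ASan would report the access, 0 if it is fine.
 */
int access_is_poisoned(size_t addr, size_t size) {
    if (addr >= MEM_SIZE) return 1;              /* outside the simulated space */
    int8_t k = shadow[mem_to_shadow(addr)];
    if (k == 0) return 0;                        /* fully addressable granule */
    if (k < 0)  return 1;                        /* redzone / freed memory */
    size_t last = (addr % GRANULE) + size - 1;   /* last byte touched, in-granule */
    return last >= (size_t)k;
}

/* malloc(12) placed at address 16: shadow[2] = 0, shadow[3] = 4, rest poisoned. */
void setup_alloc12_at16(void) {
    shadow_reset();
    shadow_unpoison(16, 12);
}
```

With the 12-byte allocation in place, a 1-byte read of byte 11 (address 27) passes, byte 12 (address 28) is reported, and a 4-byte read at address 26 is reported even though it starts inside the object, because its last byte lands in the redzone. That is exactly why a heap overflow by a single byte is caught: the granule after the object has a non-zero shadow value.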
>_ ASan - buffer overflow
>_ ASan - use after free
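The two demo slides above were screenshots that did not survive the text extraction. The program below reproduces both cases and is an added example, not the slides' demo source; the file name asan_demo.c and the command-line arguments "overflow" and "uaf" are my choices. Each function is correct for its safe argument and buggy for the other, which is the point of the Characteristics slide: running the binary with no argument produces no report, because the faulty paths never execute.

```c
/*
 * ASan demo: heap buffer overflow and use after free, reproducing the
 * deck's two cases. Added example, not the slides' demo source.
 *
 * Build:  clang -g -O1 -fno-omit-frame-pointer -fsanitize=address asan_demo.c -o asan_demo
 *         (gcc accepts the same -fsanitize=address flag)
 * Run:    ./asan_demo            -> exit 0, no report: only safe paths run
 *         ./asan_demo overflow   -> ERROR: AddressSanitizer: heap-buffer-overflow
 *         ./asan_demo uaf        -> ERROR: AddressSanitizer: heap-use-after-free
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 16

/* Reads buf[idx] from a 16-byte heap buffer filled with 0..15.
 * idx < 16 is fine; idx == 16 reads one byte past the allocation, into the
 * redzone ASan places after it, and is reported as heap-buffer-overflow. */
int heap_read(size_t idx) {
    unsigned char *buf = malloc(BUF_LEN);
    if (!buf) return -1;
    for (size_t i = 0; i < BUF_LEN; i++) buf[i] = (unsigned char)i;
    int v = buf[idx];          /* BUG when idx >= BUF_LEN */
    free(buf);
    return v;
}

/* Copies `s` to the heap, optionally frees it, then reads the first byte.
 * free_first == 0: returns s[0]. free_first != 0: the read goes through a
 * dangling pointer; ASan reports heap-use-after-free with both the
 * allocation and the free stack. */
int dangling_read(const char *s, int free_first) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) return -1;
    memcpy(p, s, n);
    if (free_first) free(p);
    int c = p[0];              /* BUG when free_first != 0: p is dangling */
    if (!free_first) free(p);
    return c;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "overflow") == 0)
        return heap_read(BUF_LEN);         /* ASan aborts with a report here */
    if (argc > 1 && strcmp(argv[1], "uaf") == 0)
        return dangling_read("hello", 1);  /* ASan aborts with a report here */
    printf("safe paths: heap_read(15)=%d dangling_read=%c\n",
           heap_read(BUF_LEN - 1), dangling_read("hello", 0));
    return 0;
}
```

Without -fsanitize=address both buggy paths usually "work": the one-byte over-read lands in allocator metadata or padding and the freed chunk still holds the old bytes. That silent success is what a fuzzer would see too, which is why fuzz targets are built with ASan.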
>_ Agenda
● What are Sanitizers?
○ Types
○ Characteristics
● Address Sanitizer (ASan)
○ Usage & Working
● Undefined Behaviour Sanitizer (UBSan)
○ Usage & Working
● Sanitizers in Action (demos)
>_ Undefined Behaviour Sanitizer (UBSan)
● Undefined Behaviour is any operation whose result the C/C++ standards
do not define. The compiler may assume it never happens, so the program
can do anything from "seem to work" to "skip your security check".
Examples:
○ dividing by zero
○ loading memory through a misaligned pointer
○ dereferencing a null pointer
○ overflowing a signed integer
● UBSan detects, among others:
○ out-of-bounds access of arrays whose size is known at compile time
○ signed integer overflow
○ out-of-range casts to, from, or between floating-point types and
other types
>_ UBSan - Usage
Ships with the following compilers, and can be enabled using
the following flags:
○ GCC & Clang: -fsanitize=undefined
(by default UBSan prints the report and continues; add
-fno-sanitize-recover=undefined to abort on the first one)
○ Xcode : Runtime Sanitization > Enable Undefined Behaviour
Sanitizer
>_ UBSan - integer overflow
>_ UBSan - Working
demo
>_ UBSan - Working
-fsanitize=undefined is an umbrella flag; the checks it turns on can also
be enabled one at a time (names as in Clang's documentation;
-fsanitize=nullability-arg is Clang-only):
-fsanitize=alignment            use of a misaligned pointer or reference
-fsanitize=bool                 load of a bool that is neither true nor false
-fsanitize=builtin              invalid argument to a compiler builtin
-fsanitize=bounds               array index out of bounds, where the bound
                                is known statically
-fsanitize=enum                 load of an enum value outside its range (C++)
-fsanitize=float-cast-overflow  float conversion that overflows the target type
-fsanitize=nullability-arg      null passed to a parameter declared _Nonnull
-fsanitize=object-size          access to bytes the optimizer can prove are
                                outside the object
-fsanitize=pointer-overflow     pointer arithmetic that wraps, or to/from null
-fsanitize=return               falling off the end of a value-returning
                                function (C++)
-fsanitize=shift                shift by a negative or too-large amount, or a
                                left shift that overflows
-fsanitize=vptr                 C++ object used with the wrong dynamic type
                                (needs RTTI)
>_ UBSan - array out of bounds
>_ UBSan - Working
demo
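The integer overflow and array out-of-bounds demos above were also screenshots. The program below is an added example, not the slides' demo source, reproducing both cases next to a hardened form of each; the file name ubsan_demo.c and the arguments "overflow" and "bounds" are my choices. The hardened addition uses __builtin_add_overflow, which GCC (5 and later) and Clang provide; it reports the wrap instead of performing undefined behaviour.

```c
/*
 * UBSan demo: signed integer overflow and array index out of bounds,
 * each beside a checked version. Added example, not the slides' demo source.
 *
 * Build:  clang -g -fsanitize=undefined ubsan_demo.c -o ubsan_demo
 *         (gcc accepts the same flag; add -fno-sanitize-recover=undefined
 *          to abort at the first report instead of continuing)
 * Run:    ./ubsan_demo           -> no report, prints the checked results
 *         ./ubsan_demo overflow  -> runtime error: signed integer overflow:
 *                                   2147483647 + 1 cannot be represented in type 'int'
 *         ./ubsan_demo bounds    -> runtime error: index 4 out of bounds for
 *                                   type 'int[4]' (Clang wording)
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Plain addition: undefined when the result does not fit in int.
 * Caught by -fsanitize=signed-integer-overflow (part of =undefined). */
int add_unchecked(int a, int b) {
    return a + b;                       /* BUG for INT_MAX + 1, INT_MIN + -1, ... */
}

/* Hardened form: __builtin_add_overflow computes the exact sum and tells us
 * whether it wrapped. Returns 0 and stores the sum, or -1 on overflow,
 * without ever executing undefined behaviour. */
int add_checked(int a, int b, int *out) {
    int r;
    if (__builtin_add_overflow(a, b, &r)) return -1;
    *out = r;
    return 0;
}

/* Indexes a fixed-size local array; i == 4 is one past the end.
 * -fsanitize=bounds catches it because the type 'int[4]' is known at
 * compile time. The same read through an int* parameter would not be. */
int table_lookup(int i) {
    int table[4] = { 10, 20, 30, 40 };
    return table[i];                    /* BUG when i < 0 or i > 3 */
}

/* Hardened form: range check first; -1 signals a rejected index. */
int table_lookup_checked(int i) {
    static const int table[4] = { 10, 20, 30, 40 };
    if (i < 0 || i >= 4) return -1;
    return table[i];
}

int main(int argc, char **argv) {
    int sum = 0;
    if (argc > 1 && strcmp(argv[1], "overflow") == 0)
        return add_unchecked(INT_MAX, 1) != 0;     /* UBSan report here */
    if (argc > 1 && strcmp(argv[1], "bounds") == 0)
        return table_lookup(4) != 0;               /* UBSan report here */
    if (add_checked(INT_MAX, 1, &sum) != 0)
        puts("add_checked: overflow detected, no undefined behaviour");
    printf("table_lookup_checked(4) = %d (rejected)\n", table_lookup_checked(4));
    return 0;
}
```

Two things worth noticing when you run it: without -fsanitize=undefined the overflow case quietly returns INT_MIN on every mainstream compiler, and the bounds case returns whatever sits next to the array on the stack. Both are the kind of bug that turns a length check into a bypass, and neither crashes, so nothing but the sanitizer (or the checked versions) tells you.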
>_ questions?
