Google Summer of Code 2018 Mentor Summit

Author: Kamil Rytarowski

E-mail: kamil@netbsd.org

Date: October 13rd 2018

Place: Googleplex, Mountain View, California, USA

Kamil Rytarowski (born 1987)

Krakow, Poland

NetBSD user since 6.1.

The NetBSD Foundation member (== developer) since 2015.

Work areas: kernel, userland, pkgsrc.

Interest: NetBSD on desktop and in particular NetBSD as a workstation.

The current activity in 3rd party software:

• LLVM committer.
• GDB & binutils committer.
• NetBSD maintainer in qemu.

The first time mentor during GSoC 2018.

• Lightning introduction to NetBSD
• NetBSD and Google Summer of Code
• Sanitizers
• Userland sanitizers
• Kernel sanitizers

NetBSD is a free, fast, secure, and highly portable Unix-like Open Source operating system. It is available for a wide range of platforms, from large-scale servers and powerful desktop systems to handheld and embedded devices.

PowerPC, Alpha, SPARC, MIPS, SH3, ARM, amd64, i386, m68k, VAX, ...

Of course it runs NetBSD.

Binaries.

• Daily builds https://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/latest/
• Releases https://cdn.netbsd.org/pub/NetBSD/

Community support.

• Bugs and patches can be sent via Gnats https://www.netbsd.org/cgi-bin/sendpr.cgi?gndb=netbsd.
• Several mailing lists https://www.netbsd.org/mailinglists exist. The netbsd-users list is a good choice for many problems.
• A community IRC channel exist on #netbsd @ freenode
• Twitter, GitHub, etc...

For additional introduction check The NetBSD Guide.

https://www.netbsd.org/docs/guide/en/

NetBSD participated successfully in the following Google's Summer of Code programs: 2005-2013 and 2016-2018.

In 2018 there were 9 project slots for The NetBSD Foundation.

Together with Christos Zoulas, I've mentored 3 students this year.

Two of them finished the coding periods successfully.

• Yang Zheng (China) "Integrate libFuzzer with the basesystem"
• Siddharth Muralee (India) "Kernel Address Sanitizer"

Check http://blog.netbsd.org/ for their reports.

Other successful projects mentored by the NetBSD developers.

• Keivan Motavalli "Configuration files versioning in pkgsrc"
• Nizar Benshaqi "SQL Database for ATF tests results with online query and statistics page"

Sanitizer is a programming tool that detects computer program bugs such as:

• buffer overflows,
• signed integer overflow,
• uninitialized memory read,
• data races etc.

The fundamental four types of sanitizers:

• Address Sanitizer (Asan) - Finds invalid address usage bugs.
• Undefined Behavior Sanitizer (UBSan) - Finds unspecified code semantics bugs.
• Thread Sanitizer (TSan) - Finds threading bugs.
• Memory Sanitizer (MSan) - Finds uninitialized memory read.

All of them main four userland sanitizers are supported on NetBSD.

• ASan (amd64, i386)
• UBSan (all ports)
• MSan (amd64)
• TSan (amd64)

There are two sanitizers available in the NetBSD kernel.

• kASan (amd64, aarch64)
• kUBSan (all ports)

• Checks are performed dynamically in runtime.
• Compiler (Clang, GCC) emits checks inlined into the generated code.
• Runtime handles non-trivial validation and reporting of bugs.

Sanitizers:

• Compile-time instrumentation
• Slowdown 2x
• Decent portability
• Detects: out-of-bounds heap, out-of-bounds stack, out-of-bounds globals, use-after-free, use-after-return, uninitialized-memory-read, leaks, undefined-behavior, data races

Valgrind:

• Dynamic-binary instrumentation
• Slowdown 20x
• Difficult porting to new platforms and OSes
• Detects: out-of-bounds heap, use-after-free, uninitialized-memory-read, leaks, data races

The base distribution (HEAD version).

• GCC-style distribution: ASan, UBSan, LSan (scratch)
• LLVM-style distribution: shipping with the distribution coming soon

Externally prebuilt standalone toolchain.

• GCC: downstream for LLVM, ignored right now
• LLVM: occasional prebuilt snapshots for public consumption http://cdn.netbsd.org/pub/NetBSD/misc/kamil/

µUBSan - independent NetBSD runtime:

• Clean room independent and self-contained implementation (1300 LOC)
• Implemented within a single C file (ubsan.c) with minimal dependencies (mostly printing, support for variable argument lists and optional aborting the execution)
• The same runtime is reused in userland and kernel
• Used as a standalone library, the runtime (and compiler instrumentation) is verified with the ATF regression tests (checking both C and C++)

• Designed to be portable to any reasonable 32-bit and 64-bit CPU (restrictions are mostly due to handling of floating point numbers)
• No Undefined Behavior triggered in the runtime (contrary to alternatives), this implies self-sanitizing
• With a minimal shim known ports to FreeBSD (arm, aarch64) and XNU kernels (x86?)
• No TODO lists, considered as feature-complete - just track upstream for new reports (like signed/unsigned integer truncation)

ASan: sh(1), sysinst(8), heimdal krb5, libutil(3), man(1), installboot(8), passwd(8), ...

UBSan: tmux(1), expr(1), ksh(1), ifconfig(8), libc, [gnu]grep(1), gzip(1), [n]awk(1), [n]vi(1), disklabel(8), ...

MSan: sh(1), top(1), ...

... and others that were forgotten to mention.

Available the NetBSD kernel diagnostics:

• DIAGNOSTIC - inexpensive kernel consistency checks
• DEBUG - expensive debugging checks/support
• LOCKDEBUG - expensive locking checks/support
• KMEM_POISON - detects modify-after-free (removed after introduction of kASan)
• KMEM_GUARD - very expensive; detects overflows, invalid pointer/size passed at free, underflow at free, use-after-free
• KMEM_REDZONE - detects overrun bugs (removed after introduction of kASan)

They are usually expensive and detect logical kernel bugs in certain subsystems or routines only.

Shares runtime with the userland (µUBSan).

Detected and fixed kernel bugs

• sys/sys/wait.h sys/external/bsd/drm2/dist/drm/i915/i915_reg.h sys/netinet6/in6.c sys/kern/kern_descrip.c sys/kern/kern_lwp.c sys/kern/sys_mqueue.c sys/dev/scsipi/scsipiconf.h sys/kern/subr_pool.c sys/ufs/ffs/ffs_subr.c sys/sys/mman.h sys/dev/pci/pciide_piix_reg.h sys/arch/x86/x86/intr.c sys/kern/kern_descrip.c common/lib/libutil/snprintb.c common/lib/libc/inet/inet_addr.c common/lib/libc/sys/cpuset.c sys/fs/msdosfs/msdosfs_fat.c sys/fs/udf/ecma167-udf.h ...

... and more

Mostly:

• unportable bit shift (mostly harmless in modern CPUs)
• unaligned memory access (reports in ACPICA, IP stack, MD specific code; RISC CPUs are sensitive to this)
• signed integer overflow (usually means either bad design or real bugs)

Primary author of the port: Maxime Villard (maxv@NetBSD.org).

Initial porting by Siddharth Muralee (during Google Summer of Code).

Detects unauthorized memory access (unallocated or already freed) - use-after-free, out-of-bound access, etc.

The NetBSD port functional with ASan ABI v6 (GCC 6.x) and v8 (GCC 7.x, Clang/LLVM 6.x).

kASan supported on the following ports:

• NetBSD/amd64
• NetBSD/aarch64 (to be merged with mainline)

Nice to have for bug detecting purposes:

• a port to a performant 32-bit CPU emulated with a hardware assisted virtualization (NetBSD/i386 is a good candidate)

Further reading

• Monthly reports on https://blog.netbsd.org/
• Current TODO maintained in the NetBSD sources src/doc/TODO.sanitizers
• Wiki page overview https://wiki.netbsd.org/users/kamil/sanitizers/

Action needed

• Validate your code with a sanitizer
• Check the list of a reported NetBSD issues and submit patches with fixes! http://netbsd.org/~kamil/mksanitizer-reports

Future directions

• kcov(4) and syzkaller - multithreaded coverage-guided kernel fuzzer
• rumpkernel sanitizing and fuzzing - research and innovations

permalink: http://netbsd.org/~kamil/gsoc2018_mentor_summit.html