MeetBSDCa 2018

Author: Kamil Rytarowski

E-mail: kamil@netbsd.org

Date: October 19th 2018

Place: Intel Santa Clara Campus, California, USA

Kamil Rytarowski (born 1987)

Krakow, Poland

NetBSD user since 6.1.

The NetBSD Foundation member since 2015.

Work areas: kernel, userland, pkgsrc.

Interest: NetBSD on desktop and in particular NetBSD as a workstation.

The current activity in 3rd party software:

• LLVM committer.
• GDB & binutils committer.
• NetBSD maintainer in qemu.

• What are sanitizers?
• Types of sanitizers
• Characteristics of sanitizers
• NetBSD compatibility challenges
• Interceptors
• MKSANITIZER
• A selection of fixed programs

Sanitizer is a programming tool that detects computer program bugs such as:

• buffer overflows,
• signed integer overflow,
• uninitialized memory read,
• data races etc.

The fundamental four types of sanitizers.

• Address Sanitizer (Asan) - Finds invalid address usage bugs.
• Undefined Behavior Sanitizer (UBSan) - Finds unspecified code semantics bugs.
• Thread Sanitizer (TSan) - Finds threading bugs.
• Memory Sanitizer (MSan) - Finds uninitialized memory read.

All of them are supported on NetBSD.

• Checks are performed dynamically in runtime.
• Compiler (Clang, GCC) emits checks inlined into the generated code.
• Runtime handles non-trivial validation and reporting of bugs.

Sanitizers.

• Compile-time instrumentation
• Slowdown 2x
• Decent portability
• Detects: out-of-bounds heap, out-of-bounds stack, out-of-bounds globals, use-after-free, use-after-return, uninitialized-memory-read, leaks, undefined-behavior, data races

Valgrind.

• Dynamic-binary instrumentation
• Slowdown 20x
• Difficult porting to new platforms and OSes
• Detects: out-of-bounds heap, use-after-free, uninitialized-memory-read, leaks, data races

The base distribution (HEAD version).

• GCC-style distribution: ASan, UBSan, LSan (scratch)
• LLVM-style distribution: shipping with the distribution coming soon

Externally prebuilt standalone toolchain.

• GCC: downstream for LLVM, ignored right now
• LLVM: occasional prebuilt snapshots for public consumption http://cdn.netbsd.org/pub/NetBSD/misc/kamil/

Design choices.

• Sanitizers are designed to run on top of libc, libpthread, libm, librt
• The c, pthread, m and rt libraries are not instrumented (no compiler flags during build)
• Most sanitizers keep track of allocations from unistrumented libraries with malloc(3) and mmap(2) interceptors
• Written in C++ and ship with native support of sanitization of C++ code
• Requirement of low-level C++ runtime features (LLVM libc++ and GNU libstdc++ supported)
• Most sanitizers require large address space for meta-buffers

Problems generated by the design of sanitizers: ASLR.

• Incompatiblity with NetBSD PaX ASLR (as of now) due to requirement of mapping allocated buffers into meta-buffers of sanitizers
• NetBSD's Address Space Layour Randomization is too aggressive
• ASan randomly work with ASLR; TSan & MSan break all the time
• Crashes caused by ASLR tend to be hard to understand

Workaround.

• Disable PaX ASLR either globally or per-application
• Included runtime detector of PaX ASLR for NetBSD applications and bail out with an error message

On NetBSD (ELF program file format) interceptors use dynamic loader functionality to install interceptors for routines from a dynamically loaded library.

Sanitizer's runtime inlines a local copy of a certain interceptor into the body of a program, and this symbol is resolved before resolving a symbol from a library.

• Sanitizers (usually) do not know whether arbitrary data region is initialized
• Sanitizers (usually) do not know whether base library will either read or write data referenced by passed pointer
• Sanitizers (usually) do not know what happens inside unsanitized libraries (c, rt, etc)

Solution.

• Introduce an interceptor for every libc, libm, librt, libpthread API call that passes data (in any direction: in / out) over a pointer
• Handle special cases on per-sanitizer, per-API and per-OS (& per-libc) basis

Solution.

• Disable recursive interceptors in sensitive sanitizers (MSan)
• Recursive interception is disabled on per-interceptor and per-sanitizer basis
• In narrow cases there is a need to install interceptors for functions that do not return or take any arguments (example: void tzset(void)) only for the purpose of disabling calls of interceptors inside uninstrumented library
• Cover more function calls in base libraries with interceptors
• Keep adding interceptors until your application starts to execute correctly

GNU world.

• Fragmentation of userland, programs such as GNU grep(1) are developed separately with GNU patch(1) and GNU libc
• Alternative versions of libc (musl, eglibc, newlib, ...)
• Developers restrict themselves to POSIX functions and reinvent utility functions in their programs

BSD world.

• Entire basesystem is developed inside a single source tree
• Single version of libc, unless somone is overly-adventurous
• Developers push common utility routines to either utility libraries (libutil) or directly into base libraries (libc, ...)

The GNU vs BSD implications in sanitizers.

• The BSD world must install many more interceptors than the GNU world (at least 100% more)

• Adding interceptors for C++ libraries is practically undoable due to C++ symbol name mangling (and might be incompatible between compiler versions)
• Adding interceptors for a certain C library requires us to link every sanitized program with that library (such as libutil symbols will require us to link every sanitized program with -lutil)
• Covering symbols from more libraries with interceptors enlarges the runtime, requires a lot of manual work and does not scale
• Adding interceptors for a certain library assumes that we will skip potential bugs inside its code

In narrow cases interceptors introduce compatiblity issues between 32 and 64-bit code (such as libkvm - interacting with kernel memory).

In the libkvm case it worked to rebuild the library with a sanitizer natively.

Last but not least, if there are already symbols inside an application duplicated with a basesystem - they will conflict with an interceptor.

Workaround.

• Patch the code to rename a symbol to remove name clash (Symbol name clash in a program with UNIX interfaces is in some cases a POSIX spec violation)
• Refer to preprocessor magic and rename the symbol in the fly for the use of sanitization (e.g. -Dregex=__renamed_regex)

Summary.

• libc, libm, librt, libposix remain unsanitized
• The BSD world requires more interceptors than the GNU world
• All the other libraries shall be prebuilt with native sanitization
• Processing the userland to ship sanitized libraries manually is impractically difficult

Solution.

• Automatization of preprocessing the entire userland with a selected set of sanitizers with a distribution build flag (NetBSD's MKSANITIZER)

ASan: sh(1), sysinst(8), heimdal krb5, libutil(3), man(1), installboot(8), passwd(8), ...

UBSan: tmux(1), expr(1), ksh(1), ifconfig(8), libc, [gnu]grep(1), gzip(1), [n]awk(1), [n]vi(1), disklabel(8), ...

MSan: sh(1), top(1), ...

... and others that were forgotten to mention.

Further reading

• Monthly reports on https://blog.netbsd.org/
• Current TODO maintained in the NetBSD sources src/doc/TODO.sanitizers
• Wiki page overview https://wiki.netbsd.org/users/kamil/sanitizers/
• MKLIBCSANITIZER with a homegrown sanitizer runtime inside libc
• NetBSD Kernel Sanitizers

Action needed

• Validate your code with a sanitizer
• Check the list of a reported NetBSD issues and submit patches with fixes! http://netbsd.org/~kamil/mksanitizer-reports

Future directions

• kcov(4) and syzkaller - multithreaded coverage-guided kernel fuzzer
• rumpkernel sanitizing and fuzzing - research and innovations