doylet/ASANManualPoisoning
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: doylet/ASANManualPoisoning:main
Branches Tags
doylet/ASANManualPoisoning:main
..
compare: doylet/ASANManualPoisoning:6a49e6fb597f5e195c97c9dd70ceb1a080a68610
Branches Tags
doylet/ASANManualPoisoning:main

6 Commits
main .. 6a49e6fb59

Author SHA1 Message Date
doylet 6a49e6fb59 Tweak wording of sliding window test 2023-08-28 22:19:51 +10:00
doylet 8cce3380f5 build: Use script directory for build folder in Windows 2023-08-28 22:19:35 +10:00
doylet 5211a755a3 build: Add GCC build script 2023-08-28 22:19:14 +10:00
doylet 1f5070f456 Generate the readme from the example 2023-08-28 22:12:55 +10:00
doylet 591956471e build: Compile into build folder 2023-08-28 13:35:53 +10:00
doylet 7d0aa69421 Initial commit 2023-08-28 00:33:11 +10:00
2 changed files with 28 additions and 53 deletions
Expand all files Collapse all files
asan_example.cpp
+11 -24
View File
@@ -84,22 +84,8 @@ int main()
"## Overview\n"
"\n"
"ASAN provides a way to manually markup ranges of bytes to\n"
"prohibit or permit reads to those addresses. In\n"
"`<sanitizer/asan_interface.h>` there's a vague brief mention to\n"
"alignment requirements for the poison API:\n"
"\n"
"```cpp\n"
"/// ... This function is not guaranteed to poison the entire region -\n"
"/// it could poison only a subregion of <c>[addr, addr+size)</c> due to ASan\n"
"/// alignment restrictions.\n"
"void __asan_poison_memory_region(void const volatile *addr, size_t size);\n"
"\n"
"/// ... This function could unpoison a super-region of <c>[addr, addr+size)</c> due\n"
"/// to ASan alignment restrictions.\n"
"void __asan_unpoison_memory_region(void const volatile *addr, size_t size);\n"
"```\n"
"\n"
"There's another small foot-note in Google's "
"prohibit or permit reads to those addresses. There's a short\n"
"foot-note in Google's "
"[AddressSanitizerManualPoisoning](https://github.com/google/"
"sanitizers/wiki/AddressSanitizerManualPoisoning)\n"
"documentation that states:\n"
@@ -111,24 +97,25 @@ int main()
"chunks should start with 8-aligned addresses.\n"
"```\n"
"\n"
"So then this repository runs some simple tests to clarify the behaviour\n"
"of the API on un/aligned addresses at various sizes without having\n"
"This repository runs some simple tests to clarify the behaviour of\n"
"the API on un/aligned addresses at various sizes without having\n"
"to dig into source code or read the [ASAN paper](https://static."
"googleusercontent.com/media/research.google.com/en/pubs/archive/"
"37752.pdf).\n"
"\n"
"We use a stack-allocated 16 byte array and test un/poisoning\n"
"various ranges of bytes from different alignments to clarify the\n"
"poisoning behaviour of the API. This reveals that calling the API\n"
"haphazardly, unaligned or straddling boundaries can lead to gaps in\n"
"poisoned memory and hide potential leaks (as also demonstrated in\n"
"[Manual ASAN poisoning and alignment]"
"(https://github.com/mcgov/asan_alignment_example)).\n"
"poisoning behaviour of the API.\n"
"\n"
"This reveals that calling the API haphazardly, unaligned or\n"
"straddling boundaries can lead to gaps in poisoned memory and hide\n"
"potential leaks (as also demonstrated in [Manual ASAN poisoning and\n"
"alignment](https://github.com/mcgov/asan_alignment_example)).\n"
"\n"
"## References\n"
"\n"
"- [Manual ASAN poisoning and alignment](https://github.com/mcgov/asan_alignment_example) example by `mcgov`\n"
"- [Address Sanitizer: A Fast Address Sanity Checker](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/37752.pdf)\n"
"- [Address Sanitizer: A Fast Address Sanity Checker](https://static.googleusercontent.com/media/research.google.com/en/pubs/archive/37752.pdf)\n"
"- [sanitizer/asan_interface.h](https://github.com/llvm-mirror/compiler-rt/blob/master/include/sanitizer/asan_interface.h)\n"
"\n"
"## Raw Test Results\n"
readme.md
+17 -29
View File
@@ -25,22 +25,8 @@ marked-up memory that may lead to undetected read/writes.
## Overview
ASAN provides a way to manually markup ranges of bytes to
prohibit or permit reads to those addresses. In
`<sanitizer/asan_interface.h>` there's a vague brief mention to
alignment requirements for the poison API:
```cpp
/// ... This function is not guaranteed to poison the entire region -
/// it could poison only a subregion of <c>[addr, addr+size)</c> due to ASan
/// alignment restrictions.
void __asan_poison_memory_region(void const volatile *addr, size_t size);
/// ... This function could unpoison a super-region of <c>[addr, addr+size)</c> due
/// to ASan alignment restrictions.
void __asan_unpoison_memory_region(void const volatile *addr, size_t size);
```
There's another small foot-note in Google's [AddressSanitizerManualPoisoning](https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning)
prohibit or permit reads to those addresses. There's a short
foot-note in Google's [AddressSanitizerManualPoisoning](https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning)
documentation that states:
```
@@ -50,30 +36,32 @@ of memory leaving poisoned redzones between them. The allocated
chunks should start with 8-aligned addresses.
```
So then this repository runs some simple tests to clarify the behaviour
of the API on un/aligned addresses at various sizes without having
This repository runs some simple tests to clarify the behaviour of
the API on un/aligned addresses at various sizes without having
to dig into source code or read the [ASAN paper](https://static.googleusercontent.com/media/research.google.com/en/pubs/archive/37752.pdf).
We use a stack-allocated 16 byte array and test un/poisoning
various ranges of bytes from different alignments to clarify the
poisoning behaviour of the API. This reveals that calling the API
haphazardly, unaligned or straddling boundaries can lead to gaps in
poisoned memory and hide potential leaks (as also demonstrated in
[Manual ASAN poisoning and alignment](https://github.com/mcgov/asan_alignment_example)).
poisoning behaviour of the API.
This reveals that calling the API haphazardly, unaligned or
straddling boundaries can lead to gaps in poisoned memory and hide
potential leaks (as also demonstrated in [Manual ASAN poisoning and
alignment](https://github.com/mcgov/asan_alignment_example) example
by `mcgov`.
## References
- [Manual ASAN poisoning and alignment](https://github.com/mcgov/asan_alignment_example) example by `mcgov`
- [Address Sanitizer: A Fast Address Sanity Checker](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/37752.pdf)
- [Address Sanitizer: A Fast Address Sanity Checker](https://static.googleusercontent.com/media/research.google.com/en/pubs/archive/37752.pdf)
- [sanitizer/asan_interface.h](https://github.com/llvm-mirror/compiler-rt/blob/master/include/sanitizer/asan_interface.h)
## Raw Test Results
Here we poison a sliding window of 7 bytes to demonstrate that ASAN
poisoning will only poison the byte region if the region meets an 8
byte aligned address. It will only poison bytes up to the boundary,
any bytes that straddle the boundary that do not hit the next 8 byte
boundary are not poisoned.
Here we demonstrate that ASAN poison-ing will only poison the
byte region if the region meets an 8 byte boundary. It will only
poison bytes upto the 8 byte boundary, any bytes that straddle
the boundary that do not hit the next 8 byte boundary are not
poison-ed.
```
Byte Array 00 01 02 03 04 05 06 07 | 08 09 10 11 12 13 14 15