This repository implements a mechanism to perform bpf program verification in user space. It further utilizes llvm sanitizer and fuzzer framework to extend error detection coverage.
The motivation of this project is to test verifier in userspace so that we can take advantage of llvm's sanitizer and fuzzer framework. One bug has been discovered because of this effort: http://permalink.gmane.org/gmane.linux.network/376864
- bld
- config
- src
- helper
- test
- linux-samples-bpf
- fuzzerThe bld directory is used to build and run test programs. The config directory holds the recommended linux config file The src/helper contains helper files for kernel and user hooks. The src/test/linux-samples-bpf contains related test verifier files from linux/samples/bpf/ and src/test/fuzzer contains a hook with llvm fuzzer framework.
A linux source tree is needed. The source tree is used to pre-process kernel files.
Note that kernel headers will need to be generated at default
git clone git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
# change defconfig and apply necessary patch as decribed below
cd net-next
make defconfig
make headers_installFor above linux tree, apply the following patch so that llvm can cope with linux inline assembly:
yhs@ubuntu:~/work/fuzzer/net-next$ git diff
diff --git a/Makefile b/Makefile
index c361593..cacbe0f 100644
--- a/Makefile
+++ b/Makefile
@@ -686,6 +686,8 @@ KBUILD_CFLAGS += $(call cc-disable-warning, tautological-compare)
# See modpost pattern 2
KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
+# no integrated assembler so not checking inlining assembly format
+KBUILD_CFLAGS += $(call cc-option, -no-integrated-as)
else
# This warning generated too much noise in a regular build.
yhs@ubuntu:~/work/fuzzer/net-next$ A llvm/clang compiler with compiler-rt is needed. The compiler-rt is necessary for llvm sanitizer support.
sudo apt-get -y install bison build-essential cmake flex git libedit-dev python zlib1g-dev
git clone http://llvm.org/git/llvm.git
cd llvm/tools; git clone http://llvm.org/git/clang.git
cd ../projects; git clone http://llvm.org/git/compiler-rt.git
cd ..; mkdir -p build/install; cd build
cmake -G "Unix Makefiles" -DLLVM_TARGETS_TO_BUILD="BPF;X86" -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=$PWD/install ..
make -j4
make install
export PATH=$PWD/install/bin:$PATHexport KERNEL_TREE_ROOT=<kernel_tree_root>
cd bld
make setup
make allThe "setup" target creates common symbolic links and download and build llvm fuzzer. It only needs to run once.
The "all" target builds two binaries, test_verifier and test_fuzzer.
test_verifier is essentially linux/samples/bpf/test_verifier.c with
slight modification to adapt to the new test framework, with
sanitizer support. test_fuzzer uses llvm fuzzer framework
for testing.
test_verifier can also generate initial test cases for test_fuzzer.
These test cases will make fuzzer more effective in generating relevent
new test cases.
# generate initial test cases for fuzzer, put them into ./corpus directory
./test_verifier -g ./corpus
./test_fuzzer -max_len=1024 ./corpusTo report memory leaks, the test_fuzzer needs to terminate normally.
This can be done by limiting the number of runs, e.g.,
./test_fuzzer -max_len=1024 -runs=1000000 ./corpusThe following command can be used to find the number of coverages:
# the actual number of coverages should be the number of lines minus one
# to account for function declaration.
objdump -D test_fuzzer | grep '<__sanitizer_cov>' | wcWith this information, you can compare to test_fuzzer output to
see what is the coverage. For example, if the total number of
edge coverages is 1106, and you have the following from test_fuzzer
output:
......
#3466257868 NEW cov: 884 bits: 3749 units: 936 exec/s: 38408 L: 47
#3486994800 NEW cov: 884 bits: 3750 units: 937 exec/s: 38396 L: 64
#3491234878 NEW cov: 886 bits: 3752 units: 938 exec/s: 38394 L: 58
#3495108828 NEW cov: 886 bits: 3754 units: 939 exec/s: 38391 L: 58You will know 886 out of 1106 edges are covered so far.