rust-secure-code / wg

Coordination repository for the Secure Code Working Group

Improve dynamic analysis tooling #26

Open Shnatsel opened 5 years ago

Shnatsel commented 5 years ago

We already have some excellent tooling for generating test cases for programs to make them blow up:

We also want to add Angora, which has raised the bar on fuzzing, to this collection; see #17.

However, all of this glory is pretty much for naught if we don't have tooling to detect the runtime faults that these tests trigger. The current state is:

Getting Address Sanitizer to work without workarounds (see #20) would already put us in an excellent position. Getting Memory Sanitizer to work would be harder; it is not universally applicable (see #21). Perhaps a more usable Rust-specific alternative could be concocted.

Shnatsel commented 5 years ago

FWIW I've taken a stab at a "universally applicable alternative to Memory Sanitizer" by writing libdiffuzz, but my approach was very simplistic, so the tool is not any better than MSAN; it just has completely different limitations.

A more sophisticated approach that's closer to what MSAN is doing might yield better results. Or perhaps someone could just hammer MSAN into something generally applicable.