Crate libafl_asan


§asan

asan is a library intended to be used by a guest running in QEMU to support address sanitizer.

It has a modular design intended to support different use cases and environments. The following initial variants are proposed:

  • libafl_qemu_asan_host - Intended as a drop-in replacement for the original libqasan, this will have a dependency on libc and will interact with QEMU using the bespoke syscall interface to perform memory tracking and shadowing.
  • libafl_qemu_asan_guest - This is similar to libafl_qemu_asan_host, but rather than having QEMU perform the management of the shadow memory and memory tracking, this work will be carried out purely in the guest (and hence should be more performant).
  • libafl_qemu_asan_nolibc - This variant is intended to have no dependencies on libc, nor any other libraries. It is intended to be used in bare-metal targets or targets which have statically linked libc.

The following ancillary crates are provided:

  • libafl_asan_libc - A dummy libc library used during linking which provides only the symbols dlsym and dlerror. This is intended to ensure that libafl_qemu_asan_guest and libafl_qemu_asan_host do not have any direct dependency on libc, and hence avoids the possibility of accidental re-entrancy (e.g. where we have hooked a function such as malloc and, while handling the call, inadvertently call malloc or another of our hooked functions ourselves).
  • libafl_asan_fuzz - A few different fuzzing harnesses used to test libafl_asan.
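The re-entrancy hazard described for libafl_asan_libc, shown as an added example that is not code from libafl_asan: a simulated malloc hook whose handler calls a helper that allocates, so the call lands back in the hook. The guard flag, `HookResult` and the function names are hypothetical; the crate itself avoids the problem at link time rather than with a runtime guard.

```rust
use std::cell::Cell;

thread_local! {
    // True while this thread is executing one of our hook handlers.
    static IN_HOOK: Cell<bool> = Cell::new(false);
}

/// Outcome of a hooked call (hypothetical type, constructed for this example).
#[derive(Debug, PartialEq)]
pub enum HookResult {
    Tracked(usize),   // handled normally; allocation size recorded
    Reentrant(usize), // hook entered again from inside a handler
}

/// Run `handler` under the guard; a nested entry is reported instead of handled.
fn guarded(size: usize, handler: impl FnOnce() -> usize) -> HookResult {
    if IN_HOOK.with(|f| f.replace(true)) {
        return HookResult::Reentrant(size); // outer handler still owns the flag
    }
    let tracked = handler();
    IN_HOOK.with(|f| f.set(false));
    HookResult::Tracked(tracked)
}

/// malloc hook whose handler has no outside dependencies.
pub fn hooked_malloc(size: usize) -> HookResult {
    guarded(size, || size)
}

/// malloc hook whose handler uses a helper that itself allocates, standing in
/// for a libc routine that calls malloc internally.
pub fn hooked_malloc_via_libc(size: usize) -> (HookResult, HookResult) {
    let mut inner = HookResult::Tracked(0);
    let outer = guarded(size, || {
        inner = hooked_malloc(64); // lands back in our own hook
        size
    });
    (outer, inner)
}

fn main() {
    println!("{:?}", hooked_malloc(16));
    println!("{:?}", hooked_malloc_via_libc(32));
}
```

Without the guard the nested call would be tracked as if the target had made it, or recurse; removing the libc dependency at link time means the nested call cannot occur in the first place.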

The componentized nature of the design is intended to permit the user to adapt asan to their needs with minimal modification by selecting and combining alternative implementations of the various key components.

§Features

  • dlmalloc (enabled by default) — Enable support for the dlmalloc allocator backend
  • document-features (enabled by default) — Enable documentation of features
  • global_allocator (enabled by default) — Configure a global allocator (using dlmalloc or mimalloc as configured)
  • guest (enabled by default) — Enable support for shadow memory and tracking in the guest
  • hooks (enabled by default) — Enable support for hooking functions in the guest
  • host (enabled by default) — Enable support for shadow memory and tracking in the host
  • initialize — Initialize all allocations with 0xff
  • libc (enabled by default) — Enable use of the libc library to support creation of mappings, read/write, logging etc (more OS agnostic)
  • syscalls (enabled by default) — Enable the use of direct syscalls (supported by rustix) to interact with the operating system (Unix specific).
  • mimalloc (enabled by default) — Enable the baby_mimalloc allocator
  • test (enabled by default) — Disable the magic used to support no_std environments for running unit and integration tests (we only run our tests on Linux right now).
  • tracking (enabled by default) — Enable support for memory tracking

Re-exports§

pub use test::*;

Modules§

  • allocator - allocator
  • env
  • exit - die
  • file
  • hooks - hooks
  • host - host
  • logger - logger
  • maps
  • mmap - mmap
  • patch - patch
  • shadow - shadow
  • symbols - symbols
  • test
  • tracking - tracking

Type Aliases§

GuestAddr
off_t
size_t
ssize_t
wchar_t