tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[gsoc] syscall/libc fuzzer proposal


My proposal is to write syscall/libc fuzzer, i've written down my thoughts,
please let me know what you think about it. I would appreciate your feedback.
I'm open for any ideas or comments.

1. What is fuzzing?

Fuzz testing is a software testing technique that provides random/invalid data
to the program and then checks if the program failed or something unexpected

More basic information and some historical background about it can be found on
Barton Miller's site. [1]

2. What are the benefits of my project for NetBSD and community?

There are still some bugs in kernels which can be discovered by simple fuzzers.
[2] (As a simple fuzzer I understand here a fuzzer which pass totally random
data into random syscall). I would like to help in making the project more
solid,stable and secure, one of  my goals is also to provide a tool for further
testing. Auditing code by reading it is good, but can simple omit some errors
which can be uncovered during fuzz testing. That's why it's good to have one in
own toolbox.

3. My proposal more detailed:

My idea is to write modern fuzzing tools directed on NetBSD which will be
dedicated to test syscall/libc functions. Probably I will try to make it more
elastic, in order to make it possible to test other libraries too.

There are many techniques which I want to use: CFG fuzzing, evolutionary
fuzzing [3], respecting types passed to functions etc. Today, fuzzing offers
much more than blind seabattle game playing, since NetBSD is an open source

I shouldn't limit myself only to black-box testing.

As a part of my work I would like to write a translator for C language and a
small library. Their goal would be to detect integer overflows, stack overflows,
problems with static array indexing, etc (when such occur during the program
execution). It will enable me to uncover more bugs in the software.


 int foo() { char d[10]; int i; i = 5; return d[i] }

 will be translate into:

 int foo() { char d[10]; int i; int _x; i = 5; _x = i; if ( _x < 0 ||
_x > 9 ) ERROR();
  return d[_x]; }

...your ideas?

4. What are my main goals?

* write syscall/libc fuzzer
* develop additional tools to fuzzer environment
* cover as much project code as possible during testing
* create tool which will be useful for future stress tests


Mateusz Kocielski

Home | Main Index | Thread Index | Old Index