tech-kern archive


[gsoc] syscall/libc fuzzer proposal



Hi,

My proposal is to write a syscall/libc fuzzer. I've written down my thoughts;
please let me know what you think about it. I would appreciate your feedback.
I'm open to any ideas or comments.

1. What is fuzzing?

Fuzz testing is a software testing technique that provides random/invalid data
to a program and then checks whether the program failed or something unexpected
happened.

More basic information and some historical background about it can be found on
Barton Miller's site. [1]

2. What are the benefits of my project for NetBSD and community?

There are still some bugs in kernels which can be discovered by simple fuzzers
[2] (by a simple fuzzer I mean here a fuzzer which passes totally random data
into random syscalls). I would like to help in making the project more solid,
stable and secure; one of my goals is also to provide a tool for further
testing. Auditing code by reading it is good, but can simply miss some errors
which can be uncovered during fuzz testing. That's why it's good to have one in
one's own toolbox.

3. My proposal more detailed:

My idea is to write modern fuzzing tools directed at NetBSD which will be
dedicated to testing syscall/libc functions. Probably I will try to make it more
flexible, in order to make it possible to test other libraries too.

There are many techniques which I want to use: CFG fuzzing, evolutionary
fuzzing [3], respecting the types passed to functions, etc. Today, fuzzing
offers much more than a blind game of Battleships; since NetBSD is an open
source project, I shouldn't limit myself only to black-box testing.
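An added example (not part of this message and not code from any NetBSD tool) of the "respecting types" idea above: a small deterministic harness in C that fuzzes a length-prefix parser by generating boundary values for its u16 length field rather than uniformly random bytes, and checks one invariant on every result. parse_naive, parse_fixed, pick_u16_len and fuzz_length_parser are constructed names; the off-by-two in parse_naive is planted for illustration, not a bug from any real project.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Function under test: parses a 2-byte big-endian length prefix and
 * returns the payload length, or -1 if the message is malformed. */
typedef int (*parse_fn)(const uint8_t *buf, size_t n);

/* Constructed buggy version: compares the length against the whole
 * buffer instead of the payload that follows the 2 header bytes. */
int parse_naive(const uint8_t *buf, size_t n) {
    if (n < 2) return -1;
    unsigned len = ((unsigned)buf[0] << 8) | buf[1];
    if (len > n) return -1;
    return (int)len;
}

/* Corrected version: the payload can hold at most n - 2 bytes. */
int parse_fixed(const uint8_t *buf, size_t n) {
    if (n < 2) return -1;
    unsigned len = ((unsigned)buf[0] << 8) | buf[1];
    if (len > n - 2) return -1;
    return (int)len;
}

/* Tiny deterministic PRNG so a run can be reproduced from its seed. */
static uint32_t rng_state;
static uint32_t rng_next(void) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state;
}

/* Type-aware generator for the u16 length field: instead of random bytes
 * it cycles through the values a reviewer would probe by hand (0, 1,
 * exactly the payload size, one past it, the buffer size, the field
 * maximum) plus one random draw. */
static unsigned pick_u16_len(size_t n, int strategy) {
    switch (strategy % 8) {
    case 0: return 0;
    case 1: return 1;
    case 2: return (unsigned)(n - 2);          /* fills payload exactly */
    case 3: return (unsigned)(n - 1);          /* one past payload end */
    case 4: return (unsigned)n;                /* whole buffer incl. header */
    case 5: return (unsigned)(n + 1) & 0xFFFFu;
    case 6: return 0xFFFFu;                    /* field maximum */
    default: return rng_next() & 0xFFFFu;
    }
}

/* Runs the parser on generated inputs and counts invariant violations:
 * a successful parse must never claim more payload than the buffer holds. */
int fuzz_length_parser(parse_fn fn, uint32_t seed, int iterations) {
    uint8_t buf[64];
    int violations = 0;
    rng_state = seed;
    for (int it = 0; it < iterations; it++) {
        size_t n = 2 + rng_next() % (sizeof buf - 2);   /* 2..63 bytes */
        unsigned len = pick_u16_len(n, it);
        buf[0] = (uint8_t)(len >> 8);
        buf[1] = (uint8_t)(len & 0xFFu);
        for (size_t i = 2; i < n; i++)
            buf[i] = (uint8_t)rng_next();                /* random payload */
        int r = fn(buf, n);
        if (r >= 0 && (size_t)r > n - 2)
            violations++;
    }
    return violations;
}

int main(void) {
    printf("naive: %d violations\n", fuzz_length_parser(parse_naive, 1, 200));
    printf("fixed: %d violations\n", fuzz_length_parser(parse_fixed, 1, 200));
    return 0;
}
```

The point of the boundary strategies is that a purely random u16 hits the two offending values (n - 1 and n) with probability 2/65536 per try, whereas a generator that knows the field is a length finds them on its first pass through the strategies.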

As part of my work I would like to write a translator for the C language and a
small library. Their goal would be to detect integer overflows, stack overflows,
problems with static array indexing, etc. (when such occur during program
execution). It will enable me to uncover more bugs in the software.


 (E.g.

 int foo() { char d[10]; int i; i = 5; return d[i]; }

 will be translated into:

 int foo() { char d[10]; int i; int _x; i = 5; _x = i;
             if (_x < 0 || _x > 9) ERROR();
             return d[_x]; }
 )
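An added example, not code from this proposal, of what the "small library" paired with such a translator could look like: the inserted checks report and count a violation instead of aborting, so a fuzzing run can continue, and the foo() from the message is shown as the translator would emit it, with the bounds check plus a signed-addition overflow check of the same shape. rt_check_index, rt_checked_add, foo_instrumented and sum_instrumented are assumed names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The translator's ERROR() would abort or log; here a violation is
 * reported once and counted so a run can keep going and the count can
 * be inspected afterwards. */
static int rt_errors = 0;

void rt_reset(void) { rt_errors = 0; }
int rt_error_count(void) { return rt_errors; }

static void rt_report(const char *what, const char *file, int line) {
    rt_errors++;
    fprintf(stderr, "%s:%d: runtime check failed: %s\n", file, line, what);
}

/* Check inserted before every static-array subscript d[i] with nelem
 * elements: reports an out-of-range index and clamps it so the access
 * that follows stays inside the array. */
static long rt_check_index(long idx, size_t nelem, const char *file, int line) {
    if (idx < 0 || (size_t)idx >= nelem) {
        rt_report("array index out of bounds", file, line);
        return 0;
    }
    return idx;
}
#define CHECKED_INDEX(idx, nelem) rt_check_index((idx), (nelem), __FILE__, __LINE__)

/* Check inserted around a signed addition a + b: the test is done in
 * plain C before the add, because signed overflow itself is undefined
 * behaviour and cannot be detected after the fact. */
static int rt_checked_add(int a, int b, const char *file, int line) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        rt_report("signed integer overflow", file, line);
        return b > 0 ? INT_MAX : INT_MIN;   /* saturate after reporting */
    }
    return a + b;
}
#define CHECKED_ADD(a, b) rt_checked_add((a), (b), __FILE__, __LINE__)

/* The foo() from the message as the translator would emit it, with the
 * index taken as a parameter so the check has something to catch. The
 * array is filled with 'A' only to make the return value deterministic. */
int foo_instrumented(int i) {
    char d[10];
    long _x;
    memset(d, 'A', sizeof d);
    _x = CHECKED_INDEX(i, sizeof d / sizeof d[0]);
    return d[_x];
}

/* A plain a + b as the translator would rewrite it. */
int sum_instrumented(int a, int b) {
    return CHECKED_ADD(a, b);
}

int main(void) {
    rt_reset();
    printf("foo(5)  = %d\n", foo_instrumented(5));          /* in range */
    printf("foo(10) = %d\n", foo_instrumented(10));         /* reported, clamped */
    printf("sum     = %d\n", sum_instrumented(INT_MAX, 1)); /* reported, saturated */
    printf("%d violations\n", rt_error_count());
    return 0;
}
```

Clamping and saturating after the report is a design choice for fuzzing: the first violation is already the finding, and continuing lets one run surface several independent problems instead of stopping at the first.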


...your ideas?

4. What are my main goals?

* write a syscall/libc fuzzer
* develop additional tools for the fuzzer environment
* cover as much project code as possible during testing
* create a tool which will be useful for future stress tests

Links:
[1] http://pages.cs.wisc.edu/~bart/fuzz/Foreword1.html
[2] http://archive.netbsd.se/?ml=dfbsd-kernel&a=2006-09&t=2348821
[3] http://www.vdalabs.com/tools/efs_gpf.html


-- 
Mateusz Kocielski

