Code Sanitizer

A code sanitizer is a programming tool that detects bugs in the form of undefined or suspicious behavior by having the compiler insert instrumentation code that checks for them at runtime. The class of tools was first introduced by Google's AddressSanitizer (or ASan) of 2012, which uses directly mapped shadow memory to detect memory corruption such as buffer overflows or accesses to a dangling pointer (use-after-free).


AddressSanitizer

Google's ASan, introduced in 2012, uses a shadow memory scheme to detect memory bugs. It is available in:
* Clang (starting from version 3.1)
* GCC (starting from version 4.8)
* Xcode (starting from version 7.0)
* MSVC (widely available starting from version 16.9)

On average, the instrumentation increases processing time by about 73% and memory usage by 240%. There is a hardware-accelerated ASan called HWAsan available for AArch64 and (in a limited fashion) x86_64. AddressSanitizer does not detect uninitialized memory reads at all (MemorySanitizer does), and detects only some use-after-return bugs. It also cannot detect every arbitrary memory corruption bug, nor every arbitrary write caused by an integer underflow or overflow (when the integer with undefined behavior is used to calculate a memory address offset). Adjacent buffers within structs and classes are not protected from overflow, in part to avoid breaking backwards compatibility.
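The "directly mapped shadow memory" named in the introduction and the "shadow memory scheme" above can be made concrete with a small model. The following C program is an added illustration, not ASan's own code: it keeps one signed shadow byte per 8 bytes of a 512-byte toy heap, lays out allocations between 32-byte redzones, and implements the check that the compiler inserts before every load and store. The shadow-byte values (00, 01..07, fa, fb, fd) are the ones ASan's own reports list in their legend; the mapping offset of 0, the 32-byte redzone and the toy allocator are assumptions made for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Addresses in this model are offsets into a 512-byte toy heap.  ASan's real
 * mapping is Shadow = (Addr >> 3) + Offset with a platform-specific Offset;
 * the model assumes Offset = 0. */
#define APP_SIZE    512
#define SHADOW_SIZE (APP_SIZE / 8)
#define REDZONE     32               /* poisoned padding on each side of a block (assumed) */

static int8_t shadow[SHADOW_SIZE];   /* one signed byte per 8 application bytes */
static size_t heap_top = REDZONE;    /* leave room for the first left redzone */

/* Shadow byte values, as in the legend printed with ASan reports. */
enum { kAddressable = 0x00, kHeapLeftRedzone = 0xfa, kHeapRightRedzone = 0xfb, kFreedHeap = 0xfd };

static int8_t *shadow_of(size_t addr) { return &shadow[addr >> 3]; }

/* Mark every 8-byte granule in [addr, addr+len) with `value`. */
static void poison(size_t addr, size_t len, int value) {
    for (size_t a = addr; a < addr + len; a += 8) *shadow_of(a) = (int8_t)value;
}

/* Make [addr, addr+len) addressable.  A trailing partial granule records how
 * many of its 8 bytes are valid (01..07) instead of 00. */
static void unpoison(size_t addr, size_t len) {
    size_t full = len & ~(size_t)7;
    poison(addr, full, kAddressable);
    if (len & 7) *shadow_of(addr + full) = (int8_t)(len & 7);
}

/* The check instrumented before each load/store of `size` (1..8) bytes.
 * Returns 0 when the access is addressable, otherwise the shadow byte that
 * caught it (0xfa, 0xfb, 0xfd, or 1..7 for a partial granule). */
int check_access(size_t addr, size_t size) {
    int8_t k = *shadow_of(addr);
    if (k == 0) return 0;                       /* fast path: whole granule addressable */
    size_t last = (addr & 7) + size - 1;        /* last byte touched, relative to the granule */
    if (k > 0 && last < (size_t)k) return 0;    /* inside the addressable prefix */
    return (uint8_t)k;                          /* poisoned: report */
}

/* Toy allocator: left redzone | block | right redzone.  Returns (size_t)-1
 * when the toy heap is exhausted. */
size_t toy_malloc(size_t n) {
    size_t padded = (n + 7) & ~(size_t)7;
    size_t addr = heap_top;
    if (addr + padded + REDZONE > APP_SIZE) return (size_t)-1;
    poison(addr - REDZONE, REDZONE, kHeapLeftRedzone);
    unpoison(addr, n);
    poison(addr + padded, REDZONE, kHeapRightRedzone);
    heap_top = addr + padded + REDZONE;
    return addr;
}

/* Freeing poisons the block with 0xfd, so a later access is a use-after-free. */
void toy_free(size_t addr, size_t n) {
    poison(addr, (n + 7) & ~(size_t)7, kFreedHeap);
}

static const char *describe(int v) {
    switch (v) {
    case 0:    return "ok";
    case 0xfa: return "heap-buffer-overflow (left redzone)";
    case 0xfb: return "heap-buffer-overflow (right redzone)";
    case 0xfd: return "heap-use-after-free";
    default:   return "heap-buffer-overflow (partial granule)";
    }
}

int main(void) {
    size_t p = toy_malloc(12);                             /* like new int[3] */
    printf("array[0]     : %s\n", describe(check_access(p, 4)));
    printf("array[2]     : %s\n", describe(check_access(p + 8, 4)));
    printf("bytes 10..13 : %s\n", describe(check_access(p + 10, 4)));
    printf("array[4]     : %s\n", describe(check_access(p + 16, 4)));
    printf("array[-1]    : %s\n", describe(check_access(p - 4, 4)));
    toy_free(p, 12);
    printf("after free   : %s\n", describe(check_access(p, 4)));
    return 0;
}
```

The 12-byte block shows why the legend needs the values 01..07: its second granule is only half valid, so a 4-byte read at byte 8 passes while one at byte 10 is caught even though the block's 8-byte shadow entry is not a redzone. The fast path (shadow byte 0, no further arithmetic) is also why the scheme costs a fraction of the time of a full bounds check on every access rather than a multiple of it.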


KernelAddressSanitizer

The KernelAddressSanitizer (KASan) detects dynamic memory errors in the Linux kernel. Kernel instrumentation requires a dedicated compiler feature, enabled with the -fsanitize=kernel-address command line option, because kernels do not use the same address space as normal programs. KASan is also available for Windows kernel drivers beginning with Windows 11 22H2. As on Linux, compiling a Windows driver with KASan requires passing the /fsanitize=kernel-address command line option to the MSVC compiler.


Other sanitizers

Google also produced LeakSanitizer (LSan, memory leaks), ThreadSanitizer (TSan, data races and deadlocks), MemorySanitizer (MSan, uninitialized memory), and UndefinedBehaviorSanitizer (UBSan, undefined behaviors, with fine-grained control). These tools are generally available in Clang/LLVM and GCC. Similar to KASan, there are kernel-specific versions of LSan, MSan and TSan, as well as original kernel-only sanitizers such as KFENCE and KCSan. Additional sanitizer tools (grouped by compilers under the -fsanitize= flag or a similar one) include:
* LLVM control-flow integrity and its kernel counterpart, which checks virtual tables and type casts for forward-edge CFI
* MemTagSanitizer, an ASan-like tool that uses Armv8.5-A features for very low overhead
* ShadowCallStack, an AArch64 tool that provides shadow stack protection
* Scudo Hardened Allocator, an alternative memory allocator that includes GWP-ASan, a probabilistic ASan analogue with low overhead
* libFuzzer, an LLVM tool that adds code coverage to fuzzing


Usage

A code sanitizer detects suspicious behavior as the program runs. One common way to use a sanitizer is to combine it with fuzzing, which generates inputs likely to trigger bugs.
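The sanitizer-plus-fuzzer combination above looks like the following in practice. This is an added example, not code from the page or from any project: a libFuzzer target (the entry point LLVMFuzzerTestOneInput is libFuzzer's real interface) wrapped around a small parser for a record format constructed for the illustration. Built with ASan, every input the fuzzer generates is checked for out-of-bounds access, so the two bounds checks in parse_record are exactly what the pair would report as missing if either were dropped: a stack-buffer-overflow on `out`, or a heap-buffer-overflow reading past the input, which libFuzzer hands over in a heap buffer of exactly `size` bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record format: one length byte N followed by N payload bytes. */
#define MAX_PAYLOAD 16

/* Returns the number of payload bytes copied into out, or -1 if malformed.
 * The copy is bounded by the destination capacity AND by the bytes actually
 * received; each check guards against a different sanitizer finding. */
int parse_record(const uint8_t *data, size_t size, uint8_t out[MAX_PAYLOAD]) {
    if (size < 1) return -1;
    size_t n = data[0];
    if (n > MAX_PAYLOAD) return -1;       /* would overflow the stack buffer `out` */
    if (size < 1 + n) return -1;          /* would read past the input buffer */
    memcpy(out, data + 1, n);
    return (int)n;
}

/* Entry point libFuzzer calls once per generated input.  Build and run with
 *   clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness
 *   ./harness seed_corpus/
 * libFuzzer supplies main(); ASan reports any invalid access it provokes. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t out[MAX_PAYLOAD];
    parse_record(data, size, out);
    return 0;                             /* other return values are reserved by libFuzzer */
}

/* Optional stand-alone driver (clang -DSTANDALONE harness.c) that replays a
 * few constructed inputs, standing in for a seed corpus. */
#ifdef STANDALONE
#include <stdio.h>
int main(void) {
    static const uint8_t seeds[][4] = { {3, 'a', 'b', 'c'}, {5, 'x', 0, 0}, {0, 0, 0, 0} };
    for (size_t i = 0; i < sizeof seeds / sizeof seeds[0]; i++) {
        uint8_t out[MAX_PAYLOAD];
        printf("seed %zu -> %d\n", i, parse_record(seeds[i], sizeof seeds[i], out));
    }
    return 0;
}
#endif
```

Note that the harness itself never checks a result: its only job is to route fuzzer-generated bytes into the code under test, and the sanitizer, not the harness, decides whether an input was a bug.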


Users

Chromium and Firefox developers are active users of AddressSanitizer; the tool has found hundreds of bugs in these web browsers. A number of bugs were found in FFmpeg and FreeType. The Linux kernel has enabled the AddressSanitizer for the x86-64 architecture as of Linux version 4.0.


Examples


ASan: Heap-use-after-free

// To compile: g++ -O -g -fsanitize=address heap-use-after-free.cc
// Function body reconstructed from the report below (this copy of the page had
// lost the braces and statements): 100 ints (400 bytes) are allocated, freed,
// and then read at array[argc].
int main(int argc, char **argv) {
  int *array = new int[100];
  delete [] array;
  return array[argc];  // BOOM
}

$ ./a.out
==5587==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400000fe44 at pc 0x47b55f bp 0x7ffc36b28200 sp 0x7ffc36b281f8
READ of size 4 at 0x61400000fe44 thread T0
    #0 0x47b55e in main /home/test/example_UseAfterFree.cc:5
    #1 0x7f15cfe71b14 in __libc_start_main (/lib64/libc.so.6+0x21b14)
    #2 0x47b44c in _start (/root/a.out+0x47b44c)
0x61400000fe44 is located 4 bytes inside of 400-byte region [0x61400000fe40,0x61400000ffd0)
freed by thread T0 here:
    #0 0x465da9 in operator delete[](void*) (/root/a.out+0x465da9)
    #1 0x47b529 in main /home/test/example_UseAfterFree.cc:4
previously allocated by thread T0 here:
    #0 0x465aa9 in operator new[](unsigned long) (/root/a.out+0x465aa9)
    #1 0x47b51e in main /home/test/example_UseAfterFree.cc:3
SUMMARY: AddressSanitizer: heap-use-after-free /home/test/example_UseAfterFree.cc:5 main
Shadow bytes around the buggy address:
  ..
  0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c287fff9fc0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c287fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  ..
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==5587==ABORTING


ASan: Heap-buffer-overflow

// RUN: clang++ -O -g -fsanitize=address heap-buf-of.cc && ./a.out
// Function body reconstructed from the report below (this copy of the page had
// lost the braces and statements): a 400-byte array is read one element past
// its end, at array[argc + 100].
int main(int argc, char **argv) {
  int *array = new int[100];
  array[0] = 0;
  int res = array[argc + 100];  // BOOM
  delete [] array;
  return res;
}

==25372==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffd4 at pc 0x0000004ddb59 bp 0x7fffea6005a0 sp 0x7fffea600598
READ of size 4 at 0x61400000ffd4 thread T0
    #0 0x46bfee in main /tmp/main.cpp:4:13
0x61400000ffd4 is located 4 bytes to the right of 400-byte region [0x61400000fe40,0x61400000ffd0)
allocated by thread T0 here:
    #0 0x4536e1 in operator delete[](void*)
    #1 0x46bfb9 in main /tmp/main.cpp:2:16


ASan: Stack-buffer-overflow

// RUN: clang -O -g -fsanitize=address stack-buf-of.cc && ./a.out
// Function body reconstructed from the report below (this copy of the page had
// lost the braces and statements): a 400-byte stack array is read at index
// argc + 100, which is offset 436 in a frame where the array spans [32, 432).
int main(int argc, char **argv) {
  int stack_array[100];
  stack_array[1] = 0;
  return stack_array[argc + 100];  // BOOM
}

==7405==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff64740634 at pc 0x46c103 bp 0x7fff64740470 sp 0x7fff64740468
READ of size 4 at 0x7fff64740634 thread T0
    #0 0x46c102 in main /tmp/example_StackOutOfBounds.cc:5
Address 0x7fff64740634 is located in stack of thread T0 at offset 436 in frame
    #0 0x46bfaf in main /tmp/example_StackOutOfBounds.cc:2
  This frame has 1 object(s):
    [32, 432) 'stack_array' <== Memory access at offset 436 overflows this variable


ASan: Global-buffer-overflow

// RUN: clang -O -g -fsanitize=address global-buf-of.cc && ./a.out
// Initializer and function body reconstructed from the report below (this copy
// of the page had lost the braces): a 400-byte global array is read at index
// argc + 100, four bytes past its end.
int global_array[100] = {-1};
int main(int argc, char **argv) {
  return global_array[argc + 100];  // BOOM
}

==7455==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000689b54 at pc 0x46bfd8 bp 0x7fff515e5ba0 sp 0x7fff515e5b98
READ of size 4 at 0x000000689b54 thread T0
    #0 0x46bfd7 in main /tmp/example_GlobalOutOfBounds.cc:4
0x000000689b54 is located 4 bytes to the right of global variable 'global_array' from 'example_GlobalOutOfBounds.cc' (0x6899c0) of size 400


UBSan: nullptr-dereference

// RUN: g++ -O -g -fsanitize=null null-dereference.c && ./a.out
// Function body reconstructed from the report below (this copy of the page had
// lost the braces and statements): a const char is loaded through a null pointer.
int main(int argc, char **argv) {
  const char *ptr = nullptr;
  return *ptr;  // BOOM
}

null-dereference.c:4:10: runtime error: load of null pointer of type 'const char'
Segmentation fault (core dumped)

UBSan reports the error and, by default, lets execution continue, so the actual load through the null pointer then crashes the process; this is why the report is followed by a segmentation fault.


See also

* Intel MPX
* The Application Verifier (AppVerif.exe) in the Microsoft Windows SDK
* Valgrind, a memory debugging tool



External links


* AddressSanitizer Google Group (no mailing list)
* AddressSanitizer project page

