Name: Mohit Bhakkad
Project title: Archive built with asan
Background: I am a 21 year old computer science student from Pune, India. I have been programming for the past four years, and am well versed in C/C++, shell scripting and some other high level languages like Python, Java etc. I have used ASan, and I have been contributing to compiler-rt, which included the MIPS port for MSan, DFSan and TSan. Before that I worked on improving the efficiency of the twitter-storm project, and some database related projects which included REST APIs and NoSQL databases. These projects can be found here.
- I have contributed to sanitizers, so I am passionate about using them to improve the security of our operating system.
Synopsis: The goal of this project is to rebuild the entire Debian repository with ASan.
- ASan is one of the sanitizers provided by the compiler-rt project. It's a fast memory error detector, which can detect various bugs like:
- Out-of-bounds accesses to heap, stack and globals
- Use-after-return (to some extent)
- Double-free, invalid free
- Memory leaks (experimental)
- This project is the next step of scan-build on the Debian archive and Debian built with clang. Now this project will use the asan flag while compiling each package.
I have tried to address all 3 requirements for this project, and documented these in a GitHub repository:
#1. A proof of concept of Debian packages being built with ASAN enabled:
I have used the script given at the end of the clang.debian.net page to configure a chroot environment with clang replacing gcc.
- For the PoC I have inserted some buggy code in the "hello world" package, and built it by appending "-fsanitize=asan" in dpkg-buildflags. The generated binaries give the expected Address Sanitizer error.
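Each ASan report ends with a SUMMARY line naming the error, which is enough to bucket failures by package into the bug classes listed in the synopsis. The following is an added example, not code from this proposal or from debile; the package names and log excerpts are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Error names ASan prints after "AddressSanitizer:", mapped to the bug
# classes listed in the synopsis; any other name is kept under "other".
CLASSES = {
    "heap-buffer-overflow": "out-of-bounds (heap)",
    "stack-buffer-overflow": "out-of-bounds (stack)",
    "global-buffer-overflow": "out-of-bounds (global)",
    "stack-use-after-return": "use-after-return",
    "double-free": "double-free",
    "bad-free": "invalid free",
}
# Every report ends with one SUMMARY line, so counting those counts reports.
SUMMARY = re.compile(r"SUMMARY: AddressSanitizer: (\S+)(?: (.*))?$")

def classify(line):
    """Return (bug class, location) for a SUMMARY line, or None."""
    m = SUMMARY.search(line)
    if not m:
        return None
    kind, rest = m.group(1), m.group(2) or ""
    if kind.isdigit() and "leaked" in rest:   # "48 byte(s) leaked in ..."
        return ("memory leak", "")
    return (CLASSES.get(kind, "other: " + kind), rest)

def triage(logs):
    """Map {package: log text} to {package: Counter of bug classes}."""
    report = {}
    for package, text in logs.items():
        hits = Counter(c[0] for c in map(classify, text.splitlines()) if c)
        if hits:
            report[package] = hits
    return report

# Constructed log excerpts for made-up packages, in ASan's report layout.
SAMPLE_LOGS = {
    "hello": "==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018\n"
             "    #0 0x4f1a2a in main /build/hello/src/hello.c:42:5\n"
             "SUMMARY: AddressSanitizer: heap-buffer-overflow /build/hello/src/hello.c:42:5 in main\n",
    "libfoo": "==77==ERROR: AddressSanitizer: attempting double-free on 0x602000000010 in thread T0:\n"
              "SUMMARY: AddressSanitizer: double-free (/usr/bin/foo-test+0x4a1b2c) in free\n"
              "==78==ERROR: LeakSanitizer: detected memory leaks\n"
              "SUMMARY: AddressSanitizer: 48 byte(s) leaked in 1 allocation(s).\n",
    "clean-pkg": "make check: all 12 tests passed\n",
}

if __name__ == "__main__":
    for package, hits in sorted(triage(SAMPLE_LOGS).items()):
        print(package, dict(hits))
```

Error names outside the synopsis list, such as heap-use-after-free, are reported under "other" rather than dropped.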
#2. Debile installation:
With some help on IRC, I am able to install debile: (Proof as required)
- Now I will start to experiment with Debile to learn its functionality, and to see how we can use it to build the whole Debian archive.
- Mar 16 - Mar 27 : Application Period
- Mar 27 - Apr 27 : Applications evaluation period
- This time can be utilized to get familiar with the project:
- To communicate with mentor to clear any doubts regarding the project.
- To perform pre-coding tasks given by mentor.
- To play with debile and understand its functions.
- To try to use asan while building packages and submit found bugs.
- Apr 27 - May 25 : Community bonding
- To continue communicating with mentor.
- To know more about Debian Community and its processes.
- Continue submitting bugs, and their solutions if resolved.
- May 25 - Aug 17:
- May 25 - June 25:
- To discuss and decide on the way to build every Debian package using ASan.
- To start building the Debian repository with ASan, to categorize errors, and create a list of errors.
- Bug submission for above packages.
- Try to resolve issues which are trivial.
- Documentation of the work till this date.
- June 26 - July 3:
- Mid-term Evaluation.
- July 4 - Aug 17:
- Finding solutions for failing packages.
- Patch submission and communication with upstream projects to resolve issues.
- Try to reduce number of failing packages to zero.
- Finishing Documentation.
- Aug 17 - Aug 21:
- Final testing, results and conclusions.
- Aug 21 - Aug 28:
- Final evaluation.
- Submission of work done.
Benefits to Debian: This project will filter the entire Debian repo with Address Sanitizer, making Debian secure from various memory related bugs, which is a sure benefit.
Deliverables: A repository of Debian packages built with ASan.
Exams and other commitments: No exams.
Other summer plans: No other plans.
Why Debian?: Debian is my daily OS, as it is for many others in the world, so improving its security is like improving our own security.
Are you applying for other projects in SoC? Yes, I am applying to another Debian project "Bootable Clang-Built Debian".