Name: Sergey Davidoff
Background: I'm a fourth-year IT student. I've been responsible for packaging, software integration, ISO building and development tools in the elementary project for over two years throughout the Luna cycle. I also have some background in IT security; I have discovered and reported CVE-2014-8154 and two other memory (mis)management vulnerabilities which are not yet publicly disclosed.
Project title: Debian archive built with Address Sanitizer
Project details: Address Sanitizer (ASan), developed in the Clang/LLVM project and also available in GCC, is a fast memory error detector. It consists of a compiler instrumentation module and a run-time library: code built with GCC or Clang using -fsanitize=address is instrumented at compile time and linked against the ASan run-time, which then detects common memory errors such as heap, stack and global buffer overflows, use-after-free and double free at run time. The first step of this project would be to propose a way to build every Debian package using ASan. The method must scale to the whole Debian archive (i.e. most packages should build out of the box with ASan). Then I will implement building packages with Address Sanitizer in debile, Debian's generic rebuild platform, and start building the Debian archive with Address Sanitizer, watching out for failed builds and fixing them. I'll also look into automatically harvesting reports of crashes triggered by Address Sanitizer from users' systems to facilitate crowdsourced testing of address-sanitized binaries, if time permits.
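As an added illustration of the two technical pieces above (injecting the sanitizer flags into a package build, and making sense of the reports the instrumented binaries produce), the following script is example code written for this page; it is not code from the proposal, from debile or from Debian. It assumes the package's debian/rules takes its compiler flags from dpkg-buildflags, which honours the DEB_*_APPEND variables from the environment, and the ASan report it parses is a constructed sample in the format ASan prints, not a real crash.

```shell
#!/bin/sh
# Added example, not code from the proposal, debile or Debian.
# Assumption: the package's debian/rules obtains its flags from
# dpkg-buildflags (dh and dpkg's buildflags.mk do), so a rebuild job can
# inject the sanitizer flags from the environment without patching the package.

ASAN_CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
ASAN_LDFLAGS="-fsanitize=address"

# Build the unpacked source tree in the current directory with ASan.
# -fsanitize=address must reach the linker too, or the run-time is not linked in.
asan_buildpackage() {
    DEB_CFLAGS_APPEND="$ASAN_CFLAGS" \
    DEB_CXXFLAGS_APPEND="$ASAN_CFLAGS" \
    DEB_LDFLAGS_APPEND="$ASAN_LDFLAGS" \
        dpkg-buildpackage -us -uc -b
}

# Packages whose build system bypasses dpkg-buildflags build fine but come out
# uninstrumented. Read a build log on stdin and succeed only if some compiler
# invocation actually carried the flag.
asan_flags_used() {
    grep -q -e '-fsanitize=address'
}

# Summarise an ASan report read from stdin as "kind|access|top frame", the
# minimum needed to group crash reports harvested from test suites or users.
asan_report_summary() {
    awk '
        /==ERROR: AddressSanitizer:/ {
            kind = $0
            sub(/.*AddressSanitizer: /, "", kind)   # drop the "==PID==ERROR:" prefix
            sub(/ on .*/, "", kind)                  # keep e.g. heap-buffer-overflow
        }
        /^(READ|WRITE) of size/ && !access { access = $1 " " $4 }
        /^ +#0 / && !frame { frame = $NF }           # first frame of the access stack
        END { if (kind != "") print kind "|" access "|" frame }
    '
}

# Constructed sample in the format ASan prints (not a real crash).
sample_report() {
    cat <<'EOF'
=================================================================
==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x00000040094c bp 0x7ffd3c7e5f40 sp 0x7ffd3c7e5f38
WRITE of size 1 at 0x602000000014 thread T0
    #0 0x40094b in main /tmp/t.c:5
    #1 0x7f1a1b4a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #2 0x400839 in _start (/tmp/t+0x400839)
EOF
}

# Stand-alone demonstration on the constructed sample.
sample_report | asan_report_summary
```

Two practical points the script encodes: checking the build log for the flag is what separates "built with ASan" from "built, but uninstrumented", which is the silent failure mode of a mass rebuild; and with GCC the ASan run-time is a shared library (libasan), so sanitized binaries need it installed on the system that runs them. For harvesting reports from users' systems, the ASan run-time writes its report to a file instead of stderr when started with ASAN_OPTIONS=log_path=/some/prefix, which gives a collector something to pick up.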
Synopsis: Develop infrastructure for automated building of Debian packages with Address Sanitizer, the fast memory error detector, and ensure that all packages where Address Sanitizer is applicable build successfully with this infrastructure.
Benefits to Debian: Having an official Debian archive with Address Sanitizer will help turn up a multitude of previously undetected memory errors, including security vulnerabilities.
Deliverables: Code for automated rebuilding of Debian packages with Address Sanitizer via the Debile infrastructure. I'll also produce binary builds of Debian packages using this infrastructure, covering as many packages as available computational resources permit.
- 19 April - 24 May: Community bonding. Familiarize myself with Debile.
- 25 May - 7 June: Initial implementation of ASan build mode in Debile; some packages buildable with Address Sanitizer.
- 8 June - 25 June: More robust implementation of ASan build mode in Debile; start building Debian packages with it en masse to identify remaining failure points.
- 26 June - 26 July: Fix causes of the remaining build failures; these may range from Debile itself to build system quirks, specific packaging bugs, etc. Look into enabling Undefined Behavior Sanitizer as well.
- 26 July - 17 August: Commence mass rebuild of the Debian archive with Address Sanitizer, work on the remaining rare or resilient build failures it reveals. Look into allocating a separate architecture "sanitized-amd64". Look into automated submission of ASan crash reports from users' systems through Apport or Debian BTS tools.
Exams and other commitments: I'm in the final year of my bachelor course, so I'll have finals sometime in May (should take 2-3 days total). I'll be presenting my graduation thesis at the end of June or beginning of July, which also shouldn't require more than a few days' time.
Other summer plans: I'll probably be unavailable from the 1st to the 9th of May (Russian national holidays). I will make up for the community bonding time I miss by starting earlier, because this is the only SoC project I'm applying for. Depending on the completeness of the SoC project I might undertake unrelated volunteer work in August.
Why Debian?: I've been experimenting with building packages under Address Sanitizer in elementary and I'm really glad to work on this project upstream instead, with a point of contact and 20,000 packages to experiment on. It's also nice to work on such a project in a distribution that takes QA seriously. It's a great opportunity to run Address Sanitizer on a wide variety of software, which was my goal from the beginning but which I couldn't really pursue in elementary.
I am not applying for any other projects this year.