CFG improvements #4

Open
DavidKorczynski opened this issue Dec 6, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@DavidKorczynski (Contributor)

Fuzz-introspector relies on extracting control-flow graphs to determine reachability of the code under analysis. In addition to this, fuzz-introspector extracts more data than what is in a pure CFG and we use that data to do fine-grained analysis. However, relying on LTO and using a somewhat homegrown approach to CFG extraction may not be ideal. Other alternatives could be considered:

  • Non LTO-based
  • Extract analysis from runtime to improve CFG extraction. For example, if we run a fuzzer and observe coverage in a function that is not included in the reachability graph, then this should be included.
  • Use other implementations of reachability/callgraph extraction: https://groups.google.com/g/llvm-dev/c/SWIiEBWaJVg/m/Jmf_8jVoAQAJ

The benefit of using our own is that it enables fast development (until technical debt grows too large), and this is of fairly high priority atm.

@DavidKorczynski (Contributor, Author)

An example case in the form of systemd, where some parts of the project force a build with bfd, i.e. it is incompatible with gold and LTO, which means fuzz-introspector won't work: google/oss-fuzz#7573 (comment)

@Navidem (Contributor) commented Oct 4, 2022

One solution to enhance the statically extracted Call Graph, specifically for indirect calls, is using this feature of sancov:

With an additional ...=trace-pc,indirect-calls flag __sanitizer_cov_trace_pc_indirect(void *callee) will be inserted on every indirect call.

What we should do is build the fuzz target with those flags and implement __sanitizer_cov_trace_pc_indirect() to capture the actual callee of the indirect call at run-time. Then, by running the instrumented fuzz target with the available corpus, we can collect the indirect calls' callees.
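A minimal runtime for the approach described above, added here as an example and not code from fuzz-introspector or the commenter: it implements the indirect-call callback, records each (caller, callee) address pair once, and can dump the table for offline symbolization. The table size and function names other than the sancov callbacks are assumptions; the empty `__sanitizer_cov_trace_pc` is needed because the `trace-pc` part of the flag also inserts calls to it.

```c
#include <stdint.h>
#include <stdio.h>

/* Fixed-size edge table (hypothetical size; a real collector would hash or grow). */
#define MAX_EDGES 4096

struct indirect_edge { uintptr_t caller; uintptr_t callee; };
static struct indirect_edge g_edges[MAX_EDGES];
static size_t g_edge_count;

/* Return 1 if the (caller -> callee) pair is already recorded. */
int indirect_edge_seen(uintptr_t caller, uintptr_t callee) {
    for (size_t i = 0; i < g_edge_count; i++)
        if (g_edges[i].caller == caller && g_edges[i].callee == callee) return 1;
    return 0;
}

/* Record a pair once; returns 1 if newly added, 0 if duplicate or table full. */
int record_indirect_edge(uintptr_t caller, uintptr_t callee) {
    if (indirect_edge_seen(caller, callee) || g_edge_count >= MAX_EDGES) return 0;
    g_edges[g_edge_count].caller = caller;
    g_edges[g_edge_count].callee = callee;
    g_edge_count++;
    return 1;
}

size_t indirect_edge_count(void) { return g_edge_count; }

/* Write "caller callee" hex pairs, one per line. These are raw runtime addresses:
 * resolve them offline against the unstripped binary (nm/addr2line), subtracting
 * the load base for PIE builds, then merge the edges into the static call graph. */
void dump_indirect_edges(FILE *out) {
    for (size_t i = 0; i < g_edge_count; i++)
        fprintf(out, "%#lx %#lx\n", (unsigned long)g_edges[i].caller,
                (unsigned long)g_edges[i].callee);
}

/* trace-pc inserts a call to this at every edge; an empty body satisfies the linker. */
void __sanitizer_cov_trace_pc(void) {}

/* Callback inserted before each indirect call under
 * -fsanitize-coverage=trace-pc,indirect-calls. The quoted docs name it
 * __sanitizer_cov_trace_pc_indirect; current clang emits __sanitizer_cov_trace_pc_indir,
 * so both are defined. The return address identifies the instrumented caller. */
void __sanitizer_cov_trace_pc_indirect(void *callee) {
    record_indirect_edge((uintptr_t)__builtin_return_address(0), (uintptr_t)callee);
}
void __sanitizer_cov_trace_pc_indir(uintptr_t callee) {
    record_indirect_edge((uintptr_t)__builtin_return_address(0), callee);
}
```

Link this into a standalone corpus-replay driver rather than a libFuzzer binary, since libFuzzer ships its own definitions of these callbacks; check with `nm -u` on the instrumented object which callback name your clang version references.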
