
I'm reading about AddressSanitizer, a tool that can be used to find memory bugs for Chrome (and other C/C++ software). I'm a little curious about what the process of using the tool involves:

1) Is it just a matter of running Chrome compiled with AddressSanitizer, playing around with Chrome, and hoping for AddressSanitizer to flag a warning?

2) If the answer to 1) is "yes", can I use tools like Selenium to automate the process?

3) If the answer to 1) is "no", should I instead be scrutinising the source code of Chrome, and then using AddressSanitizer to confirm/exploit the bug? Or should I be using AddressSanitizer in some other way?

Randomblue

1 Answer

  1. That's one way to use AddressSanitizer, but it's not the only way. AddressSanitizer is just a tool. It's up to you how you want to use it.

    AddressSanitizer is much like Valgrind, if you're familiar with it. (If you're not familiar with Valgrind, you could think of AddressSanitizer as being roughly similar to Purify, if you're familiar with that.) It is a runtime tool that monitors the execution of the program and flags a warning if it happens to see something that looks like a memory-related bug.

    If you want to use AddressSanitizer to find new bugs, it will be up to you to figure out how to exercise as much of the application as you want and how to get good coverage. You could do anything from "run it once" to "comprehensive fuzzing plus running on a detailed regression testsuite".

  2. Yes, if you want. It's up to you how you want to generate tests.

I suggest that you read about fuzz-testing. There are lots of resources. See, e.g., slide decks from Charlie Miller and the questions tagged with on this site. You might also check out this effort from Google and my experiments on how compilation flags affected fuzz-testing.

D.W.
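As an added illustration of the "runtime tool that flags a warning" point above (this is example code, not from the answer and not Chrome's code), here is a tiny heap-buffer-overflow next to its bounds-checked fix. The file name `asan_demo.c`, the `BUF_LEN` constant and the two function names are assumptions; `-fsanitize=address` is the real Clang/GCC flag that enables AddressSanitizer.

```c
/* Added example (not from the original post): a heap-buffer-overflow that
 * AddressSanitizer reports at runtime, beside a bounds-checked version.
 *
 * Build with ASan:  clang -g -O1 -fsanitize=address asan_demo.c -o asan_demo
 * Run:              ./asan_demo 16   -> exits cleanly
 *                   ./asan_demo 64   -> ASan prints "heap-buffer-overflow",
 *                                       a stack trace, and aborts the process
 * Without -fsanitize=address the same overflow is silent undefined behaviour,
 * which is exactly why the question's "play around and hope" workflow only
 * works when the inputs actually reach the buggy code path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 32   /* assumed fixed-size heap buffer */

/* Buggy: copies n bytes into a 32-byte heap buffer with no bounds check.
 * Returns a checksum of the bytes that fit, so the result can be compared
 * with the fixed version on in-bounds input. */
int copy_unchecked(const char *src, size_t n) {
    char *buf = malloc(BUF_LEN);
    if (buf == NULL) return -1;
    memcpy(buf, src, n);                 /* writes past buf when n > BUF_LEN */
    int sum = 0;
    for (size_t i = 0; i < n && i < BUF_LEN; i++) sum += (unsigned char)buf[i];
    free(buf);
    return sum;
}

/* Fixed: reject input that does not fit. Same checksum for in-bounds input,
 * -1 instead of memory corruption for oversized input. */
int copy_checked(const char *src, size_t n) {
    if (n > BUF_LEN) return -1;
    char *buf = malloc(BUF_LEN);
    if (buf == NULL) return -1;
    memcpy(buf, src, n);
    int sum = 0;
    for (size_t i = 0; i < n; i++) sum += (unsigned char)buf[i];
    free(buf);
    return sum;
}

int main(int argc, char **argv) {
    size_t n = argc > 1 ? strtoul(argv[1], NULL, 10) : 16;  /* constructed input size */
    char *input = malloc(n);
    if (input == NULL) return 1;
    memset(input, 'A', n);
    printf("checked:   %d\n", copy_checked(input, n));
    printf("unchecked: %d\n", copy_unchecked(input, n));   /* ASan aborts here if n > 32 */
    free(input);
    return 0;
}
```

The same idea scales up to the Chrome case: the sanitizer only reports what your tests or fuzzer actually execute, so coverage, not the tool, is the limiting factor.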