Hi, my proposal is to write a syscall/libc fuzzer. I've written down my thoughts; please let me know what you think about it. I would appreciate your feedback. I'm open to any ideas or comments.
1. What is fuzzing?

Fuzz testing is a software testing technique that provides random/invalid data to a program and then checks whether the program failed or something unexpected happened. More basic information and some historical background can be found on Barton Miller's site. [1]

2. What are the benefits of my project for NetBSD and the community?

There are still some bugs in kernels which can be discovered by simple fuzzers. [2] (By a simple fuzzer I mean here a fuzzer which passes totally random data into a random syscall.) I would like to help in making the project more solid, stable and secure; one of my goals is also to provide a tool for further testing. Auditing code by reading it is good, but it can simply miss some errors which can be uncovered during fuzz testing. That's why it's good to have one in one's own toolbox.

3. My proposal in more detail:

My idea is to write modern fuzzing tools targeted at NetBSD which will be dedicated to testing syscall/libc functions. Probably I will try to make it more flexible, in order to make it possible to test other libraries too. There are many techniques which I want to use: CFG fuzzing, evolutionary fuzzing [3], respecting the types passed to functions, etc. Today, fuzzing offers much more than blind sea-battle game playing; since NetBSD is an open source project, I shouldn't limit myself only to black-box testing.

As a part of my work I would like to write a translator for the C language and a small library. Their goal would be to detect integer overflows, stack overflows, problems with static array indexing, etc. (when such occur during the program execution). It will enable me to uncover more bugs in the software. E.g.

    int foo()
    {
        char d[10];
        int i;
        i = 5;
        return d[i];
    }

will be translated into:

    int foo()
    {
        char d[10];
        int i;
        int _x;
        i = 5;
        _x = i;                              /* translator-inserted copy of the index */
        if ( _x < 0 || _x > 9 ) ERROR();     /* translator-inserted bounds check      */
        return d[_x];
    }

...your ideas?

4. What are my main goals?
* write a syscall/libc fuzzer
* develop additional tools for the fuzzer environment
* cover as much project code as possible during testing
* create a tool which will be useful for future stress tests

Links:
[1] http://pages.cs.wisc.edu/~bart/fuzz/Foreword1.html
[2] http://archive.netbsd.se/?ml=dfbsd-kernel&a=2006-09&t=2348821
[3] http://www.vdalabs.com/tools/efs_gpf.html

-- 
Mateusz Kocielski