diff options
| author | Patrick Meyer <git@the-space.agency> | 2021-06-06 16:15:07 -0700 |
|---|---|---|
| committer | Gunnar Beutner <gunnar@beutner.name> | 2021-07-26 17:40:28 +0200 |
| commit | 83f88df7574c41bd3c7255d7f46930eef6744b6b (patch) | |
| tree | 4ec44f915b8c0c38f07493d344b39d8e71eac948 /Documentation | |
| parent | 67b3255fe84324e384a52e19fb5233ccb3665c1d (diff) | |
| download | serenity-83f88df7574c41bd3c7255d7f46930eef6744b6b.zip | |
Kernel: Add option to build with coverage instrumentation and KCOV
GCC and Clang allow us to inject a call to a function named
__sanitizer_cov_trace_pc on every edge. This function has to be defined
by us. By noting down the caller in that function we can trace the code
we have encountered during execution. Such information is used by
coverage guided fuzzers like AFL and LibFuzzer to determine if a new
input resulted in a new code path. This makes fuzzing much more
effective.
Additionally this adds a basic KCOV implementation. KCOV is an API that
allows user space to request the kernel to start collecting coverage
information for a given user space thread. Furthermore KCOV then exposes
the collected program counters to user space via a BlockDevice which can
be mmaped from user space.
This work is required to add effective support for fuzzing SerenityOS to
the Syzkaller syscall fuzzer. :^) :^)
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/AdvancedBuildInstructions.md | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Documentation/AdvancedBuildInstructions.md b/Documentation/AdvancedBuildInstructions.md index 2cd953efc5..0cd820f0e4 100644 --- a/Documentation/AdvancedBuildInstructions.md +++ b/Documentation/AdvancedBuildInstructions.md @@ -31,6 +31,7 @@ directory to `Build/i686` and then running `ninja <target>`: There are some optional features that can be enabled during compilation that are intended to help with specific types of development work or introduce experimental features. Currently, the following build options are available: - `ENABLE_ADDRESS_SANITIZER` and `ENABLE_KERNEL_ADDRESS_SANITIZER`: builds in runtime checks for memory corruption bugs (like buffer overflows and memory leaks) in Lagom test cases and the kernel, respectively. +- `ENABLE_KERNEL_COVERAGE_COLLECTION`: enables the KCOV API and kernel coverage collection instrumentation. Only useful for coverage guided kernel fuzzing. - `ENABLE_MEMORY_SANITIZER`: enables runtime checks for uninitialized memory accesses in Lagom test cases. - `ENABLE_UNDEFINED_SANITIZER`: builds in runtime checks for [undefined behavior](https://en.wikipedia.org/wiki/Undefined_behavior) (like null pointer dereferences and signed integer overflows) in Lagom test cases. - `ENABLE_FUZZER_SANITIZER`: builds [fuzzers](https://en.wikipedia.org/wiki/Fuzzing) for various parts of the system. |