address-sanitizer
AddressSanitizer (ASan)
AddressSanitizer (ASan) is a compiler-based memory error detector built into Clang, GCC and MSVC, and a standard part of software testing, particularly fuzzing. It turns memory corruption that would otherwise go unnoticed, such as buffer overflows, use-after-free and double-free, into an immediate, diagnosed crash at the point of the illegal access.
Overview
ASan is standard practice in fuzzing because of how reliably it exposes memory-safety bugs. The compiler instruments every load and store with a check against shadow memory, and the runtime replaces the allocator so that heap blocks are surrounded by poisoned redzones and freed blocks sit in a quarantine; an illegal access is therefore caught at the moment it happens, not later when the corruption becomes visible somewhere else.
Key Concepts
| Concept | Description |
|---|---|
| Instrumentation | The compiler inserts a shadow-memory check before every load and store; the runtime replaces malloc/free with redzone-padded allocations and a quarantine for freed blocks |
| Shadow Memory | One shadow byte records the state of each 8 bytes of application memory; on x86_64 Linux the runtime reserves roughly 20 TB of virtual address space for it at startup (reserved, not resident, so it costs no RAM until touched) |
| Performance Cost | About 2x slowdown on average (the official figure), 2-4x in practice, plus a memory footprint roughly 2-3x that of the uninstrumented program |
| Detection Scope | Heap, stack and global buffer overflows, use-after-free, use-after-return (when enabled), use-after-scope, double-free and invalid free, and memory leaks via the integrated LeakSanitizer |
When to Apply
Apply this technique when:
- Fuzzing C/C++ code for memory safety vulnerabilities
- Testing Rust code with unsafe blocks
- Debugging crashes related to memory corruption
- Running unit tests where memory errors are suspected
Skip this technique when:
- Running production code (ASan is a debugging tool, not a mitigation: it adds attack surface and overhead and makes no security guarantee)
- Platform is Windows, where support is newer (clang-cl and recent MSVC), LeakSanitizer is unavailable and most fuzzers other than libFuzzer do not run; macOS is well supported by Apple Clang, but LeakSanitizer has to be enabled explicitly there
- Performance overhead is unacceptable for your use case
- Fuzzing pure safe languages without FFI (e.g., pure Go, pure Java)
Quick Reference
| Task | Command/Pattern |
|---|---|
| Enable ASan (Clang/GCC) | `-fsanitize=address` at both compile and link time (add `-g` for file:line in traces) |
| Enable verbosity | `ASAN_OPTIONS=verbosity=1` |
| Disable leak detection | `ASAN_OPTIONS=detect_leaks=0` |
| Force abort on error | `ASAN_OPTIONS=abort_on_error=1` |
| Multiple options | Colon-separated `key=value` pairs: `ASAN_OPTIONS=verbosity=1:abort_on_error=1:detect_leaks=0` |
Step-by-Step
Step 1: Compile with ASan
Compile and link your code with the `-fsanitize=address` flag. It has to be present at link time as well as compile time, because the linker is what pulls in the ASan runtime:

```bash
clang -fsanitize=address -g -o my_program my_program.c
```

The `-g` flag is recommended to get file and line numbers in the stack traces ASan prints when it detects an error. Build with `-O1` or higher rather than `-O0`; that is the optimization level the ASan documentation recommends, and unoptimized instrumented builds are markedly slower. GCC accepts the same flags.
Step 2: Configure ASan Options
Set the `ASAN_OPTIONS` environment variable to configure ASan behavior. Options are `key=value` pairs separated by colons and are read by the runtime at process start:

```bash
export ASAN_OPTIONS=verbosity=1:abort_on_error=1:detect_leaks=0
```

Step 3: Run Your Program
Execute the ASan-instrumented binary. When a memory error is detected, ASan prints a detailed report to stderr and terminates the process: by default it exits with status 1, and with `abort_on_error=1` it calls `abort()` instead, so the process dies with SIGABRT, which is the signal most fuzzers use to recognise a crash:

```bash
./my_program
```

Step 4: Adjust Fuzzer Memory Limits
ASan reserves roughly 20 TB of virtual address space at startup for shadow memory (reserved, not touched, so it does not consume RAM by itself) and it also raises resident memory use through the shadow pages it does touch and the quarantine of freed blocks. A fuzzer limit measured on address space kills an ASan binary the instant it starts; a limit on resident memory needs extra headroom:
- libFuzzer: `-rss_limit_mb=0` disables the resident-set limit (the default is 2048 MB; a larger value also works, since this limit is on RSS rather than address space)
- AFL++: `-m none`, because the `-m` limit is applied as an address-space limit (RLIMIT_AS) that the ASan reservation exceeds immediately
Common Patterns
Pattern: Basic ASan Integration
Use Case: Standard fuzzing setup with ASan
Before:

```bash
clang -o fuzz_target fuzz_target.c
./fuzz_target
```

After:

```bash
clang -fsanitize=address -g -o fuzz_target fuzz_target.c
ASAN_OPTIONS=verbosity=1:abort_on_error=1 ./fuzz_target
```

Pattern: ASan with Unit Tests
Use Case: Enable ASan for unit test suite
Before:

```bash
gcc -o test_suite test_suite.c -lcheck
./test_suite
```

After:

```bash
gcc -fsanitize=address -g -o test_suite test_suite.c -lcheck
ASAN_OPTIONS=detect_leaks=1 ./test_suite
```

Under ASan the suite stops at the first memory error instead of finishing green with silently corrupted state. `detect_leaks=1` additionally turns leaks found at exit into a failure; it is already the default on Linux x86_64 and is the setting to make explicit on macOS, where leak detection is off unless requested.
Advanced Usage
Tips and Tricks
| Tip | Why It Helps |
|---|---|
| Use `-g` | Provides file and line numbers in the stack traces, which is what makes a report actionable |
| Set `ASAN_OPTIONS=verbosity=1` | The runtime prints its initialization messages, confirming ASan is enabled before the program starts |
| Disable leaks during fuzzing (`detect_leaks=0`) | Leak detection only runs at process exit, does not cause an immediate crash, and clutters the output of every run |
| Enable `abort_on_error=1` | Some fuzzers, AFL++ among them, recognise a crash by the signal that killed the child rather than by a non-zero exit status, so ASan must `abort()` rather than `_exit(1)` |
Understanding ASan Reports
When ASan detects a memory error, it prints a detailed report to stderr including:
- Error type: heap-buffer-overflow, heap-use-after-free, stack-buffer-overflow, double-free, etc.
- Access: whether it was a READ or a WRITE, of how many bytes, and from which thread
- Stack trace: where the error occurred (when the access went through a libc function such as memcpy, frame #0 is the ASan interceptor and the offending caller is the next frame)
- Allocation/deallocation traces: where the memory was allocated and, for use-after-free, where it was freed
- Memory map: the shadow bytes around the faulting address, followed by a legend explaining each shadow value
Example ASan report (abridged):

```
==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff4 at pc 0x00000048e6a3
READ of size 4 at 0x60300000eff4 thread T0
    #0 0x48e6a2 in main /path/to/file.c:42
```

The report ends with a single `SUMMARY: AddressSanitizer: <type> <file:line> in <function>` line, which is the usual key for de-duplicating the crashes a fuzzing campaign produces.
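Added example, not code from the original page or from the ASan project: a small C triage helper that pulls the error class, the access kind and size, and the location of the first non-runtime frame out of an ASan report and turns them into a bucket key, which is what you want when a campaign leaves hundreds of crash files behind. The embedded report is a constructed, abridged sample in the format ASan prints; `asan_summary`, `asan_parse_report`, `asan_bucket_key` and the file name `asan_triage.c` are names chosen for the example.

```c
/* asan_triage.c: added example, not from the page. Reads an ASan report and
 * prints a bucket key for grouping duplicate crashes. Build and use:
 *   clang -O1 -g asan_triage.c -o asan_triage
 *   ./fuzz_target crash-file 2>&1 | ./asan_triage
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char kind[64];       /* error class: "heap-buffer-overflow", "heap-use-after-free", "SEGV", ... */
    char access[8];      /* "READ" or "WRITE"; empty for errors that have no access line */
    unsigned size;       /* bytes accessed; 0 when there is no access line */
    char function[128];  /* first frame of the error stack that is not ASan's own runtime */
    char location[256];  /* file:line[:col] or (module+offset) of that frame */
} asan_summary;

/* Constructed, abridged sample in the format ASan prints. A real report also
 * carries the full stacks, the shadow-byte dump and its legend. */
static const char SAMPLE_REPORT[] =
    "=================================================================\n"
    "==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff4 at pc 0x00000048e6a3 bp 0x7ffd1c2f0a10 sp 0x7ffd1c2f0a00\n"
    "READ of size 4 at 0x60300000eff4 thread T0\n"
    "    #0 0x4a1f2c in __asan_memcpy (/home/u/fuzz_target+0x4a1f2c)\n"
    "    #1 0x48e6a2 in main /path/to/file.c:42:15\n"
    "    #2 0x7f1c8a829d90 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)\n"
    "\n"
    "0x60300000eff4 is located 0 bytes to the right of 20-byte region [0x60300000efe0,0x60300000eff4)\n"
    "allocated by thread T0 here:\n"
    "    #0 0x4a2b10 in malloc (/home/u/fuzz_target+0x4a2b10)\n"
    "    #1 0x48e5f0 in main /path/to/file.c:40:17\n"
    "\n"
    "SUMMARY: AddressSanitizer: heap-buffer-overflow /path/to/file.c:42:15 in main\n";

/* Frames that belong to the sanitizer runtime (the memcpy/strcpy interceptors
 * and friends) say nothing about where the bug is, so they are skipped. */
static bool is_runtime_frame(const char *fn) {
    return strncmp(fn, "__asan_", 7) == 0 ||
           strncmp(fn, "__interceptor_", 14) == 0 ||
           strncmp(fn, "__sanitizer_", 12) == 0;
}

/* Returns true if the text contains an ASan error header and fills *out. */
bool asan_parse_report(const char *report, asan_summary *out) {
    memset(out, 0, sizeof *out);
    bool in_error = false, in_stack = false, have_frame = false;
    const char *p = report;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof(char[512]) - 1 ? full : sizeof(char[512]) - 1; /* truncate long lines */
        char line[512];
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + full;

        if (!in_error) {
            /* "==<pid>==ERROR: AddressSanitizer: <kind> on address ..." */
            if (sscanf(line, "==%*d==ERROR: AddressSanitizer: %63s", out->kind) == 1)
                in_error = in_stack = true;
            continue;
        }
        if (line[0] == '\0') { in_stack = false; continue; }  /* blank line ends the error stack */

        char acc[8]; unsigned sz;
        if (out->access[0] == '\0' && sscanf(line, "%7[A-Z] of size %u", acc, &sz) == 2) {
            strcpy(out->access, acc);   /* "READ" / "WRITE" */
            out->size = sz;
            continue;
        }
        char fn[128], loc[256]; int idx;
        if (in_stack && !have_frame &&
            sscanf(line, " #%d 0x%*[0-9a-fA-F] in %127s %255s", &idx, fn, loc) == 3 &&
            !is_runtime_frame(fn)) {
            strcpy(out->function, fn);
            strcpy(out->location, loc);
            have_frame = true;          /* the "#0" of the allocation stack is ignored */
        }
    }
    return in_error;
}

/* Key for grouping crashes: same class, same access kind, same faulting frame.
 * Returns the number of characters written (snprintf semantics). */
int asan_bucket_key(const asan_summary *s, char *buf, size_t n) {
    return snprintf(buf, n, "%s:%s:%s:%s", s->kind,
                    s->access[0] ? s->access : "-", s->function, s->location);
}

int main(void) {
    static char text[1 << 16];
    size_t n = fread(text, 1, sizeof text - 1, stdin);
    text[n] = '\0';
    asan_summary s;
    if (!asan_parse_report(n ? text : SAMPLE_REPORT, &s)) {   /* no stdin: use the sample */
        fputs("no AddressSanitizer error found\n", stderr);
        return 1;
    }
    char key[512];
    asan_bucket_key(&s, key, sizeof key);
    printf("%s (%s of %u bytes)\n", key, s.access[0] ? s.access : "no access", s.size);
    return 0;
}
```

ASan writes to stderr, hence the `2>&1` in the usage line; with `ASAN_OPTIONS=log_path=asan.log` the report lands in `asan.log.<pid>` instead and can be fed in from there. The key uses the first frame that is not an interceptor rather than frame #0, because for a bug reached through `memcpy` or `strcpy` frame #0 is `__asan_memcpy` for every crash and would put unrelated bugs in one bucket.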
Combining Sanitizers
ASan can be combined with UndefinedBehaviorSanitizer in the same binary for broader detection:

```bash
clang -fsanitize=address,undefined -g -o fuzz_target fuzz_target.c
```

ASan cannot be combined with MemorySanitizer or ThreadSanitizer in one binary; build separate targets for those and run the same corpus through each.
Platform-Specific Considerations
Linux: Full ASan support and the best-tested configuration for fuzzing
macOS: Supported by Apple Clang on x86_64 and arm64; LeakSanitizer is off by default and must be enabled with `detect_leaks=1`, and some options differ from Linux
Windows: Supported by clang-cl and recent MSVC, but less mature (no LeakSanitizer, fewer interceptors) and, apart from libFuzzer, most fuzzers do not run there; not recommended for production fuzzing
Anti-Patterns
| Anti-Pattern | Problem | Correct Approach |
|---|---|---|
| Using ASan in production | Not a mitigation: adds attack surface and overhead and gives no security guarantee | Use ASan only for testing |
| Not disabling memory limits | Fuzzer kills the process because ASan reserves roughly 20 TB of virtual address space | Set `-m none` (AFL++) or `-rss_limit_mb=0` (libFuzzer) |
| Ignoring leak reports | Memory leaks indicate resource management issues | Review leak reports at the end of the fuzzing campaign, e.g. by replaying the corpus with `detect_leaks=1` |
Tool-Specific Guidance
libFuzzer
Compile with both the fuzzer driver and AddressSanitizer:

```bash
clang++ -fsanitize=fuzzer,address -g harness.cc -o fuzz
```

Run with unlimited RSS:

```bash
./fuzz -rss_limit_mb=0
```

Integration tips:
- Always combine `-fsanitize=fuzzer` with `-fsanitize=address`; a libFuzzer target without a sanitizer only notices errors that happen to hit unmapped memory
- Use `-g` for detailed stack traces in crash reports
- Consider `ASAN_OPTIONS=abort_on_error=1` for better crash handling; libFuzzer already registers a death callback that saves the crashing input on any sanitizer error, so this mostly matters when the same binary is driven by other tooling
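The Step-by-Step procedure earlier on the page and the libFuzzer commands in this section, carried through as one complete target. This is an added example, not code from the original page or from the libFuzzer project; the one-byte-length wire format, the file name `asan_demo.c` and the function names are constructed for it. The parser trusts the declared length and over-reads the input buffer; the checked version rejects a header that does not fit, and the libFuzzer entry point exercises the vulnerable one so that ASan reports it.

```c
/* asan_demo.c: added example, not from the page. Build and fuzz:
 *   clang -fsanitize=fuzzer,address -g -O1 asan_demo.c -o asan_demo
 *   ./asan_demo -rss_limit_mb=0
 * Reproduce a saved crash without libFuzzer:
 *   clang -fsanitize=address -g -O1 -DSTANDALONE asan_demo.c -o asan_repro
 *   ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 ./asan_repro crash-<hash>
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for the example: byte 0 is the declared payload
 * length, bytes 1.. are the payload. */

/* Vulnerable: trusts the declared length. When len > n - 1 the memcpy reads
 * past the end of `in`; under ASan that shows up as a heap-buffer-overflow
 * READ of size len, because libFuzzer hands the harness an exactly-sized
 * heap buffer whose redzone starts right after the last input byte. */
char *copy_payload_vulnerable(const uint8_t *in, size_t n) {
    if (n < 1) return NULL;
    size_t len = in[0];
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, in + 1, len);           /* BUG: no check that len <= n - 1 */
    out[len] = '\0';
    return out;
}

/* Hardened: the declared length must be covered by the bytes actually received. */
char *copy_payload_checked(const uint8_t *in, size_t n) {
    if (n < 1) return NULL;
    size_t len = in[0];
    if (len > n - 1) return NULL;       /* truncated input or lying header: reject */
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, in + 1, len);
    out[len] = '\0';
    return out;
}

/* libFuzzer entry point; calls the vulnerable parser so ASan can catch it.
 * A 2-byte input such as {0x09, 'a'} is enough to trigger the report. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char *s = copy_payload_vulnerable(data, size);
    free(s);
    return 0;
}

#ifdef STANDALONE
/* Replays one input file through the harness. The bytes are copied into an
 * exactly-sized heap buffer, as libFuzzer does, so an over-read lands in an
 * ASan redzone instead of in the unused tail of a larger stack array. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    uint8_t stack_buf[4096];
    size_t n = fread(stack_buf, 1, sizeof stack_buf, f);
    fclose(f);
    uint8_t *exact = malloc(n ? n : 1);
    if (!exact) return 2;
    memcpy(exact, stack_buf, n);
    int rc = LLVMFuzzerTestOneInput(exact, n);
    free(exact);
    return rc;
}
#endif
```

With the fuzzer build, libFuzzer finds a length byte larger than the remaining input within seconds and writes the input to a `crash-<hash>` file; the report names `copy_payload_vulnerable` in the stack below the `memcpy` interceptor. The `STANDALONE` build is the replay binary used by the `Step 3` and AFL++ style workflows, where the crash file is passed on the command line rather than handed over by libFuzzer.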
AFL++
Use the `AFL_USE_ASAN` environment variable with the AFL++ compiler wrapper:

```bash
AFL_USE_ASAN=1 afl-clang-fast++ -g harness.cc -o fuzz
```

Run with unlimited memory:

```bash
afl-fuzz -m none -i input_dir -o output_dir ./fuzz
```

Integration tips:
- `AFL_USE_ASAN=1` automatically adds the proper compilation and link flags
- Use `-m none` to disable AFL++'s memory limit, which is applied to address space and would kill an ASan binary immediately
- If you set `ASAN_OPTIONS` yourself, afl-fuzz insists that it contain `abort_on_error=1` and `symbolize=0`: it detects crashes by signal, and symbolizing every report would slow down each execution
- An ASan build runs slower, so a common setup fuzzes a plain build for speed and runs the ASan build as a secondary instance (or replays the queue and crashes through it afterwards)
- Consider `AFL_MAP_SIZE` for programs with large coverage maps
cargo-fuzz (Rust)
Use the `--sanitizer=address` flag (ASan is also cargo-fuzz's default sanitizer, so a plain `cargo fuzz run` builds with it too):

```bash
cargo fuzz run fuzz_target --sanitizer=address
```

Keep debug info in the fuzz crate's release profile in `fuzz/Cargo.toml` so that ASan reports carry file and line numbers (this profile does not itself turn the sanitizer on):

```toml
[profile.release]
opt-level = 3
debug = true
```

Integration tips:
- ASan is useful for fuzzing unsafe Rust code or FFI boundaries
- Safe Rust code may not benefit as much (the compiler already prevents many errors)
- Focus on unsafe blocks, raw pointers, and C library bindings
honggfuzz
Compile the target with honggfuzz's compiler wrapper and ASan:

```bash
hfuzz-clang -fsanitize=address -g target.c -o fuzz_target_asan
```

Then run it under honggfuzz:

```bash
honggfuzz -i input_dir -o output_dir -- ./fuzz_target_asan
```

Integration tips:
- honggfuzz works well with ASan out of the box: the signal raised when ASan aborts is recorded as a crash and the input is saved
- If the target reads its input from a file rather than exposing a persistent-mode entry point, pass `___FILE___` after the binary; honggfuzz substitutes the path of each test case
- Use feedback-driven mode for better coverage with sanitizers
- Monitor memory usage, as ASan increases memory footprint
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| Fuzzer kills process immediately | Memory limit too low for ASan's roughly 20 TB virtual address space reservation | Use `-m none` (AFL++) or `-rss_limit_mb=0` (libFuzzer) |
| "ASan runtime not initialized" | Wrong linking order or missing runtime, typically an instrumented shared library loaded by an executable that was not linked with ASan | Ensure `-fsanitize=address` is passed at link time as well as compile time, and link the executable (not only the library) with ASan, or preload the runtime with `LD_PRELOAD` |
| Leak reports clutter output | LeakSanitizer enabled by default on Linux x86_64 | Set `ASAN_OPTIONS=detect_leaks=0` |
| Poor performance (>4x slowdown) | Debug mode or unoptimized build | Compile with `-O1` or higher alongside `-fsanitize=address`; avoid `-O0` |
| ASan not detecting obvious bugs | Binary not instrumented | Check with `nm` that the binary contains `__asan_init` and that `verbosity=1` prints the runtime's init message |
| False positives | Interceptor conflicts, custom allocators, or uninstrumented libraries that hand memory back and forth | Check the ASan FAQ for known issues with specific libraries, and build dependencies with ASan as well |
Related Skills
Tools That Use This Technique
| Skill | How It Applies |
|---|---|
| libfuzzer | Compile with `-fsanitize=fuzzer,address` |
| aflpp | Use `AFL_USE_ASAN=1` with `afl-clang-fast` and run `afl-fuzz -m none` |
| cargo-fuzz | Use `--sanitizer=address` (the default) |
| honggfuzz | Compile target with `hfuzz-clang -fsanitize=address` |
Related Techniques
| Skill | Relationship |
|---|---|
| undefined-behavior-sanitizer | Often used together with ASan for comprehensive bug detection (undefined behavior + memory errors) |
| fuzz-harness-writing | Harnesses must be designed to handle ASan-detected crashes and avoid false positives |
| coverage-analysis | Coverage-guided fuzzing helps trigger code paths where ASan can detect memory errors |
Resources
Key External Resources
The official ASan documentation covers:
- Algorithm and implementation details
- Complete list of detected error types
- Performance characteristics and overhead
- Platform-specific behavior
- Known limitations and incompatibilities
Common configuration flags shared across all sanitizers (set through `ASAN_OPTIONS`):
- `verbosity`: Control diagnostic output level
- `log_path`: Redirect sanitizer output to files (`<path>.<pid>`, one per process)
- `symbolize`: Enable/disable symbol resolution in reports
- `external_symbolizer_path`: Use a custom symbolizer (normally `llvm-symbolizer`)
ASan-specific configuration options:
- `detect_leaks`: Control memory leak detection
- `abort_on_error`: Call `abort()` instead of `_exit()` on error
- `detect_stack_use_after_return`: Detect stack use-after-return bugs
- `check_initialization_order`: Find initialization order bugs
Common pitfalls and solutions:
- Linking order issues
- Conflicts with other tools
- Platform-specific problems
- Performance tuning tips
Clang-specific guidance:
- Compilation flags and options
- Interaction with other Clang features
- Supported platforms and architectures
GCC-specific ASan documentation:
- GCC-specific flags and behavior
- Differences from Clang implementation
- Platform support in GCC
Original research paper with technical details:
- Shadow memory algorithm
- Virtual memory requirements (historically 16TB, now ~20TB)
- Performance benchmarks
- Design decisions and tradeoffs