
Sanitizers, like:

  • address sanitizer (ASAN);
  • undefined behavior sanitizer (UBSAN)
  • etc.

are frequently used during development and testing.

Are these tools used in released software?

lol lol

1 Answer


Depends on your goals. Sanitizer developers suggest not to use them for production hardening (i.e. protecting against attacks) because instrumentation may enable different types of attacks. On the other hand they do recommend occasionally running them on real workloads for detecting the last 1% of bugs in released software (which e.g. only repro under heavy load).

yugr
  • Thank you for your answer! My friend told me that "integer overflow sanitization" was applied to a Google Android component in release (probably he meant the media framework). Can it be true? – lol lol Jan 17 '20 at 08:58
  • @lollol It seems Android indeed [enables UBSan by default](https://android-developers.googleblog.com/2018/06/compiler-based-security-mitigations-in.html) for some media libraries. But note that they made additional changes to platform during UBSan integration (i.e. it wasn't simply about adding `-fsanitize=undefined`). – yugr Jan 17 '20 at 09:26
  • Under "additional changes" do you mean sandboxing? – lol lol Jan 17 '20 at 09:31