BTRFS from basic master #3065
BTRFS from basic master #3065
Conversation
|
Still waiting for AppVeyor, but this now works on windows, linux and MacOS. It would be great for @bcarrier and @jayaramcs to take a look, as this is a new file system for TSK. That's pretty significant! @joachimmetz and @uckelman-sf are also invited to comment. |
|
The AppVeyor fails were because:
|
|
Nice, would recommend adding a fuzz target as well https://github.com/sleuthkit/sleuthkit/tree/develop/ossfuzz |
|
I don't know how to add the fuzz targets, but if you tell me how, I'll do it! |
sure, should not be too involved, let me ask a couple of questions first to get some more context
|
How about https://corp.digitalcorpora.org/corpora/drives/2015-basicmaster/btrfs_testimage_50MB.E01? btrfs sits on top of raw storage, like ext. |
to isolate just fuzzing the btrfs backend a smaller only btrfs raw file system (let me see if I can create a script and add it to https://github.com/dfirlabs/btrfs-specimens). also note that the ossfuzz build does not build with E01 support
the fls fuzz target likely can be reused then https://github.com/sleuthkit/sleuthkit/blob/develop/ossfuzz/fls_fuzzer.cc |
Looks like the minimum required size is 114294784, that might be too large. Note that the seed file is not required but helps with more targeted fuzzing. |
|
I’m unclear what the seed file does if it is not needed. Instead of making
the seed files once and downloading it, why not make it as part of the
fuzzing operation?
…On Tue, Oct 29, 2024 at 1:22 AM Joachim Metz ***@***.***> wrote:
let me see if I can create a script and add it to
https://github.com/dfirlabs/btrfs-specimens
Looks like the minimum required size is 114294784, that might be too
large. Note that the seed file is not required but helps with more targeted
fuzzing.
—
Reply to this email directly, view it on GitHub
<#3065 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAMFHLDZ425S3QVKHFXOKW3Z54LPLAVCNFSM6AAAAABQVDU2J6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINBTGIZTSOJXGI>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
tldr it helps with improving test coverage, maybe useful context https://google.github.io/oss-fuzz/getting-started/new-project-guide/#seed-corpus
not sure what you specifically are asking with this, but what the fuzzer does is invoke the fuzz targets with mutated input based on the seed corpus |
|
Since the fuzzer is running on a Linux system, instead of downloading the seed, perhaps it could just run the script to create the seed.
… On Oct 29, 2024, at 4:57 AM, Joachim Metz ***@***.***> wrote:
I’m unclear what the seed file does if it is not needed.
tldr it helps with improving test coverage, maybe useful context https://google.github.io/oss-fuzz/getting-started/new-project-guide/#seed-corpus
why not make it as part of the fuzzing operation?
not sure what you specifically are asking with this, but what the fuzzer does is invoke the fuzz targets with mutated input based on the seed corpus
—
Reply to this email directly, view it on GitHub <#3065 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMFHLEPCIMGC4DXVOENIUDZ55EWTAVCNFSM6AAAAABQVDU2J6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINBTGYYTKMRWGY>.
You are receiving this because you authored the thread.
|
|
The seed file is not required, adding the fuzz target should be sufficient for now. Seed file can always be added later as well. |
|
I clearly don’t understand how the fuzzer works. Doesn’t it need an
executable that it runs? So doesn’t it need a data file to run with the
executable? Can you point me at academic paper that describes how it works?
Thanks..
…On Tue, Oct 29, 2024 at 5:22 AM Joachim Metz ***@***.***> wrote:
The seed file is not required, adding the fuzz target should be sufficient
for now. Seed file can always be added later as well.
—
Reply to this email directly, view it on GitHub
<#3065 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAMFHLEIMWD2FLLTZWW7KWLZ55HUFAVCNFSM6AAAAABQVDU2J6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINBTGY3TCNBVHA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
I'm unaware of academic paper specifically but the project documentation can be found here https://google.github.io/oss-fuzz/ The proposed changes to Makefile.am (in #3065 (comment)) and adding |
Thanks. I wonder how hard it would be to get it to work with bulk_extractor.
I'll look into it and see if I can add it to this PR. Meanwhile, I'm during this BT back to a draft until I hear from @jayaramcs. |
Oh, I get it. This compiles a fls_btrfs_fuzzer executable with the fuzzing engine linked in and I'm still unclear on where the code analysis is happening. Is the fuzz happening with source code inspection or object code inspection? This is presumably data mutation to cause more execution graph exploration, right? |
It is configured to run on clusterfuzz. Also see https://google.github.io/oss-fuzz/further-reading/clusterfuzz/ but you can also run it locally. Issues are available through https://issues.oss-fuzz.com/ Brian currently has access, given he is configure as project owner in https://github.com/google/oss-fuzz/tree/master/projects/sleuthkit |
|
Regarding 1f84b56#diff-0462e381b2fb3286568215681c8983490a37ac9ae0f0c5ee304df7fa6426d4afR807 you also need to add |
|
There should be a test image for validating how Sleuthkit reads BTRFS, to go with the other test images in #3044. Has there been any progress on that? |
Yes. We have one here: My understanding is that @joachimmetz is concerned about the size. |
|
How can I get access to the issues?
… On Oct 29, 2024, at 11:42 AM, Joachim Metz ***@***.***> wrote:
I'm still unclear on where the code analysis is happening. Is the fuzz happening with source code inspection or object code inspection?
It is configured to run on clusterfuzz. Also see https://google.github.io/oss-fuzz/further-reading/clusterfuzz/ but you can also run it locally.
Issues are available through https://issues.oss-fuzz.com/ Brian currently has access, given he is configure as project owner in https://github.com/google/oss-fuzz/tree/master/projects/sleuthkit
—
Reply to this email directly, view it on GitHub <#3065 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMFHLCHUSZ7DPGUSAPRCM3Z56UEXAVCNFSM6AAAAABQVDU2J6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINBUGY2TIOJVGQ>.
You are receiving this because you authored the thread.
|
tsk/fs/Makefile.am
Outdated
| @@ -0,0 +1,27 @@ | |||
| AM_CPPFLAGS = -I../.. -I$(srcdir)/../.. -Wall | |||
There was a problem hiding this comment.
New makefiles shouldn't be created in subdirectories. This should go into the main (and only) Makefile.am.
There was a problem hiding this comment.
Legacy cruft from the original PR. It's not being used. I'll delete it. Thanks for catching it.
|
It's unclear to me why the AppVeryor failed, so I'm doing an update branch and we will see if it fails again. |
Makefile.am
Outdated
| @@ -701,9 +704,6 @@ endif | |||
| tsk_jar = $(top_builddir)/bindings/java/dist/sleuthkit-$(PACKAGE_VERSION).jar | |||
| jardir = $(prefix)/share/java | |||
|
|
|||
| $(tsk_jar): | |||
| cd bindings/java ; ant dist $(ant_args) | |||
|
|
|||
There was a problem hiding this comment.
Why is this being removed?
There was a problem hiding this comment.
user error. I'll add it back.
|
fixed in d98b278
… On Nov 26, 2024, at 5:44 PM, Joel Uckelman ***@***.***> wrote:
@uckelman-sf commented on this pull request.
In .github/workflows/build-unix.yml <#3065 (comment)>:
> @@ -36,7 +36,7 @@ jobs:
linkage: "shared"
compiler: "gcc"
runner: "ubuntu-22.04"
- configure_opts: "--with-libewf --with-libqcow --with-libvhdi --with-libvmdk --disable-java CFLAGS=\"-Wno-unused-command-line-argument -Werror\" CXXFLAGS=-Werror"
+ configure_opts: "--with-libewf --with-libqcow --with-libvhdi --with-libvmdk --disable-java CFLAGS=\"-Wno-unused-command-line-argument -Werror -Wno-error=unused-parameter\" CXXFLAGS=\"-Werror -Wno-error=unused-parameter\""
This is still not fixed.
—
Reply to this email directly, view it on GitHub <#3065 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMFHLBQFC4GZPOGILXBBSD2CSQQRAVCNFSM6AAAAABQVDU2J6VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDINRSGEZDINJWGY>.
You are receiving this because you authored the thread.
|
| @@ -37,7 +37,7 @@ jobs: | |||
| linkage: "shared" | |||
| compiler: "gcc" | |||
| runner: "ubuntu-22.04" | |||
| configure_opts: "--with-libewf --with-libqcow --with-libvhdi --with-libvmdk --disable-java CFLAGS=\"-Wno-unused-command-line-argument -Werror\" CXXFLAGS=-Werror" | |||
| configure_opts: "--with-libewf --with-libqcow --with-libvhdi --with-libvmdk --disable-java CXXFLAGS=-Werror" | |||
There was a problem hiding this comment.
CFLAGS=-Werror should not be removed.
Makefile.am
Outdated
| @@ -2,7 +2,7 @@ ACLOCAL_AMFLAGS = -I m4 | |||
|
|
|||
| AM_CPPFLAGS = -I$(srcdir)/tsk | |||
| AM_CFLAGS = -Wall -Wextra | |||
| AM_CXXFLAGS = -Wall -Wextra -Woverloaded-virtual | |||
| AM_CXXFLAGS = -Wall -Wextra -Woverloaded-virtual | |||
|
got it.
… On Nov 26, 2024, at 6:30 PM, Joel Uckelman ***@***.***> wrote:
@uckelman-sf commented on this pull request.
In .github/workflows/build-unix.yml <#3065 (comment)>:
> @@ -37,7 +37,7 @@ jobs:
linkage: "shared"
compiler: "gcc"
runner: "ubuntu-22.04"
- configure_opts: "--with-libewf --with-libqcow --with-libvhdi --with-libvmdk --disable-java CFLAGS=\"-Wno-unused-command-line-argument -Werror\" CXXFLAGS=-Werror"
+ configure_opts: "--with-libewf --with-libqcow --with-libvhdi --with-libvmdk --disable-java CXXFLAGS=-Werror"
CFLAGS=-Werror should not be removed.
—
Reply to this email directly, view it on GitHub <#3065 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMFHLBNVGH4PK3WSLX6RYD2CSV5HAVCNFSM6AAAAABQVDU2J6VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDINRSGI3DIMRRGA>.
You are receiving this because you authored the thread.
|
.github/workflows/build-unix.yml
Outdated
| @@ -49,7 +49,7 @@ jobs: | |||
| linkage: "shared" | |||
| compiler: "clang" | |||
| runner: "ubuntu-22.04" | |||
| configure_opts: "--with-libewf --with-libqcow --with-libvhdi --with-libvmdk --disable-java CC=clang CXX=clang++ CFLAGS=-Werror CXXFLAGS=-Werror" | |||
| configure_opts: "--with-libewf --with-libqcow --with-libvhdi --with-libvmdk --disable-java CC=clang CXX=clang++ CFLAGS=-Werror CXXFLAGS=-Werror | |||
There was a problem hiding this comment.
This is missing the trailing double quote.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## develop #3065 +/- ##
===========================================
+ Coverage 16.50% 19.18% +2.68%
===========================================
Files 145 148 +3
Lines 34107 36233 +2126
===========================================
+ Hits 5627 6948 +1321
- Misses 28480 29285 +805
|
|
Thanks to @uckelman-sf for all of your help! |
|
Wait, this should not have been merged yet.
|
Whoops. |
How do you want to proceed? |
How? By hand? Against some expected results? |
By hand. I created the test image and ran fiwalk on it and I got results that I expected. |
|
Ok. I'd like to have a look through |
|
And we are excited to have you go through the code! We really appreciate
the attention.
…On Wed, Nov 27, 2024 at 5:36 PM Joel Uckelman ***@***.***> wrote:
Ok. I'd like to have a look through tsk/fs/btrfs.cpp and
tsk/fs/tsk_btrfs.h when I'm back on Tuesday.
—
Reply to this email directly, view it on GitHub
<#3065 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAMFHLACAFTAEVDSHQRFPG32CXYHJAVCNFSM6AAAAABQVDU2J6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMBUGMYTSOBZGI>
.
You are receiving this because you modified the open/close state.Message
ID: ***@***.***>
|
This is #413 but brought up to develop.