Google Online Security Blog

Address Sanitizer for Bare-metal Firmware

Android firmware is increasingly vulnerable to attack due to its lower scrutiny compared to Android userspace and kernel. Kernel Address Sanitizer (KASan) is a tool that can proactively detect firmware vulnerabilities by identifying invalid memory access operations during runtime. KASan can be used for a wide range of firmware targets and is applicable to both heap and stack memory.

To enable KASan for bare-metal firmware, a custom runtime must be implemented to verify memory access operations and manage shadow memory, which tracks the state of memory regions covered by KASan. Shadow memory is a dedicated memory region where each byte corresponds to an 8-byte memory region and encodes its state. The KASan runtime includes functions to perform memory access checks, manage shadow memory, and hook heap memory allocation routines. By instrumenting memory access operations with these functions, KASan can detect memory corruption vulnerabilities, including out-of-bounds memory access, use-after-free, double/invalid free, and use-after-return. To avoid false positives for noreturn functions, the __asan_handle_no_return routine is used to remove red zones around stack variables. KASan can be enabled for heap, stack, and global variables by using specific compiler options during compilation.

A small project is provided to demonstrate an implementation of KASan for bare-metal targets using the QEMU system emulator. This implementation can be used as a reference for technical details. KASan has been used to proactively find and fix over 40 memory safety bugs and vulnerabilities in firmware targets, including some of critical severity. By leveraging KASan in firmware development, device security can be significantly improved.
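To make the shadow-memory mechanism concrete, here is an added toy runtime (example code written for this page, not the blog's or the linked project's code) that models the three pieces the post names: the access check, shadow management, and hooked allocation. It assumes a constructed 64-byte address window, a one-shadow-byte-per-8-byte-granule encoding in the style of the usual ASan convention, and hypothetical function names and poison values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
/* Toy KASan-style runtime over a constructed 64-byte address window.
 * Shadow encoding is an assumption modelled on the usual ASan convention:
 * one shadow byte per 8-byte granule; 0 = all 8 bytes addressable,
 * 1..7 = only the first k bytes addressable, negative = poisoned. */
#define MEM_SIZE       64
#define SHADOW_SCALE   3
#define GRANULE        ((size_t)1 << SHADOW_SCALE)
#define SHADOW_SIZE    (MEM_SIZE >> SHADOW_SCALE)
#define POISON_REDZONE ((int8_t)0xfa) /* red-zone marker (hypothetical value) */
#define POISON_FREED   ((int8_t)0xfd) /* freed-chunk marker (hypothetical value) */
static int8_t shadow[SHADOW_SIZE]; /* one shadow byte per granule of the window */
static size_t bump;                /* bump-allocator cursor into the window */
void kasan_init(void) {
    for (size_t i = 0; i < SHADOW_SIZE; i++) shadow[i] = POISON_REDZONE;
    bump = GRANULE; /* granule 0 stays poisoned as a left red zone */
}
/* Poison every granule overlapping [addr, addr+len) with val. */
void kasan_poison(size_t addr, size_t len, int8_t val) {
    for (size_t a = addr & ~(GRANULE - 1); a < addr + len; a += GRANULE)
        shadow[a >> SHADOW_SCALE] = val;
}
/* Make [addr, addr+len) addressable; addr must be granule-aligned. */
void kasan_unpoison(size_t addr, size_t len) {
    size_t a = addr;
    for (; a + GRANULE <= addr + len; a += GRANULE) shadow[a >> SHADOW_SCALE] = 0;
    if (a < addr + len) shadow[a >> SHADOW_SCALE] = (int8_t)(addr + len - a);
}
/* The check the compiler instruments before each load/store: true if every byte of
 * [addr, addr+size) is addressable. Real runtimes use a one-lookup fast path for
 * aligned 1/2/4/8-byte accesses; this per-byte loop is the plain definition. */
bool kasan_check(size_t addr, size_t size) {
    for (size_t a = addr; a < addr + size; a++) {
        if (a >= MEM_SIZE) return false;
        int8_t k = shadow[a >> SHADOW_SCALE];
        if (k < 0) return false;                                      /* red zone / freed */
        if (k != 0 && (a & (GRANULE - 1)) >= (size_t)k) return false; /* beyond partial granule */
    }
    return true;
}
/* Hooked allocator: unpoison the object, leave a poisoned granule after it; MEM_SIZE = OOM. */
size_t kasan_alloc(size_t len) {
    size_t addr = bump, end = ((addr + len + GRANULE - 1) & ~(GRANULE - 1)) + GRANULE;
    if (len == 0 || end > MEM_SIZE) return MEM_SIZE;
    kasan_unpoison(addr, len);
    bump = end;
    return addr;
}
/* Hooked free: poison the chunk so a later access is reported as use-after-free. */
void kasan_free(size_t addr, size_t len) { kasan_poison(addr, len, POISON_FREED); }
```

A 13-byte object occupies one full granule plus a partial one whose shadow byte is 5, so the 13 in-bounds bytes pass while the 14th byte, the trailing red zone, and any access after `kasan_free` all fail the check.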