frabert 10 hours ago

C-reduce is meant to... Reduce your files, it would not add stuff that was not there in the first place. Also, I think it's meant to only be run against the "frontend" of most languages, not full execution

1
chubot 9 hours ago

Yeah but you could have a shell script that does

    rm -rf /foo/bar
and in theory it could reduce it to

    rm -rf /
The passes are very heuristic, so that doesn't seem like something you can rule out.

(and I actually want to run it on shell scripts! )

Cieric 9 hours ago

While I've used c-reduce before, I've never done it in a way where it could be destructive. However speculating based on what I do know. I think the 2 things I would do would be in the interesting-ness test, grep for already known harmful instructions and force them to be uninteresting (returning 1). And then if I was still unsure of the potential harm of the program and I had to run it to determine if it's interesting or not (segfault or something similar). I think I would hoist the binary/script into a docker container and run it there. That way the log and result can still be checked, but it's access to actual file system is minimized as much as possible.

TLDR; C-Reduce just gives you text to run/compile, if you're worried about things like that sandbox as much as possible.

btilly 6 hours ago

So just run it inside of a Docker instance.