cse504 class presentation
play

cse504 class presentation LCLint (PLDI96 paper) Splint (IEEE02 - PowerPoint PPT Presentation

Sep 03, 2023 •259 likes •736 views

cse504 class presentation LCLint (PLDI96 paper) Splint (IEEE02 paper) Prefix (Intrinsa SP&E00 paper) jaeyeon.jung@intel.com 04/07/2010 1 part I static detection of dynamic memory errors 2 the problem memory

  1. cse504 class presentation • LCLint (PLDI’96 paper) • Splint (IEEE’02 paper) • Prefix (Intrinsa SP&E’00 paper) jaeyeon.jung@intel.com 04/07/2010 1

  2. part I static detection of dynamic memory errors 2

  3. the problem • memory errors are hard to detect at compile-time • observations – many bugs result from invalid assumptions about the results of functions and the values of parameters and global variables. – these bugs are platform independent. 3

  4. memory errors • misuses of null pointers • lack of memory allocation or deallocation • uses of undefined storage • unexpected aliasing 4

  5. sample.c extern char *gname; void setName (char *pname) { gname = pname; } 5

  6. sample.c extern char *gname; 1. must not be a sole ref. void setName (char *pname) { gname = pname; } 6

  7. sample.c extern char *gname; void setName (char *pname) { gname = pname; } 2. gname and pname are aliased. 7

  8. sample.c extern char *gname; void setName (char *pname) { gname = pname; } 3. gname may not be dereferenced if pname is a null pointer. 8

  9. sample.c extern char *gname; void setName (char *pname) { gname = pname; } 4. gname may not be dereferenced as a rvalue unless pname pointed to defined storage. 9

  10. the approach • make assumptions explicit with annotations – function interfaces, variables, types • extend LCLint to statically detect the errors – LCLint became secure programming Lint http://www.splint.org/ 10

  11. annotations • syntactic comments – e.g., /* @null@ */ • used in – type declaration – function parameter or return value declarations – global and static variable declarations 11

  12. annotations --- null pointers extern char *gname; 1 2 void setName (/*@null@*/ char *pname) { 3 gname = pname; 4 } 5 sample.c:5: function returns with non-null global gname referencing null storage. sample.c:4: storage gname may become null. 12

  13. annotations --- null pointers extern char *gname; extern /*@truenull@*/ isNull (/*@null@*/ char *x); void setName (/*@null@*/ char *pname) { If (!isNull(pname)) { gname = pname; } } 13

  14. annotations --- definition • out: referenced storage need not be defined • in/partial/undef: referenced storage is completely/partially/not defined • reldef: value assumed to be defined when it is used, but need not be assigned to defined storage 14

  15. annotations --- allocation extern /*@only@*/ char *gname; 1 2 void setName (/*@temp@*/ char *pname) { 3 gname = pname; 4 } 5 1. memory leak 2. gname will become a dead pointer if the caller deallocates the actual parameter 15

  16. annotations --- aliasing • unique: parameter aliasing • returned: a reference to the parameter may be returned 16

  17. evaluation --- toy program • employee database program (1K LoC) • adding annotations is an iterative process – 13 only, 1 out, 1 null • found three bugs – null pointers, allocation, aliasing 17

  18. evaluation --- toy program 18

  19. evaluation --- LCLint • 100K lines of code • < 4 minutes to check • adding all annotations required a few days over the course of a few weeks by one person • revealed limitations of strict annotations – e.g., handling an error condition 19

  20. summary • the annotations improve – static checking – maintaining and developing code • a combination of static checking and run-time checking is promising to producing reliable code. 20

  21. part II Improving security using extensible lightweight static analysis 21

  22. the problem • the techniques for avoiding security vulnerabilities are not codified into the software development process • C is difficult to secure – unsafe functions – confusing APIs 22

  23. the solution • Splint: a lightweight static analysis tool for ANSI C – detects stack and heap-based buffer overflow vulnerabilities – support user-defined checks • constrain the values of attributes at interface points • specify how attributes change 23

  24. the challenges • false positive & false negatives • tradeoff between precision and scalability – limited to data flow analysis within procedure bodies – merges possible paths at branch points – use heuristics to analyze loop 24

  25. example --- buffer overflow analysis • requires, ensures • maxSet – highest index that can be safely written to • maxRead – highest index that can be safely read • char buffer[100]; – ensures maxSet(buffer) == 99 25

  26. SecurityFocus.com Example char *strncat (char *s1, char *s2, size_t n) /*@requires maxSet(s1) >=maxRead(s1) + n@*/ void func(char *str){ char buffer[256]; strncat(buffer, str, sizeof(buffer) - 1); return; uninitialized array } Source: Secure Programming working document, SecurityFocus.com 26 http://www.cs.virginia.edu/evans/talks/usenix.ppt

  27. Warning Reported char * strncat (char *s1, char *s2, size_t n) /*@requires maxSet(s1) >= maxRead(s1) + n @*/ char buffer[256]; strncat(buffer, str, sizeof(buffer) - 1); strncat.c:4:21: Possible out-of-bounds store: strncat(buffer, str, sizeof((buffer)) - 1); Unable to resolve constraint: requires maxRead (buffer @ strncat.c:4:29) <= 0 needed to satisfy precondition: requires maxSet (buffer @ strncat.c:4:29) >= maxRead (buffer @ strncat.c:4:29) + 255 derived from strncat precondition: requires maxSet (<parameter 1>) >= maxRead (<parameter1>) + <parameter 3> 27 http://www.cs.virginia.edu/evans/talks/usenix.ppt

  28. example --- taint analysis http://www.cs.virginia.edu/~evans/pubs/ieeesoftware.pdf 28

  29. example --- taint analysis char *strcat (/*@returned@*/ char *s1, char *s2) /*@ensures s1:taintedness = s1:taintedness | s2.taintedness@*/ annotated declarations define taint propagation at the interface for standard library functions 29

  30. evaluation --- wu-ftpd • 20K LoC • < 4 seconds to check the code on a slow (1.2GHz) machine • found a few known bugs using the taint analysis • 101 warnings after adding 66 annotations – 76 false positives • external assumptions, arithmetic limitations, alias analysis, flow control, loop heuristics 30

  31. wu-ftpd vulnerablity int acl_getlimit(char *class, char *msgpathbuf) int access_ok( int msgcode) { /*@requires maxSet(msgpathbuf) >= 1023 @*/ /*@requires maxSet(msgpathbuf) >= 199 @*/ char class[1024], msgfile[200]; { int limit; struct aclmember *entry = NULL; while (getaclentry("limit", &entry)) { … … strncpy(msgpathbuf, entry->arg[3], 1023); strncpy(msgpathbuf, entry->arg[3], 199); strcpy(msgpathbuf, entry->arg[3]); msgpathbuf[1023] = ‘ \ 0’; msgpathbuf[199] = ‘ \ 0’; limit = acl_getlimit(class, msgfile); LCLint reports a possible buffer overflow for LCLint reports an error at a call site of acl_getlimit strcpy(msgpathbuf, entry->arg[3]); 31 http://www.cs.virginia.edu/evans/talks/usenix.ppt

  32. summary • static analysis is promising but – limited to finding problems that manifest as inconsistencies between the code and assumptions documented in annotations – annotating legacy code is laborious • static analysis helps codifying knowledge into tools not to avoid making same mistakes 32

  33. part III A static analyzer for finding dynamic programming errors 33

  34. the problem • many bugs are caused by the interaction of multiple functions and may be revealed only in unusual cases – compilers, Lint are limited to intra- procedural checks – annotation checkers require too much work – debugging tools incur performance overhead 34

  35. the design goals • practical – effectively check C/C++ programs – leverage information automatically derived from the program text • analysis limited to achievable paths • actionable – automatic characterization of defects 35

  36. PREfix’s key concept • simulate functions using VM – achievable paths • automatically generate a function’s model • bottom-up analysis 36

  37. PREfix • parse the source code into abstract syntax tree • run topological sort for simulating functions from the leaf • load existing models for relevant functions • simulate functions – simulate achievable paths – per-path simulation 37

  38. per-path simulation • memory: exact values and predicates – known exact value, initialized but unknown value, uninitialized value – dereference • operations on memory – setting, testing, assuming • conditions, assumptions and choice points • end-of-path analysis – leak analysis 38

  39. model -- deref 39

  40. model -- deref 40

  41. model generation • record all the per-path memory state – tests -> constraints • save externally visible states – parameters, return values and globals • merge states – for performance – equivalent merging (e.g., one assumes x>0 and the other assumes x<=0) – no aggressive merging (e.g., [merge *p=5 and *p=8 -> *p is initialized] caused accuracy issues 41

  42. evaluation OK performance on a slow machine 42

  43. evaluation false +s: 10% - 25% (Apache) 43

  44. evaluation the decrease in coverage as more models are introduced 44

Recommend

Better Glue for Pipelines CSE504 Project Proposal Luheng He 1 Motivation: Pipelined Software

Better Glue for Pipelines CSE504 Project Proposal Luheng He 1 Motivation: Pipelined Software

Better Glue for Pipelines CSE504 Project Proposal Luheng He 1 Motivation: Pipelined Software for NLP/ML Tasks (Mostly) task-independent, off-the-shelf tools Typical subtasks for NLP Typical subtasks for ML 1 Input Reader Input Reader

396 views • 4 slides
Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who

Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who

Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who first became an active member of PSERS on or after July 1, 2019, you are automatically enrolled as a Class TG member. Class TG is a hybrid of both

538 views • 17 slides
First-Class Values A value is first-class if it satisfies all of these properties: First-Class

First-Class Values A value is first-class if it satisfies all of these properties: First-Class

First-Class Values A value is first-class if it satisfies all of these properties: First-Class Functions in Racket It can be named by a variable It can be passed as an argument to a function; It can be returned as the result of a

341 views • 3 slides
TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving

TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving

TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving Terms Linear Dispersion Coupling Chromatic Beating Conclusion To do TwissOptics Class 3 The TwissOptics Class TwissOptics Class 4 New class

450 views • 24 slides
Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use

Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use

Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use object composition . Class A will have a field (variable) of class B in its implementation. When class A is a specific kind of another class B,

700 views • 12 slides
Class Specifications } A class diagram only gives a sketch of that class } More detail is

Class Specifications } A class diagram only gives a sketch of that class } More detail is

Class Specifications } A class diagram only gives a sketch of that class } More detail is given by the full specification of a class } Every useful Java class should have such a specification } When you write code, its up to you to create

64 views • 4 slides
CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 14 Class Overview

436 views • 15 slides
CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 16 Class Overview

344 views • 17 slides
CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class

CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class

CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 11 Class Overview

515 views • 12 slides
Previous*Courses Digital*Logic*Design Boolean*Algebra

Previous*Courses Digital*Logic*Design Boolean*Algebra

Preliminary*Information Instructor*Introduction Class*Policies Disabilities/Religious*Holidays Cheating/Copying Class*Web*Site Class*Notes Class*Schedule Laboratories

795 views • 18 slides
The header file is a class declaration class Dice What the class looks like, but now how it

The header file is a class declaration class Dice What the class looks like, but now how it

Classes: From Use to Implementation Anatomy of the Dice class The class Dice, need #include &quot; dice.h &quot; Weve used several classes, a class is a collection of objects sharing similar characteristics Objects: six-sided dice,

299 views • 8 slides
Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS

Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS

Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS report CLASS Webinar Series -Scope &amp; Sequence Title Description Why the DECE uses the CLASS tool What the CLASS tool measures CLASS 101

447 views • 41 slides
Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is

Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is

Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is the separation of class implementation details from the use of the class. The class creator provides a description of the class to let users know

420 views • 24 slides
Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly

Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly

Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly braces of another class, but outside any method or other code block. An inner class is a full-fledged member of the enclosing (outer) class, so it can

381 views • 6 slides
Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A

Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A

Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A Uniform CLASS A UNIFORM C1. Wear the Class A Uniform to standard. Class A Uniform Known as Black Service Uniform or Class A Worn mainly

502 views • 14 slides
Logos Class Letters to the Corinthians online class for Oct 11, 2020 Logos Class. Mod 1 Room

Logos Class Letters to the Corinthians online class for Oct 11, 2020 Logos Class. Mod 1 Room

Logos Class Letters to the Corinthians online class for Oct 11, 2020 Logos Class. Mod 1 Room 1 10/10/20 1 Agenda for todays class Open chat room from 8:50am to 9:05am 9:05-9:15 Prayer time and updates Welcome our guests today

710 views • 19 slides
UML Class Diagrams Steven Zeil February 25, 2013 UML Class Diagrams Outline Class

UML Class Diagrams Steven Zeil February 25, 2013 UML Class Diagrams Outline Class

UML Class Diagrams UML Class Diagrams Steven Zeil February 25, 2013 UML Class Diagrams Outline Class Diagrams 1 A Class, in Isolation 2 Attributes Operations Generalization Relationships 3 Associations 4 Naming Your

948 views • 68 slides
DINNER Class of '61 Class of '61 Welcome Peter Turner Chairman of the 2016 Reunion

DINNER Class of '61 Class of '61 Welcome Peter Turner Chairman of the 2016 Reunion

2016 2016 DINNER Class of '61 Class of '61 Welcome Peter Turner Chairman of the 2016 Reunion Organizing Committee Class of '61 Ted Forsyth Laird King Tony De Kock Tony Sherrard Bevan Rudolph Class of '61 ROGER WEBBER Class of

626 views • 40 slides
3/14/16 Review Class/Object Type Class Keyword class class Point

3/14/16 Review Class/Object Type Class Keyword class class Point

3/14/16 Review Class/Object Type Class Keyword class class Point { // Fields int x; Object Declares a new type int y; color c; Data fields ( class variables)

318 views • 3 slides
Logos Class Letter to the Philippian Church Online class for June 28, 2020 6/28/20 1

Logos Class Letter to the Philippian Church Online class for June 28, 2020 6/28/20 1

Logos Class Letter to the Philippian Church Online class for June 28, 2020 6/28/20 1 Agenda for todays class Open chat room from 8:50am to 9:10am 9:10-9:15 Prayer time and general class discussion Welcome our guests today

453 views • 17 slides
Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010

Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010

Vector Class Grid Class Stack Class Queue Class Map Class Lexicon Class Scanner Class Iterators Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010 Vector Class Grid Class Stack Class Queue Class

586 views • 54 slides
ENDNOTES 14.84 E3d 734 (5th Cir. 1996). against nationwide class where 1. Gen.Tel. Co. Falcon,

ENDNOTES 14.84 E3d 734 (5th Cir. 1996). against nationwide class where 1. Gen.Tel. Co. Falcon,

Consumer Cases Brought under Rule 23(b)(3) STRATEGIES FOR DEFEATING CLASS CERTIFICATION By Thomas A. Dye and Dean A. Morande A lawsuit founded defeating succeed in class tainable. consumer A class definition fails if it is on to ever even

502 views • 4 slides
class Orange { } class Pork {

class Orange { } class Pork {

Name: _____________________________ Date:______________________ Student #: _________________________________ COMP3021: Java Programming In-class Exercise The

275 views • 4 slides
AR Stars! 6 th Grade Students 30% Goal Ms. Bartels Class Ms. Lopezs Class Mr. Chos Class

AR Stars! 6 th Grade Students 30% Goal Ms. Bartels Class Ms. Lopezs Class Mr. Chos Class

Honoring our Cortez AR Stars! 6 th Grade Students 30% Goal Ms. Bartels Class Ms. Lopezs Class Mr. Chos Class Kaylee Dominguez Amaiah Barba Sara Santamaria Gwen Gelabert Adrian Chavez Ethan Serrano Miley Matos Julian Chavez

382 views • 16 slides

More recommend