1 / 25

Static Analyzer for Buffer Overflow Detection in C Programs

This paper presents a static analysis tool designed to identify buffer overrun errors in C programs without executing any tests. The tool, called Airac, ensures comprehensive analysis by covering all potential states in a program's execution. Utilizing techniques such as sound design through abstract interpretation, flow sensitivity, and static inlining, Airac improves accuracy while minimizing costs through efficient operations. The effectiveness of the analyzer is demonstrated through practical examples, showcasing its ability to identify errors and provide insight into program correctness.

elsie
Télécharger la présentation

Static Analyzer for Buffer Overflow Detection in C Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analyzer for MPSoC Project Yungbum Jung, Jaehwang Kim, Jaeho Shin, Kwangkeun Yi Programming Research Lab. Seoul National University 7/12/2005@MPSOC Project Workshop

  2. AiracStatic Analyzer for Detecting All Buffer Overrun Errors in C Programs • “static”: no test runs • “all”: no un-noticed overruns • “C”: full ANSI C + (GNU C) int *c = (int *)malloc(sizeof(int)*10); c[i] = 1; c[i + f()] = 1; c[*k + (*g)()] = 1; x = c+5; x[1] = 1; z->a = c; (z->a)[i] = 1; foo(c+2); int foo(int *d) {…d[i] = 1; …}

  3. Airac: internals x1 = F1(x1,…,xN) x2 = F2(x1,…,xN) … xN = FN(x1,…,xN) C files equation solver C’ files bug identification

  4. Technologies in Airac • sound design by abstract interpretation • accuracy improvement by • narrowing, flow-sensitivity, context pruning, static inlining(bounded polyvariance), static loop unrolling • cost reduction by • widening, economic join/partial-order operations • careful worklist order: lazy at join points

  5. Finite Approximation struct node {int x[10]; node *next;}; x = (node *)malloc(sizeof(node)); x->next = NULL; for (i=0;;i++) { y = (node *)malloc(sizeof(node)); y->next = NULL; x->next = y; x = y; } … y x ArrayPtr = Base x Offset x Size Offset = Size = Interval x y

  6. Caveats • soundness • typeful C programs • array sizes remain the same as declared • no semantics for error behavior (e.g. overrun, null deref.) • no semantics for completely unknown buffers • no main() then • analyzing procedure calls in their defined order • alarms • not for completely unknown buffers

  7. Airac: performance (1/3)(commercial softwares) 3.2GHz P4, 4GB RAM

  8. Airac: performance (2/3)

  9. Airac: performance (3/3)

  10. Airac: scalability

  11. Airac vs Swat (1/2)

  12. Airac vsSwat(2/2) Airac Bugs Coverity

  13. cdc_acm.c (Linux device driver)

  14. How to Analyze • We collect state at the each program point following semantics of a C program • We must cover all states of program

  15. Example int main() { int i=10; int (*farr[])(int)={incr,decr,incr}; body(farr,i); return 0; } static int incr(int i) { return i+1; } static int decr(int i) { return i-1; } int body(int (*farr[])(int), int i) { int arr[10]; int idx = rand() % 3; int num = farr[idx](i); printf(“num=%d\n”, num); if (num >= 0) then return arr[num]; else body(farr, num); } idx ! [0, 2] Result: array index out of bound at (file: "test/fptr.c", line: 20, column: 21) Array name: arr Overflow (array index: [9, 11], array size: [10, 10])

  16. Fixpoint Algorithm int A[10]; int i; int num = 10; for (i=0; i<num; i++) { A[i] = i; } A[i] = 10; start num  [10, 10] i=0; i  [0, 0] i<num; i  [0, 0] i  [0, 1] A[i] = i; i  [1, 1] i  [1, 2] A[0]  [0, 0] A[1]  [0, 1] A[0]  [0, 1] i++;

  17. Fixpoint Algorithm int A[10]; int i; int num = 10; for (i=0; i<num; i++) { A[i] = i; } A[i] = 10; start num  [10, 10] i=0; i  [0, 0] i<num; i  [10, 10] i  [0, 9] A[i] = 10; i  [1, 10] A[i] = i; A[0]  [0, 9]  A[9]  [0, 9] end i++;

  18. Fixpoint Algorithm With Widening int A[10]; int i; int num = rand(); for (i=0; i<num; i++) { A[i] = i; } A[i] = 10; start num  [-1, +1] i=0; i  [0, 0] i<num; i  [0, 0] i  [0, 1] i  [0, 0] i  [0, 1] A[i] = 10; A[i] = i; i  [1, 2] i  [1, 1] A[0]  [10, 10] A[0]  [10, 10] A[1]  [10, 10] A[0]  [0, 0] A[1]  [0, 1] A[0]  [0, 1] end i++;

  19. Fixpoint Algorithm With Widening int A[10]; int i; int num = rand(); for (i=0; i<num; i++) { A[i] = i; } A[i] = 10; start num  [-1, +1] i=0; i  [0,0] i<num; i  [0, 1] i  [0,+1] i  [0,+1] i  [1,+1] A[i] = 10; A[i] = i; A[0]  [0, +1]  A[9]  [0, +1] A[0]  [0,+1]  A[9]  [0,+1] A[0]  [10,10] A[1]  [10,10] end i++;

  20. cdc_acm.c (Linux device driver)

  21. Better than Airac • faster and more accurate • Implemented with • trace partitioning • error explanation • stack removal • code for open-source

  22. Trace Partitioning main(void) { int arr[10]; int *p = (int *)malloc(sizeof(int)*10); int n, k; scanf(“Type an integer:\n”,&n); if(n <10 && n >=0){ k = 1; arr[n] = n; } else { k = 0; *(p + n)= 10; } if(k){ p[n] = 10; false alarm! } } start num=readInput(); n  [-1,+1] n? n  [0,9] n  [-1,+1] k=1; k=0; k  [1,1] k  [0,0] arr[n]=n; *(p+n)=10; n  [-1,+1] k? k  [0,1] p[n]=10; end

  23. Trace Partitioning main(void) { int arr[10]; int *p = (int *)malloc(sizeof(int)*10); int n, k; scanf(“Type an integer:\n”,&n); if(n <10 && n >=0){ k = 1; arr[n] = n; } else { k = 0; *(p + n)= 10; } if(k){ p[n] = 10; } } start num=readInput(); n  [-1,+1] n? n  [0,9] n  [-1,+1] k=1; k=0; k  [1,1] k  [0,0] arr[n]=n; *(p+n)=10; k? k? p[n]=10; end end

  24. Error Explanation int str_length = 2; inline void double_length() { str_length <<= 1; /* index참조에 사용된 변수값이 변한 지점 */ } static void get_string(char *string) { int counter; for (counter = 0; counter < str_length; counter++) { ...... } double_length(); /* index참조에 사용된 변수값이 변한 호출 */ string[str_length-1] = '\0'; /* Index: [3, 3] */ ...... } main(void) { ...... char *device_string = (char*) malloc(sizeof(char) * str_length); /* alarm이 발생한 buffer가 선언된 지점 */ get_string(device_string); /* alarm이 발생한 호출 */ ...... }

  25. Thank you ropas.snu.ac.kr/airac

More Related