CQual: A Tool for Adding Type Qualifiers to C
Jeff Foster et al., UC Berkeley
OSQ Retreat, May
Background
Software is buggy! How can we improve the quality of software?
– We want to build tools to analyze source code
  Find bugs at compile-time
  Help programmers write correct code
But tools need to know what is "correct"
– ...they need specifications
Tools Need Specifications
put_tty_queue_nolock(c, tty);
spin_lock_irqsave(&tty->read_lock, flags);
spin_unlock_irqrestore(&tty->read_lock, flags);
Goal: Add specifications to programs
In a way that...
– Programmers will accept
  Lightweight
– Scales to large programs
– Solves many different problems
Type Qualifiers
Extend standard type systems (C, Java, ML)
– Programmers already use types
– Programmers understand types
– Get programmers to write down a little more...
Examples (qualified type, application):
  const int              ANSI C
  tainted char *         Security vulnerabilities
  unlocked spinlock_t    Locking
CQual
A tool for adding type qualifiers to C
– User-specified qualifiers
– Annotate some qualifiers by hand
– CQual infers the rest
Version 1:
– Written in SML/NJ
– Used C parser from alias analysis
  Was lots of work to fix, extend to GNU C
– Constraints solved with BANE
Application: Const Inference
Main use of const: non-modified parameters
void foo(const int *x);   /* foo does not write *x */
How many more consts can we add?
– Left-hand side of assignment is non-const
– Everything that's not non-const is const
Analyzed six C programs – lines
– All make effort to use const
Const Inference Results
Carillon
CQual for finding Y2K bugs
– Mark date strings with YYYY, YY, NONYEAR, ...
Better user interface
– (Demo later)
Found known bug in CVS 1.9
– Took only a few hours of work
Problems with CQual Version 1
Bad error messages in parser
Too slow, used too much memory
Written in ML
– No tools available (debugger, profiler, etc.)
– Hard to control memory usage, performance
– |{know ML}| is small
– |{know ML} ∩ {care about C}| is very small
CQual Version 2: Rewrite to C
Use David Gay's parser
– Extracted/modified from gcc
– Very compatible
– Very good error messages
Custom constraint solver
– Solves atomic subtyping constraints
– Dropped polymorphic qualifier inference
  But allow user-specified polymorphism
Application: Format-String Vulnerabilities
Adversary-controlled format specifier
name :=
printf(name);   /* Oops */
– Attacker sets name = "%s%s%s" to crash program
– Attacker sets name = "...%n..." to write to memory
Lots of these bugs in the wild
– New ones weekly on bugtraq mailing list
– Too restrictive to forbid variable format strings
Using Tainted and Untainted
Add qualifier annotations
int printf(untainted char *fmt, ...)
tainted char *getenv(const char *)
tainted = may be controlled by adversary
untainted = must not be controlled by adversary
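To make the inference concrete, here is an added example (not CQual's code, and not the solver from the talk) of the flow-insensitive idea behind the tainted/untainted analysis and the "atomic subtyping constraints" of Version 2. Every expression gets a qualifier variable, each assignment or call argument becomes a constraint from <= to on the two-point lattice untainted < tainted, and solving propagates tainted forward and untainted backward until a fixed point; a variable pushed to both is a type error. The library annotations are the two from the slide; the names getenv_ret, printf_fmt, printf_vararg, fmt_literal and the two demo programs are constructed for this example. The same propagation, with the lattice non-const < const and unconstrained variables defaulting to const, is the shape of the const inference described earlier.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CQual's code: minimal flow-insensitive qualifier
 * inference on the lattice untainted < tainted. A constraint lo <= hi
 * means "lo flows to hi". TAINTED propagates forward (lo -> hi),
 * UNTAINTED propagates backward (hi -> lo); a variable holding both is
 * a type error: tainted data reaches an untainted sink. */

enum qual {
    Q_UNKNOWN   = 0,
    Q_UNTAINTED = 1,
    Q_TAINTED   = 2,
    Q_CONFLICT  = 3    /* Q_UNTAINTED | Q_TAINTED: both were forced */
};

#define MAX_VARS 16
#define MAX_CONS 32

struct constraint { int lo, hi; };            /* lo <= hi */

struct system {
    const char *name[MAX_VARS];
    enum qual q[MAX_VARS];
    int nvars;
    struct constraint c[MAX_CONS];
    int ncons;
};

static int lookup(const struct system *s, const char *name) {
    for (int i = 0; i < s->nvars; i++)
        if (strcmp(s->name[i], name) == 0) return i;
    return -1;
}

/* Qualifier variable for a (constructed) name, created on first use. */
static int var(struct system *s, const char *name) {
    int i = lookup(s, name);
    if (i >= 0) return i;
    assert(s->nvars < MAX_VARS);
    s->name[s->nvars] = name;
    s->q[s->nvars] = Q_UNKNOWN;
    return s->nvars++;
}

static void flows(struct system *s, const char *from, const char *to) {
    assert(s->ncons < MAX_CONS);
    s->c[s->ncons].lo = var(s, from);
    s->c[s->ncons].hi = var(s, to);
    s->ncons++;
}

/* Add qualifier bit q to variable v; returns 1 if the variable changed. */
static int force(struct system *s, int v, enum qual q) {
    if ((s->q[v] & q) == q) return 0;
    s->q[v] = (enum qual)(s->q[v] | q);       /* may become Q_CONFLICT */
    return 1;
}

/* Iterate to a fixed point; returns the number of conflicting variables. */
static int solve(struct system *s) {
    int changed = 1;
    while (changed) {
        changed = 0;
        for (int i = 0; i < s->ncons; i++) {
            int lo = s->c[i].lo, hi = s->c[i].hi;
            if (s->q[lo] & Q_TAINTED)   changed |= force(s, hi, Q_TAINTED);
            if (s->q[hi] & Q_UNTAINTED) changed |= force(s, lo, Q_UNTAINTED);
        }
    }
    int errors = 0;
    for (int i = 0; i < s->nvars; i++)
        if (s->q[i] == Q_CONFLICT) errors++;
    return errors;
}

static enum qual qual_of(const struct system *s, const char *name) {
    int i = lookup(s, name);
    return i < 0 ? Q_UNKNOWN : s->q[i];
}

/* The two annotations from the slide:
 *   tainted char *getenv(const char *);   int printf(untainted char *fmt, ...); */
static void annotate_libc(struct system *s) {
    memset(s, 0, sizeof *s);
    force(s, var(s, "getenv_ret"), Q_TAINTED);
    force(s, var(s, "printf_fmt"), Q_UNTAINTED);
}

/* Constructed program:  name = getenv("NAME"); printf(name);   -- buggy */
static int demo_unsafe(struct system *s) {
    annotate_libc(s);
    flows(s, "getenv_ret", "name");   /* name = getenv(...) */
    flows(s, "name", "printf_fmt");   /* printf(name): name is the format */
    return solve(s);                  /* 3: every variable on the tainted->untainted path */
}

/* Constructed program:  name = getenv("NAME"); printf("%s", name);   -- fixed */
static int demo_safe(struct system *s) {
    annotate_libc(s);
    flows(s, "getenv_ret", "name");
    flows(s, "fmt_literal", "printf_fmt");   /* the "%s" literal is the format */
    flows(s, "name", "printf_vararg");       /* name is an ordinary argument */
    return solve(s);                         /* 0; fmt_literal is inferred untainted */
}

int main(void) {
    struct system s;
    printf("printf(name):       %d type error(s)\n", demo_unsafe(&s));
    printf("printf(\"%%s\", name): %d type error(s)\n", demo_safe(&s));
    return 0;
}
```

Note that in the buggy program all three variables end up in conflict, not just the sink: tainted <= name <= untainted has no solution, so an error report should follow the whole path from getenv to printf, which is exactly the user-interface point the results slide makes. In the fixed program the only annotation the programmer wrote is on printf, and the solver infers that the string literal must be untainted while name stays tainted.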
Demo of cqual
Results: Format String Vulnerabilities
Analyzed 10 popular Unix daemon programs
Annotations shared across applications
– One annotated header file for standard libraries
– Taint flows across type casts
Found several known vulnerabilities
– Including ones we didn't know about
– CQual's user interface critical
Application: Locking
Lock x;
lock(x);                  /* x : locked Lock */
...critical section...
unlock(x);                /* x : unlocked Lock */
Flow-Sensitivity
Standard type systems are flow-insensitive
– Variable x has one type
– And one set of qualifiers
We need flow-sensitivity
– Different qualifiers for x at each program point
Enter CQual Version 3
– Support for flow-sensitive qualifiers
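The locking slide and the flow-sensitivity slide together describe a checker in which x carries a different qualifier at each program point. The following is an added example (not CQual's code, and not its flow-sensitive type system) of that idea as a toy forward pass over a constructed op list: each lock has a locked/unlocked state per program point, lock(x) on a locked x is a double acquire, unlock(x) on an unlocked x is a double release, and the two arms of an if must agree at the merge. The opcode names, the struct result fields and the three demo programs are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CQual's code: a toy flow-sensitive checker in the
 * spirit of the locked/unlocked qualifiers. The "program" is a constructed
 * list of ops (lock, unlock, one level of if/else, return). The checker
 * keeps a separate qualifier for each lock at each program point, which a
 * flow-insensitive type (one qualifier per variable) cannot express. */

#define MAX_LOCKS 4

enum opcode { OP_LOCK, OP_UNLOCK, OP_IF, OP_ELSE, OP_ENDIF, OP_RETURN };
enum state  { UNLOCKED = 0, LOCKED = 1 };

struct op { enum opcode code; int lock; };   /* lock: 0..MAX_LOCKS-1 */

struct result {
    int double_acquire;   /* lock(x) while x : locked */
    int double_release;   /* unlock(x) while x : unlocked */
    int merge_mismatch;   /* then/else arms disagree about x after the if */
    int held_at_exit;     /* return while x : locked */
};

static int total(const struct result *r) {
    return r->double_acquire + r->double_release
         + r->merge_mismatch + r->held_at_exit;
}

/* One forward pass over the ops; returns the number of type errors. */
static int check(const struct op *prog, int n, struct result *r) {
    enum state cur[MAX_LOCKS] = {0};          /* state at the current point */
    enum state before_if[MAX_LOCKS] = {0};    /* state on entry to the if */
    enum state after_then[MAX_LOCKS] = {0};   /* state at the end of the then arm */
    int has_else = 0;
    memset(r, 0, sizeof *r);
    for (int i = 0; i < n; i++) {
        int l = prog[i].lock;
        switch (prog[i].code) {
        case OP_LOCK:
            if (cur[l] == LOCKED) r->double_acquire++;
            cur[l] = LOCKED;
            break;
        case OP_UNLOCK:
            if (cur[l] == UNLOCKED) r->double_release++;
            cur[l] = UNLOCKED;
            break;
        case OP_IF:
            memcpy(before_if, cur, sizeof cur);
            has_else = 0;
            break;
        case OP_ELSE:
            memcpy(after_then, cur, sizeof cur);   /* remember the then arm's result */
            memcpy(cur, before_if, sizeof cur);    /* the else arm starts from the if */
            has_else = 1;
            break;
        case OP_ENDIF: {
            /* An if without else has an empty else arm, whose end state is before_if. */
            const enum state *other = has_else ? after_then : before_if;
            for (int k = 0; k < MAX_LOCKS; k++)
                if (cur[k] != other[k]) { r->merge_mismatch++; cur[k] = LOCKED; }
            break;
        }
        case OP_RETURN:
            for (int k = 0; k < MAX_LOCKS; k++)
                if (cur[k] == LOCKED) r->held_at_exit++;
            break;
        }
    }
    return total(r);
}

#define RUN(prog, r) check(prog, (int)(sizeof (prog) / sizeof ((prog)[0])), r)

/* lock(x); ...; unlock(x); return   -- well typed */
static int demo_ok(struct result *r) {
    static const struct op prog[] = { {OP_LOCK, 0}, {OP_UNLOCK, 0}, {OP_RETURN, 0} };
    return RUN(prog, r);
}

/* lock(x); lock(x); unlock(x); return   -- double acquire */
static int demo_double_acquire(struct result *r) {
    static const struct op prog[] = { {OP_LOCK, 0}, {OP_LOCK, 0},
                                      {OP_UNLOCK, 0}, {OP_RETURN, 0} };
    return RUN(prog, r);
}

/* lock(x); if (c) unlock(x); unlock(x); return   -- x : locked on one path
 * and x : unlocked on the other, so no single qualifier fits x at the merge */
static int demo_merge(struct result *r) {
    static const struct op prog[] = { {OP_LOCK, 0}, {OP_IF, 0}, {OP_UNLOCK, 0},
                                      {OP_ENDIF, 0}, {OP_UNLOCK, 0}, {OP_RETURN, 0} };
    return RUN(prog, r);
}

int main(void) {
    struct result r;
    printf("ok: %d error(s)\n", demo_ok(&r));
    printf("double acquire: %d error(s)\n", demo_double_acquire(&r));
    printf("branch mismatch: %d error(s)\n", demo_merge(&r));
    return 0;
}
```

The merge case is the one a flow-insensitive system cannot even state: x would need the single qualifier "locked" for the unlock after the if to type, but the then arm leaves it unlocked. Aliasing is deliberately ignored here (each lock is a fixed index); the results slide's mention of adding restrict by hand shows where a real checker has to work harder.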
Demo of cqual
Results: Locking
Looked for simple deadlocks in Linux
– Double acquires/releases
Analyzed 892 files in linux/drivers individually
Analyzed 513 modules (all linked files)
– 14 type errors were deadlocks
– ~41/892 fail to typecheck but appear correct
– ~196/513 fail to typecheck
  Added restrict by hand to remove type errors due to aliasing for 64/196
Running Time: Locking
Memory Usage: Locking
Applications
Published experiments:
– const inference [Foster, Fahndrich, Aiken, PLDI 99]
– Y2K bug detection [Elsman, Foster, Aiken, 1999]
– Format-string vulnerabilities [Shankar, Talwar, Foster, Wagner, Usenix Sec 01]
– Locking, stream operations [Foster, Terauchi, Aiken, PLDI 02]
– Linux Security Modules [Zhang, Edwards, Jaeger (IBM Watson), Usenix Sec 02]
Other experiments:
– Null pointer errors
– TinyOS (Intel)
– User/kernel pointers
– File open/close
What's Next for CQual?
Better version of restrict
Polymorphic-recursive qualifier inference
– Adapt known techniques for flow-insensitive analysis
– Less clear for flow-sensitive analysis
Better alias analysis
– Names vs. location abstraction
Conclusion
CQual adds specifications to programs
In a way that...
– Programmers will accept
  Lightweight
– Scales to large programs
– Solves many different problems
Flow-insensitive version available