Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Virginia Computer Science Extensible Lightweight Static Checking David Evans On the I/O.

Published byHortense Douglas Modified over 7 years ago

Similar presentations

Presentation on theme: "University of Virginia Computer Science Extensible Lightweight Static Checking David Evans On the I/O."— Presentation transcript:

1 University of Virginia Computer Science Extensible Lightweight Static Checking David Evans evans@cs.virginia.edu http://lclint.cs.virginia.edu On the I/O Streams Challenge Problem LCLint

2 14 August 2001Spec-n-Check2 Everyone Likes Types Easy to Understand Easy to Use Quickly Detect Many Programming Errors Useful Documentation …even though they are lots of work! –1/4 of text of typical C program is for types

3 14 August 2001Spec-n-Check3 Limitations of Standard Types Type of reference never changes Language defines checking rules One type per reference

4 14 August 2001Spec-n-Check4 Type of reference never changes State changes along program paths Language defines checking rules Programmer defines checking rules One type per reference Many attributes per reference Attributes Similar to Vault, linear types, typestates, etc. Limitations of Standard Types

5 14 August 2001Spec-n-Check5 LCLint Lightweight static analysis tool [FSE’94, PLDI’96] – “quick and dirty” Simple dataflow analyses Unsound and Incomplete Several thousand users…perhaps ¼ adding annotations to code: gradual learning curve Detects inconsistencies between code and specifications Examples: memory management (leaks, dead references), null dereferences, information hiding, undocumented modifications, etc. annotations documented assumptions

6 14 August 2001Spec-n-Check6 I/O Streams Challenge Many properties can be described in terms of state attributes –A file is open or closed fopen: returns an open file fclose: open  closed fgets, etc. require open files –Reading/writing – must reset between certain operations

7 14 August 2001Spec-n-Check7 Defining Openness attribute openness context reference FILE * oneof closed, open annotations open ==> open closed ==> closed transfers open as closed ==> error closed as open ==> error merge open + closed ==> error losereference open ==> error "file not closed" defaults reference ==> open end Cannot abandon FILE in open state Object cannot be open on one path, closed on another

8 14 August 2001Spec-n-Check8 Specifying I/O Functions /*@open@*/ FILE *fopen (const char *filename, const char *mode); int fclose (/*@open@*/ FILE *stream) /*@ensures closed stream@*/ ; char *fgets (char *s, int n, /*@open@*/ FILE *stream);

9 14 August 2001Spec-n-Check9 Reading, ‘Riting, ‘Rithmetic attribute rwness context reference FILE * oneof rwnone, rwread, rwwrite, rweither annotations read ==> rwread write ==> rwwrite rweither ==> rweither rwnone ==> rwnone merge rwread + rwwrite ==> rwnone rwnone + * ==> rwnone rweither + rwread ==> rwread rweither + rwwrite ==> rwwrite transfers rwread as rwwrite ==> error "Must reset file between read and write." rwwrite as rwread ==> error "Must reset file between write and read." rwnone as rwread ==> error "File in unreadable state." rwnone as rwwrite ==> error "File in unwritable state." rweither as rwwrite ==> rwwrite rweither as rwread ==> rwread defaults reference ==> rweither end

10 14 August 2001Spec-n-Check10 Reading, ‘Righting /*@rweither@*/ FILE *fopen (const char *filename, const char *mode) ; int fgetc (/*@read@*/ FILE *f) ; int fputc (int, /*@write@*/ FILE *f) ; /* fseek resets the rw state of a stream */ int fseek (/*@rweither@*/ FILE *stream, long int offset, int whence) /*@ensures rweither stream@*/ ;

11 14 August 2001Spec-n-Check11 Checking Simple dataflow analysis Intraprocedural – except uses annotations to alter state around procedure calls Integrates with other LCLint analyses (e.g., nullness, aliases, ownership, etc.)

12 14 August 2001Spec-n-Check12 Example FILE *f = fopen (fname, “rw”); int i = fgetc (f); if (i != EOF) { fputc (i, f); fclose (f); } f:openness = open, f:rwness = rwread Attribute mismatch – passed read where write FILE * expected. Possibly null reference f passed where non-null expected f:openness = open f:rwness = rweither Branches join in incompatible states: f is closed on true branch,open on false branch f:openness = closed, f:rwness = rwnone

13 14 August 2001Spec-n-Check13 Results On my code…works great –Checked LCLint sources (178K lines, takes 240 seconds on Athlon 1.2GHz) –No annotations: 2 errors –Added 1 ensures clause static void loadrc (FILE *p_rcfile, cstringSList *) /*@ensures closed p_rcfile@*/ ; –No more warnings

14 14 August 2001Spec-n-Check14 Results – “Real” Code wu-ftpd 2.6.1 (20K lines, ~4 seconds) No annotations: 7 warnings After adding ensures clause for ftpd_pclose –4 spurious warnings 1 used function pointer to close FILE 1 reference table 2 convoluted logic involving function static variables –2 real bugs (failure to close ftpservers file on two paths)

15 14 August 2001Spec-n-Check15 Taintedness attribute taintedness context reference char * oneof untainted, tainted annotations tainted reference ==> tainted untainted reference ==> untainted anytainted parameter ==> tainted transfers tainted as untainted ==> error merge tainted + untainted ==> tainted defaults reference ==> tainted literal ==> untainted null ==> untainted end

16 14 August 2001Spec-n-Check16 tainted.xh int fprintf (FILE *stream, /*@untainted@*/ char *format,...) ; /*@tainted@*/ char *fgets (char *s, int n, FILE *) /*@ensures tainted s@*/ ; char *strcpy (/*@returned@*/ /*@anytainted@*/ char *s1, /*@anytainted@*/ char *s2) /*@ensures s1:taintedness = s2:taintedness@*/ ; char *strcat (/*@returned@*/ /*@anytainted@*/ char *s1, /*@anytainted@*/ char *s2) /*@ensures s1:taintedness = s1:taintedness | s2:taintedness@*/ ;

17 14 August 2001Spec-n-Check17 Buffer Overflows Most commonly exploited security vulnerability –1988 Internet Worm –Still the most common attack Code Red exploited buffer overflow in IIS >50% of CERT advisories, 23% of CVE entries in 2001 Finite-state attributes not good enough –Need to know about lengths of allocated buffers

18 14 August 2001Spec-n-Check18 Detecting Buffer Overflows More expressive annotations –e.g., maxSet is the highest index that can safely be written to Checking uses axiomatic semantics with simplification rules Heuristics for analyzing common loop idioms Detected known and unknown vulnerabilities in wu-ftpd and BIND Paper (with David Larochelle) in USENIX Security 2001

19 14 August 2001Spec-n-Check19 Will Programmers Add Annotations? C in 1974: char *strcpy (); C in 1978: char *strcpy (char *s1, char *s2); C in 1989: char *strcpy (char *s1, const char *s2); C in 1999: char *strcpy (char * restrict s1, const char * restrict s2); C in 20??: nullterminated char *strcpy (returned char *restrict s1, nullterminated const char *restrict s2) requires maxSet(s1) >= maxRead (s2) ensures s1:taintedness = s2:taintedness ensures maxRead(s1) = maxRead (s2);

Download ppt "University of Virginia Computer Science Extensible Lightweight Static Checking David Evans On the I/O."

Similar presentations

CH4.1 Type Checking Md. Fahim Computer Engineering Department Jamia Millia Islamia (A Central University) New Delhi – 110 025

CH4.1 Type Checking Md. Fahim Computer Engineering Department Jamia Millia Islamia (A Central University) New Delhi –
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
BITS Pilani, Pilani Campus TA C252 Computer Programming - II Vikas Singh File Handling.

BITS Pilani, Pilani Campus TA C252 Computer Programming - II Vikas Singh File Handling.
Files in C Rohit Khokher. Files in C Real life situations involve large volume of data and in such cases, the console oriented I/O operations pose two.

Files in C Rohit Khokher. Files in C Real life situations involve large volume of data and in such cases, the console oriented I/O operations pose two.
Chapter 11: Data Files & File Processing In this chapter, you will learn about Files and streams Creating a sequential access file Reading data from a.

Chapter 11: Data Files & File Processing In this chapter, you will learn about Files and streams Creating a sequential access file Reading data from a.
FILES Files types and operations. Files Files are used to store data Data can be Text (ASCII only: 0  127) Binary (Full range: 0  256) Each file resides.

FILES Files types and operations. Files Files are used to store data Data can be Text (ASCII only: 0  127) Binary (Full range: 0  256) Each file resides.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
Chapter 10.

Chapter 10.
Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May 21-23 2002.

CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May
Console and File I/O - Basics Rudra Dutta CSC 230 - Spring 2007, Section 001.

Console and File I/O - Basics Rudra Dutta CSC Spring 2007, Section 001.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.
Static Analysis for Security Amir Bazine Per Rehnberg.

Static Analysis for Security Amir Bazine Per Rehnberg.
Files COP3275 – PROGRAMMING USING C DIEGO J. RIVERA-GUTIERREZ.

Files COP3275 – PROGRAMMING USING C DIEGO J. RIVERA-GUTIERREZ.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
C Basic File Input/Output Manipulation. - 1 - C Programming – File Outline v File handling in C - opening and closing. v Reading from and writing to files.

C Basic File Input/Output Manipulation C Programming – File Outline v File handling in C - opening and closing. v Reading from and writing to files.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
David Evans These slides: Introduction to Static Analysis.

David Evans These slides: Introduction to Static Analysis.
Introduction to Programming Using C Files. 2 Contents Files Working with files Sequential files Records.

Introduction to Programming Using C Files. 2 Contents Files Working with files Sequential files Records.

Similar presentations

Ads by Google