Lecture 12

Software Engineering Group

Philipp D. Schubert

C++ Programming

1. Cyber attacks

2. Program analysis

3. Static analysis

4. Designing code analysis (DECA)

5. Job offer

Contents

Usual Cyber-Attack

Find vulnerability or place backdoor

Inject malicious code

Circumvent detection

Surveil system, infect more machines if required

Execute payload

[Image taken from https://i.ytimg.com/vi/C-3FqOUf3nY/maxresdefault.jpg]

Who is responsible?

According to a recent study by the DHS, more than 90% of all current cyber attacks succeed because of

vulnerabilities in the application layer!

How can we reduce the number of vulnerabilities?

Write your code carefully

Test your code excessively

Use dynamic analysis

Use static analysis

Use manual reviews

Rice´s theorem

Program analysis is mathematically provable hard

All non-trivial semantic properties of programs are undecidable!

A semantic property is one about the behavior

An example

Does a program terminate for all inputs?

A property is non-trivial if

It is neither true for every program

Nor for no program

That are quite a lot of properties!

https://en.wikipedia.org/wiki/Rice's_theorem

Contains proof sketch as well as complete proof

We have to use an over-approximation then!

Program analysis

Dynamic analysis

Retrieve information about a program behavior by executing it

Execute on real or virtual processor

Must be executed with sufficient test inputs (code coverage)

Discover a set of possible behaviors

Uncertainty principle, make sure code instrumentalization don´t cause side-effects

Inadequate testing leads to catastrophic failures runtime error in Ariane 5 rocket

Static analysis

Retrieve information about a program without executing it

Analysis performed on source code or intermediate code

Over-approximation of the program behaviour

Program understanding

Done by humans: program comprehension, code review, software walkthroughs

[https://en.wikipedia.org/wiki/Dynamic_program_analysis, https://en.wikipedia.org/wiki/Static_program_analysis]

Workflow in static analysis

Parse method (as source code, bytecode or some other intermediate representation)

Convert into control-flow graph (CFG)

Perform an analysis on the CFG

int i = 10;

int j = 20;

if (p) {

i = 100;

} else {

j = i;

}

print(i);

Find interesting properties

int i = 10;

int j = 10;

i = 100; j = i;

print(i)

if (p)

Workflow in static analysis

Another example

int y = x;

if (p) x = y;

if (!p) z = 2;

b = y;

Depending on complexity of p

Mutual exclusiveness cannot be inferred

CFG are conservative

If control may flow from stmt A to stmt B then there is an edge from A to B

Opposite is not true!

Problem is undecidable

Over-approximation

Real CFGs contain exceptional edges as well

Unsound otherwise

int y = x;

if (p)

if (!p)

b = y;

x = y;

z = 2;

Intermediate representations

; Function Attrs: norecurse nounwind uwtable

define i32 @main() #0 {

%1 = alloca i32, align 4

%2 = alloca i32, align 4

%3 = alloca i32, align 4

store i32 0, i32* %1, align 4

store i32 0, i32* %2, align 4

store i32 0, i32* %3, align 4

br label %4

; <label>:4: ; preds = %10, %0

%5 = load i32, i32* %3, align 4

%6 = icmp slt i32 %5, 10

br i1 %6, label %7, label %13

; <label>:7: ; preds = %4

%8 = load i32, i32* %2, align 4

%9 = add nsw i32 %8, 1

store i32 %9, i32* %2, align 4

br label %10

; <label>:10: ; preds = %7

%11 = load i32, i32* %3, align 4

%12 = add nsw i32 %11, 1

store i32 %12, i32* %3, align 4

br label %4

; <label>:13: ; preds = %4

ret i32 0

}

Analysis usually done on an intermediate

representation (IR)

Simpler than source language

Just a few op codes

Uses jumps (goto) to represent loops

int main()

{

int counter = 0;

for (int i = 0; i < 10; ++i) {

counter++;

}

return 0;

}

LLVM IR to the right

LLVM

Compiler infrastructure

Provide many helpful mechanisms to write:

Compiler optimizations

Static analyses

Intermediate representation LLVM IR

Abstracted from concrete input language

Pros

No nesting

Looping/ branches through jumps (goto)

Simple basic operations

3 address code

Cons

No direct mapping from LLVM IR back to source

Front-endOptimization/

analysisSource languages Target languageBack-end

Static analysis

Intra-procedural analysis

Function f Property 𝝋

Analysis

Does the property 𝜑 hold at statement s?

Some properties & corresponding analyses

Is this variable still used later on?

Live-variables analysis

Can this code ever execute?

Dead-code analysis

Can this pointer ever be null?

Nullness analysis

Is this file handle ever closed?

Typestate analysis

There are many more

Data flow analysis

Control flow

Data flow

Analysis: What values are printed?

Reaching definition analysis

int x = 1;

print(x);

if (z > 0) {

x = 2;

}

print(x)

Use data flow analysis

int x = 1;

print(x);

if (z > 0)

x = 2;

print(x);

𝑥 = ?

𝑥 = 1

𝑥 = 1

𝑥 = 1

𝑥 =1

𝑥 = 2

𝑥 ∈ {1, 2}

A more advanced example

Which assignments are unnecessary?

Live variables analysis

int z = // some value;

int x = 1;

int y = 2;

if (z > 0) {

y = z;

if (z > 1) {

z = 7;

}

}

print(y);

Findings

Assignment to z and x can be eliminated

int z = // some val

int x = 1;

int y = 2;

if (z > 0)

y = z;

if (z > 1)

z = 7;

print(y);

∅

{𝑦} {𝑦}

{𝑦}

{𝑦, 𝑧}

{𝑧}{𝑦, 𝑧}

{𝑦, 𝑧}

{𝑧}

{𝑧}

∅

Overwrite y,

don’t need

old y

Loops?

Reaching definitions revisited

int x = 1;

while (...) {

x++;

}

print(x);

Problem!

This does not terminate

Number of iterations must be bound

int x = 1;

while( … )

x++;

print(x);

𝑥 =?

𝑥 = 1

𝑥 = 2

𝑥 = 1

𝑥 ∈ {2,3, … }𝑥 ∈ {1,2, … }

𝑥 ∈ {1,2, … }

𝑥 = 1

Monotone framework

1. Analysis direction (forward or backward)

2. Analysis domain (lattice)

3. Effect of statements on information (flow functions)

4. Initial values (values of the lattice)

5. Merge information (binary operator on sets of lattice values)

Flow functions

Initial values

Concrete

static

analysis

Uniform

evaluation

algorithm

Overview and more examples

SEPL Goethe University, Frankfurt am Main

Lecture “Foundations of Programming Languages”, Christoph Reichenbach

Have a look at the following youtube playlist (one lecture unit)

https://www.youtube.com/watch?v=sxiFwiCgoVo&list=PLgJZZQPiH1mHIZAyIF1baZbMpIzxXn90o

Optimizations and static analysis

What?

Why?

How?

Inter-procedural program analysis

Why is inter-procedural analysis hard?

Inter-procedural program analysis

How to overcome unrealizable paths?

Use context-sensitive analysis

Inlining

Easy

Not efficient

Call-strings approach

Annotate data flow facts with ´call strings´

Summary approach

Compute function summaries describing their effect

Plug-in summary when function is called

We use the summary approach

Every approach has advantages/ disadvantages

Designing code analysis for large-scale software systems (DECA)

Summer semester 2017

Lead by Eric Bodden

Contents

Intra-procedural data-flow analysis

Call-graph construction algorithms

Context-insensitive inter-procedural data-flow analysis

Context-sensitivity using the call-strings approach

Value-based context

Context-sensitivity using the functional approach

Efficiently solving distributed problems in the IFDS and IDE frameworks

Current challenges in inter-procedural static program analysis

Applications to software security

Job offer

Topic

Static analysis

C++ programming

LLVM compiler framework

Benefits

Money ;-)

Fun

Learn a lot

Invitations to our professional and social events

Opportunity for bachelor/ master thesis

Lots of career options

Working on an important topic

Just send me an email

It´s about creativityenum _multiply { multiply, times };,

struct _multiply_Int : Int {

_multiply_Int(const Int& i) : Int(i.val) {}

};

inline _multiply_Int operator/ (const Int& lhs, _multiply rhs) {

return _multiply_Int(i);

}

inline Int operator/ (const _multiply_Int& lhs, const Int& rhs) {

return lhs.val * rhs.val;

}

int main()

{

Int a(10);

Int b(20);

Int c = a /multiply/ b;

cout << c << endl;

return 0;

}

You cannot define custom operators

How about that?

Int a(10);

Int b(20);

Int c = a /multiply/ b;

Int c = a /times/ b;

cout << c << endl;

This can be realized in C++

#include <iostream>

using namespace std;

struct Int {

int val;

Int(int i) : val(i) {}

friend ostream& operator<< (ostream& os,

const Int& i)

{ return os << i.val; }

};

Be critical

Sadly not everything about C++ is great!

A nice talk that sums up some of the biggest oddities of C++

C++ bashing: “A case against C++”, Felix von Leitner

“Why C++ is bad for the environment, causes global warming and kills puppies”

https://media.ccc.de/v/cccamp07-en-1951-A_Case_Against_C++

However, at the end I hope you find C++ somewhat useful!

Questions?

Thank you for your attention