Static Analysis of Memory Errors
description
Transcript of Static Analysis of Memory Errors
![Page 1: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/1.jpg)
Static Analysis of Memory Errors
Mooly Sagiv
Tel Aviv University
![Page 2: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/2.jpg)
Project Goals
• Statically determine that data are used in a sound way
• No unexpected software behavior• In C
• No undefined semantics (ANSI C)• Prevent bad programming styles
• In Java• Certain exceptions will never be raised
• Sound analysis• Minimal false alarms
![Page 3: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/3.jpg)
Sample Cleanness Problems
1. C String related errors1. Unsafe calls to strcpy(), strcat()…
2. Out of bound references
3. Pointer arithmetic
2. Java interface requirements for library usages
![Page 4: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/4.jpg)
Nurit Dor & Greta Yorsh
http://www.cs.tau.ac.il/~nurr
![Page 5: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/5.jpg)
Are String Violations Common?
FUZZ study (1995)• Random test programs on various
systems 9 different UNIX systems 18% – 23% hang or crash 80% are string related errors
CERT advisory• 50% of attacks are abuses of buffer
overflows
![Page 6: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/6.jpg)
Example – unsafe call to strcpy()
simple(){
char s[20];char *p;char t[10];
strcpy(s,”Hello”);p = s + 5;strcpy(p,” world!”);strcpy(t,s);
}
![Page 7: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/7.jpg)
Example – unsafe call to strcpy()
simple(){
char s[20];char *p;char t[10];
strcpy(s,”Hello”);p = s + 5;strcpy(p,” world!”);strcpy(t,s);
}
cleanness is always violated:alloc(t) = 10
len(s) = 12
![Page 8: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/8.jpg)
Example – unsafe pointer arithmetic
/* from web2c [strpascal.c] */
void null_terminate(char *s)
{
while ( *s != ‘ ‘ )
s++;
*s = 0;
}
![Page 9: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/9.jpg)
Example – unsafe pointer arithmetic
/* from web2c [strpascal.c] */
void null_terminate(char *s)
{
while ( *s != ‘ ‘ )
s++;
*s = 0;
}
Cleanness is potentially violated:offtset(s) =alloc(buff(s))
![Page 10: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/10.jpg)
Complicated Example
/* from web2c [fixwrites.c] */
#define BUFSIZ 1024
char buf[BUFSIZ];
char insert_long(char *cp)
{
char temp[BUFSIZ];…
for (i = 0; &buf[i] < cp ; ++i)
temp[i] = buf[i];
strcpy(&temp[i],”(long)”);
strcpy(&temp[i+6],cp);…
cp
buf
(long)temp
![Page 11: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/11.jpg)
Complicated Example
/* from web2c [fixwrites.c] */
#define BUFSIZ 1024
char buf[BUFSIZ];
char insert_long(char *cp)
{
char temp[BUFSIZ];…
for (i = 0; &buf[i] < cp ; ++i)
temp[i] = buf[i];
strcpy(&temp[i],”(long)”);
strcpy(&temp[i+6],cp);…
cp
buf
( l o n g )temp
Cleanness is potentially violated:7 + offset (cp) BUFSIZ
![Page 12: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/12.jpg)
Complicated Example
/* from web2c [fixwrites.c] */
#define BUFSIZ 1024
char buf[BUFSIZ];
char insert_long(char *cp)
{
char temp[BUFSIZ];…
for (i = 0; &buf[i] < cp ; ++i)
temp[i] = buf[i];
strcpy(&temp[i],”(long)”);
strcpy(&temp[i+6],cp);…
cp
buf
(long)temp
Cleanness is potentially violated:offset(cp)+7 +len(cp) BUFSIZ7 + offset (cp) < BUFSIZ
![Page 13: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/13.jpg)
Vulnerable String Manipulation
Pointers to buffers char *p= buffer; … while( ) p++;
Standard string manipulation functions
strcpy(), strcat(), … NULL termination
strncpy(), …
![Page 14: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/14.jpg)
C Static String Verifier (CSSV) Objectives
• Modular analysis– Procedure pre-condition/post-condition/mod
• Automatically generate procedure specification • Handle full C
– Multi-level pointers
– Structures
• Reduce complexity of transformation– Linear in the number of variables
![Page 15: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/15.jpg)
CSSV
Cfiles
Procedure’sPointer info
Pointer Analysis
C2IP
PreModPost Integer Proc
Integer AnalysisPotential
Error Messages
Procedure name
Cfiles
AWP
![Page 16: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/16.jpg)
Advantages of Procedure Specification
• Modular analysis – Not all the code is available– Enables more expensive analyses
• User control of the verification– Detect errors at point of logical error– Improve the precision of the analysis– Check additional properties
• Beyond ANSI-C
![Page 17: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/17.jpg)
Specification and Soundness
• All errors are detected
• Violation of procedure’s precondition– Call
• Violation of procedure's postcondition– Return
• Violation of statement’s precondition– …a[i]…
![Page 18: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/18.jpg)
char* strcpy(char* dst, char *src)requires
modensures
Specification – strcpy
( string(src) alloc(dst) > len(src))
len(dst), is_nullt(dst)
( len(dst) = = pre@len(src) return = = pre@dst)
![Page 19: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/19.jpg)
Specification – insert_long()/* insert_long.c */#include "insert_long.h" char buf[BUFSIZ];char * insert_long (char *cp) { char temp[BUFSIZ]; int i; for (i=0; &buf[i] < cp; ++i){ temp[i] = buf[i]; } strcpy (&temp[i],"(long)"); strcpy (&temp[i + 6], cp); strcpy (buf, temp); return cp + 6; }
char * insert_long(char *cp) requires( string(cp)
buf cp < buf + BUFSIZ
) mod cp.strlen ensures ( len(cp) = = pre[len(cp) + 6]
return_value = = cp + 6 ;
)
![Page 20: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/20.jpg)
CSSV
Cfiles
Pointer Analysis
C2IP
PreModPost Integer proc
Integer AnalysisPotential
Error Messages
Procedure name
Cfiles
AWP
Procedure’sPointer info
![Page 21: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/21.jpg)
CSSV
Cfiles
Pointer Analysis
C2IPside effect
ModInteger proc
LeafProcedure
Cfiles
AWP
Pre
Procedure’sPointer info
![Page 22: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/22.jpg)
CSSV
Cfiles
PreMod
LeafProcedure
Cfiles
Integer AnalysisPotential
Error Messages
Post
Pointer Analysis
C2IP
Integer proc
Procedure’sPointer info
![Page 23: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/23.jpg)
char * insert_long (char *cp) {
char temp[BUFSIZ]
int i
require string(cp);
for(i=0; &buf[i] < cp; ++i) { temp[i]=cp[i]; }
assert(0 i < 6 - stemp.msize );assume(stemp.len == i + 6);…
int cp.offset;int temp.offset = 0; int stemp.msize = BUFSIZ; int stemp.len ; int stemp.is_nullt;
int i
assume(sbuf.is_nullt 0 cp.offset sbuf.len sbuf.alloc );
for (i=0; i< cp.offset ; ++i ) { assert(0 i stemp.msize (stemp.is_nullt i stemp.len)); assert(-i cp.offset< -i +sbuf.len); if (sbuf.is_nullt sbuf.len == i ) { stemp.len = i; stemp.is_nullt = true; } else …
strcpy(&temp[i],"(long)");
C2IP
![Page 24: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/24.jpg)
AWP
• Approximate the Weakest Precondition
• Backward integer analysis
• Generates a precondition
![Page 25: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/25.jpg)
AWP – insert_long()
• Generate the following precondition:string(cp) len(buf) offset(cp) + 1017
Not the weakest precondition:string(cp) len(buf) 1017
![Page 26: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/26.jpg)
Implementation
• Using:– ASToolKit [Microsoft]
– GOLF [Microsoft – Manuvir Das]
– New Polka [IMAG - Bertrand Jeannet]
• Main steps:– Simplifier
– Pointer analysis
– C2IP
– Integer Analysis
![Page 27: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/27.jpg)
Preliminary results (web2C)
Proc line coreCline
time(sec)
space(Mb)
errors FA
insert_long 14 64 2.0 13 2 0
fprintf_pascal_string 10 25 0.1 0.3 2 0
space_terminate 9 23 0.1 0.2 0 0
external_file_name 14 28 0.2 1.7 2 0
join 15 53 0.6 5.2 2 1
remove_newline 25 105 0.6 4.6 0 0
null_terminate 9 23 0.1 0.2 2 0
Up to four times faster than SAS01
![Page 28: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/28.jpg)
Preliminary results (EADS/RTC_Si)
Proc line coreCline
time(sec)
space(Mb)
errors FA
FiltrerCarNonImp 19 34 1.6 0.5 0 0
SkipLine 12 42 0.8 1.9 0 0
StoreIntInBuffer 37 134 7.9 21 0 0
![Page 29: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/29.jpg)
The Canvas Project Component ANnotation, Verification
And Stuff
J. Field D. Goyal.
G. Ramalingam
http://www.research.ibm.com/menage/canvas
IBM Research
![Page 30: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/30.jpg)
The problem
• Class libraries and software components are supposed to– make building complex applications from "parts" easier– make a market for pre-packaged code...
• ...but in practice– programming with components is hard
• inadequate documentation• lack of source code• increased API complexity (to allow for customization)
• Programmers often resort to iterative trial-and-error methods to get components to work in their application
![Page 31: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/31.jpg)
Canvas Goals
• The component designers specify component conformance constraints
• Develop automated certification tools to determine whether the client satisfies the component's conformance constraints
• focus on JavaTM libraries and JavaBeansTM
![Page 32: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/32.jpg)
Our Approach
• Specify component behavior in a Java like language (EASL)
• Use TVLA for statically analyzing Java heap
• Specialize the algorithm for the component
![Page 33: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/33.jpg)
The Concurrent Modification Problem(PLDI’02 Berlin)
• Static analysis of Java programs manipulating Java 2 collections
• Inconsistent usages of iterators– An Iterator object i defined on a collection
object c
– No use of i may be preceded by update to the contents of c, unless the update was also made via i
![Page 34: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/34.jpg)
class Make { private Worklist worklist; public static void main (String[] args) { Make m = new Make(); m.initializeWorklist(args); m.processWorklist(); } void initializeWorklist(String[] args) { ...; worklist = new Worklist(); ... // add some items to worklist} void processWorklist() { Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item); } } void processItem(Object i){ ...;
doSubproblem(...);} void doSubproblem(...) { ... worklist.addItem(newitem); ... }}
public class Worklist { Set s; public Worklist() {. ..; s = new HashSet(); ... } public void addItem(Object item) { s.add(item); } public Set unprocessedItems() { return s; }}return rev; }
![Page 35: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/35.jpg)
EASL Specificationclass Collection { Version version; Collection() { version = new Version(); } boolean add(Object o) { version = new Version(); } Iterator iterator() { return new Iterator(this); }}
class Iterator { Collection set; Version definingVersion; Iterator (Collection s){ definingVersion = s.version; set = s; } void remove() { requires (definingVersion == set.version); set.ver = new Version(); definingVersion = set.version; } Object next() { requires (definingVersion == set.version); }
class Version {}
![Page 36: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/36.jpg)
Prototype
Three Value Logic Analyzer
Analysis result Potential cleanness violations
JavaJava
actiondefinition
actiondefinition
Soot JimpleAST
JimpleAST
CFG +
actions
CFG +
actions
J2TVPTranslator
Specialize
EASL
![Page 37: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/37.jpg)
Empirical Results
Benchmark Loc Err. FA Time
(sec)
Space
(MB)
Structs.
Kernel 683 15 0 60 19 4363
MapTest 335 1 0 61 20 4937
Iterator
Test
126 0 0 0.23 4 208
JFE 2896 1 1 236 49 9878
![Page 38: Static Analysis of Memory Errors](https://reader035.fdocuments.net/reader035/viewer/2022062305/56815987550346895dc6c7f8/html5/thumbnails/38.jpg)
Conclusion
Ambitious sound analyses Very few false alarmsScaling is an issue
– Use staged analyses– Use modular analysis– Use encapsulation