Cqual: A Tool For Adding Type Qualifiers To C

Report
CQual:
A Tool for Adding Type Qualifiers to C
Jeff Foster et al
UC Berkeley
OSQ Retreat, May 21-23 2002
Background
• Software is buggy!
• How can we improve the quality of software?
– We want to build tools to analyze source code
• Find bugs at compile-time
• Help programmers write correct code
• But tools need to know what is ‘‘correct’’
– ...they need specifications
Jeff Foster, OSQ Retreat, May 21-23 2002
2
Tools Need Specifications
spin_lock_irqsave(&tty->read_lock, flags);
put_tty_queue_nolock(c, tty);
spin_unlock_irqrestore(&tty->read_lock, flags);
• Goal: Add specifications to programs
In a way that...
– Programmers will accept
• Lightweight
– Scales to large programs
– Solves many different problems
Jeff Foster, OSQ Retreat, May 21-23 2002
3
Type Qualifiers
• Extend standard type systems (C, Java, ML)
– Programmers already use types
– Programmers understand types
– Get programmers to write down a little more...
const int
ANSI C
tainted char *
Security vulnerabilities
unlocked spinlock_t
Locking
Jeff Foster, OSQ Retreat, May 21-23 2002
4
CQual
• A tool for adding type qualifiers to C
– User-specified qualifiers
– Annotate some qualifiers by hand
– CQual infers the rest
• Version 1:
– Written in SML/NJ
– Used C parser from alias analysis
• Was lots of work to fix, extend to GNU C
– Constraints solved with BANE
Jeff Foster, OSQ Retreat, May 21-23 2002
5
Application: Const Inference
• Main use of const: non-modified parameters
void foo(const int *x);
/* foo does not write *x */
• How many more consts can we add?
– Left-hand side of assignment non-const
– Everything that's not non-const is const
• Analyzed six C programs
– 1496-36913 lines
– All make effort to use const
Jeff Foster, OSQ Retreat, May 21-23 2002
6
Const Inference Results
100%
Non-const
Poly
80%
Mono
60%
Declared
40%
20%
Jeff Foster, OSQ Retreat, May 21-23 2002
.0
4
-1
uu
cp
1.
2.
26
ss
h-
-2
.7
tils
di
f fu
m
4-
1.
4
.5
h2
pa
tc
w
om
an
-3
.0
a
0%
7
Carillon
• CQual for finding Y2K bugs
– Mark date strings with YYYY, YY, NONYEAR, ...
• Better user interface
– (Demo later)
• Found known bug in CVS 1.9
– Took only a few hours of work
Jeff Foster, OSQ Retreat, May 21-23 2002
8
Problems with CQual Version 1
• Bad error messages in parser
• Too slow, used too much memory
• Written in ML
–
–
–
–
No tools available (debugger, profiler, etc)
Hard to control memory usage, performance
|{know ML}| is small
|{know ML}  {care about C}| very small
Jeff Foster, OSQ Retreat, May 21-23 2002
9
CQual Version 2: Rewrite to C
• Use David Gay's parser
– Extracted/modified from gcc
– Very compatible
– Very good error messages
• Custom constraint solver
– Solves atomic subtyping constraints
– Dropped polymorphic qualifier inference
• But allow user-specified polymorphism
Jeff Foster, OSQ Retreat, May 21-23 2002
10
Application: Format-String Vulnerabilities
• Adversary-controlled format specifier
name := <data-from-network>
printf(name);
/* Oops */
– Attacker sets name = “%s%s%s” to crash program
– Attacker sets name = “...%n...” to write to memory
• Lots of these bugs in the wild
– New ones weekly on bugtraq mailing list
– Too restrictive to forbid variable format strings
Jeff Foster, OSQ Retreat, May 21-23 2002
11
Using Tainted and Untainted
• Add qualifier annotations
int printf(untainted char *fmt, ...)
tainted char *getenv(const char *)
tainted = may be controlled by adversary
untainted = must not be controlled by adversary
Jeff Foster, OSQ Retreat, May 21-23 2002
12
Demo of cqual
Results: Format String Vulnerabilities
• Analyzed 10 popular unix daemon programs
• Annotations shared across applications
– One annotated header file for standard libraries
– Taint flows across type casts
• Found several known vulnerabilities
– Including ones we didn’t know about
– CQual's user interface critical
Jeff Foster, OSQ Retreat, May 21-23 2002
14
Application: Locking
Lock x;
lock(x);
...critical section...
unlock(x);
Jeff Foster, OSQ Retreat, May 21-23 2002
x : locked Lock
x : unlocked Lock
15
Flow-Sensitivity
• Standard type systems are flow-insensitive
– Variable x has one type
– And one set of qualifiers
• We need flow-sensitivity
– Different qualifiers for x at each program point
• Enter CQual Version 3
– Support for flow-sensitive qualifiers
Jeff Foster, OSQ Retreat, May 21-23 2002
16
Demo of cqual
Results: Locking
• Looked for simple deadlocks in Linux 2.4.9
– Double acquires/releases
• Analyzed 892 files in linux/drivers individually
• Analyzed 513 modules (all linked files)
– 14 type errors  deadlocks
– ~41/892 fail to typecheck but appear correct
– ~196/513 fail to typecheck
• added restrict by hand to remove type errors
due to aliasing for 64/196
Jeff Foster, OSQ Retreat, May 21-23 2002
18
Running Time: Locking
Flow-sensitive
Flow-insensitive
Parsing
140
120
Time (sec)
100
80
60
40
20
0
0k
100k
200k
300k
400k
500k
600k
700k
800k
Size (preprocessed lines of code)
Jeff Foster, OSQ Retreat, May 21-23 2002
19
Memory Usage: Locking
Flow-sensitive
Flow-insensitive
Parsing
1000
900
Space (Mbytes)
800
700
600
500
400
300
200
100
0
0k
100k
200k
300k
400k
500k
600k
700k
800k
Size (preprocessed lines of code)
Jeff Foster, OSQ Retreat, May 21-23 2002
20
Applications
Published experiments:
const Inference
Y2K bug detection
Format-string vuln.
[Foster, Fahndrich, Aiken, PLDI99]
[Elsman, Foster, Aiken, 1999]
[Shankar, Talwar, Foster,
Wagner, Usenix Sec 01]
Locking, stream operations [Foster, Terauchi, Aiken,
PLDI 02]
Linux Security Modules
[Zhang, Edwards, Jaeger,
(IBM Watson)
Usenix Sec 02]
Other experiments:
Null pointer errors
User/kernel pointers
Jeff Foster, OSQ Retreat, May 21-23 2002
TinyOS (Intel)
File open/close
21
What's Next for CQual?
• Better version of restrict
• Polymorphic-recursive qualifier inference
– Adapt known tech. for flow-insensitive analysis
– Less clear for flow-sensitive analysis
• Better alias analysis
– Names vs. location abstraction
Jeff Foster, OSQ Retreat, May 21-23 2002
22
Conclusion
• CQual adds specifications to programs
In a way that...
– Programmers will accept
• Lightweight
– Scales to large programs
– Solves many different problems
• Flow-insensitive version available
http://www.cs.berkeley.edu/~jfoster/cqual
Jeff Foster, OSQ Retreat, May 21-23 2002
23

similar documents