2016-6-4 DTS ( Defect Testing System ) Yang Zhao Hong, Gong Yun Zhan,Xiao Qing, Wang Ya Wen Beijing University of Posts and Telecommunications 2008.09.

Slides:



Advertisements
Similar presentations
Static Analysis for Security
Advertisements

2000 Prentice Hall, Inc. All rights reserved. 1 Capitolo 4 - Arrays Outline 4.1Introduction 4.2Arrays 4.3Declaring Arrays 4.4Examples Using Arrays 4.5Passing.
Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology
 Pointers, Arrays, Destructors Is this random stuff or are these somehow connected?
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
ITEC 320 Lecture 11 Pointers(1). Pointers Review Packages –Generic –Child Homework 3 is posted.
C Lab 3 C Arraylist Implementation. Goals ●Review ○ Referencing/Dereferencing ○ Free ●realloc and memmove ●ArrayList ●Debugging with GDB.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Static code check – Klocwork
1 Pointers A pointer variable holds an address We may add or subtract an integer to get a different address. Adding an integer k to a pointer p with base.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Pointer. Warning! Dangerous Curves C (and C++) have just about the most powerful, flexible and dangerous pointers in the world. –Most other languages.
Static and Dynamic Contract Verifiers For Java Hongming Liu.
RubyPolish: Static Bug Detection in Ruby Programs John Locke Alex Mont.
Memory and C++ Pointers.  C++ objects and memory  C++ primitive types and memory  Note: “primitive types” = int, long, float, double, char, … January.
Evaluating Static Analysis Tools Dr. Paul E. Black
CS784 (Prasad)L167AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.
The foreach LooptMyn1 The foreach Loop The foreach loop gives an easy way to iterate over arrays. foreach works only on arrays, and will issue an error.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.
CS 501: Software Engineering Fall 1999 Lecture 16 Verification and Validation.
Natalia Yastrebova What is Coverity? Each developer should answer to some very simple, yet difficult to answer questions: How do I find new.
Buffer Overflow Maddikayala, jagadish. CSCI 5931 Web Security Prof. T. Andrew Yang Monday Feb. 23.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
Embedded Software Programming and Implementation Guidelines Software Engineering for Embedded System Ch.7 Robert Oshana and Mark Kraeling Presented by.
1 Pointers Arrays have a disadvantage: Their size must be known at compile time. We would like the capability to allocate an array-like object of any needed.
Advanced Computer Architecture Lab University of Michigan USENIX Security ’03 Slide 1 High Coverage Detection of Input-Related Security Faults Eric Larson.
Some possible final exam questions. DISCLAIMER models only These questions are models only. Some of these questions may or may not appear in the final.
CS Midterm Study Guide Fall General topics Definitions and rules Technical names of things Syntax of C++ constructs Meaning of C++ constructs.
SPL – Practical Session 2 Topics: – C++ Memory Management – Pointers.
Pointers in C++. 7a-2 Pointers "pointer" is a basic type like int or double value of a pointer variable contains the location, or address in memory, of.
Prachi A. Joshi Assistant Professor in CSE DIEMS,Aurangabad Unit 1 : Basic Concepts Pointers and dynamic memory allocation, Algorithm Specification, Data.
Static Program Analysis of Embedded Software Ramakrishnan Venkitaraman Graduate Student, Computer Science Advisor: Dr. Gopal Gupta
ICOM 4035 – Data Structures Dr. Manuel Rodríguez Martínez Electrical and Computer Engineering Department Lecture 3 – August 28, 2001.
1 Splint: A Static Memory Leakage tool Presented By: Krishna Balasubramanian.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
C Programming Lecture 16 Pointers. Pointers b A pointer is simply a variable that, like other variables, provides a name for a location (address) in memory.
Structuring Data: Arrays ANSI-C. Representing multiple homogenous data Problem: Input: Desired output:
Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.
Computer Science: A Structured Programming Approach Using C1 Objectives ❏ To understand the relationship between arrays and pointers ❏ To understand the.
C++ Programming Lecture 14 Arrays – Part I The Hashemite University Computer Engineering Department (Adapted from the textbook slides)
Announcements You will receive your scores back for Assignment 2 this week. You will have an opportunity to correct your code and resubmit it for partial.
Chapter 4 Static Analysis. Summary (1) Building a model of the program:  Lexical analysis  Parsing  Abstract syntax  Semantic Analysis  Tracking.
CS223: Software Engineering Lecture 21: Unit Testing Metric.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
Memory Management in Java Mr. Gerb Computer Science 4.
Pointers. What Is Pointer l every variable has memory address char c=’y’; int i=2; address of variable i is 0022 l address can used to refer to this variable.
C++ for Engineers and Scientists Second Edition Chapter 12 Pointers.
Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.
Recap Resizing the Vector Push_back function Parameters passing Mechanism Primitive Arrays of Constants Multidimensional Arrays The Standard Library string.
Findbugs Tin Bui-Huy September, Content What is bug? What is bug? What is Findbugs? What is Findbugs? How to use Findbugs? How to use Findbugs?
NULL pointer assignment error- AGNEL ANTO. What is NULL pointer assignment error ? My program comes up with the message 'Null pointer assignment' after.
Content Coverity Static Analysis Use cases of Coverity Examples
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
YAHMD - Yet Another Heap Memory Debugger
FIGURE 9-5 Integer Constants and Variables
Dynamic Memory CSCE 121 J. Michael Moore.
Dynamic Memory Allocation
Pointer Basics Psst… over there.
UNO Static Analysis With a Simple Twist.
High Coverage Detection of Input-Related Security Faults
Improving software quality using Visual Studio 11 C++ Code Analysis
Covering CWE with Programming Languages and Tools
Introduction to Static Analyzer
Pointer & Memory Allocation Review
Annotation-Assisted Lightweight Static Checking
Pointer Basics Psst… over there.
SPL – PS2 C++ Memory Handling.
Introduction to C CS 3410.
Presentation transcript:

DTS ( Defect Testing System ) Yang Zhao Hong, Gong Yun Zhan,Xiao Qing, Wang Ya Wen Beijing University of Posts and Telecommunications

Outline How does DTS work? Defects patterns Defects Testing Framework Testing an example-Tomcat

DTS Supports Java/C/C++ source code static analysis Tool is written by Java

Source Code Testing Precise Rules Program Analysis Engine Static Testing Tool Rules Defects How does DTS work?

Outline Defects patterns Defects Testing Framework Testing an example

Various defect patterns Memory Leak Fault Out of Bounds Array Access Fault Illegal Computing Fault Uninitialized Variable Fault buffer overflow vulnerability Tainted Data vulnerability Race Condition … Over 300 patterns

How to define defect patterns?

Defect defined by extended state machine - NULL Pointer Dereference

Defect Patterns - NULL Pointer Dereference Fault State TransitionThe State transition conditions 0 Start  NOTNULL Variable’s value is NOTNULL 1 Start  NULL_OR_NOTNULL Variable’s value is NULL 2 Start  NULL_OR_NOTNULL Variable’s value is NULL_OR_NOTNULL 3 NOTNULL  NULL_OR_NOTNULL Variable’s value is NULL 4 NOTNULL  NULL_OR_NOTNULL Variable’s value is NULL_OR_NOTNULL 5 NOTNULL  END Out of variable’s scope 6 NULL_OR_NOTNULL  NOTNULL Variable’s value is NOTNULL 7 NULL_OR_NOTNULL  END Out of variable’s scope 8 NULL_OR_NOTNULL  ERROR The variable is dereferenced 9 ERROR  END No conditions

Common elements for description Syntax elements ( Xpath) Variable’s scope Variable’s value range Control flow information Dataflow information

Schema of description methods

Outline How does DTS work? Defects patterns Defects Testing Framework Testing an example

Outline How does DTS work? Defects patterns Defects Testing Framework Testing an example-Tomcat