Published by Hamdani Budiono. Modified over 6 years ago.
1
SUDS: An Infrastructure for Creating Bug Detection Tools
Eric Larson October 1, 2007 Seattle University
2
What is SUDS?
- SUDS is an infrastructure to facilitate the construction of software bug detection tools.
- SUDS is primarily used to create dynamic bug detection tools.
- It contains static analysis phases used to improve / focus dynamic bug detection.
- At the heart of SUDS is a C to (instrumented) C converter.
3
Overview of SUDS
[Figure: SUDS pipeline. Stages: Parse, Simplify, Analyze, Instrument, Link. Artifacts: Program (preprocessed C source code), SUDS AST, Simplified AST, Analysis Results, Instrumentation Model, Instrumented Source Code, Instrumented Executable.]
4
Static Analysis
- Standard compiler analyses
  - Control flow graph / call graph
  - Data flow analysis (mostly intraprocedural)
  - Flow-sensitive pointer analysis (Hind et al.)
- Tainted propagation
  - Propagates tainted attribute of variables (forward)
  - User can modify infrastructure to change what tainted means
- Program slicing
  - Propagates interesting uses backwards
  - User can modify slicing criterion (can be all statements that have this property or characteristic)
  - Context-insensitive
5
Instrumentation
- Direct SUDS where to add instrumentation.
  - Add instrumentation based on statement, expression, or event.
  - Support functions allow users to easily pass parameters into the instrumentation functions.
- Write the instrumentation routines.
  - Can use provided state table: allows the instrumented program to keep track of additional state when the program is running.
  - Can take advantage of results from static analysis phases.
6
Example of how SUDS is used
Goal: To detect buffer overflows for array references that use data that came from input.
- Tainted analysis: All input data is tainted.
- Program slicing: All data that can lead to an array reference is in the slice.
- Instrumentation:
  - Track all arrays and their sizes.
  - Track pointers to arrays.
  - Track integers that are tainted and in the slice.
  - At array references, check for bugs.
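A sketch of what instrumented C for this example could look like, added here as an illustration; it is not SUDS output or code from the presentation. The names `track_array`, `check_ref`, `days_in_month` and the state-table layout are hypothetical, and pointer tracking is left out to keep the case small.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical runtime support (not the SUDS API): a state table that
 * records each tracked array's base address and element count. */
#define MAX_TRACKED 32
struct tracked { const void *base; size_t elems; };
static struct tracked table[MAX_TRACKED];
static size_t n_tracked;
static int violations;              /* number of bad references seen */

static void track_array(const void *base, size_t elems) {
    for (size_t i = 0; i < n_tracked; i++)
        if (table[i].base == base) { table[i].elems = elems; return; }
    if (n_tracked < MAX_TRACKED)
        table[n_tracked++] = (struct tracked){ base, elems };
}

/* Inserted before base[idx]. Returns 1 if the reference is safe to
 * execute, 0 if idx falls outside the tracked array. */
static int check_ref(const void *base, long idx, int line) {
    for (size_t i = 0; i < n_tracked; i++) {
        if (table[i].base != base) continue;
        if (idx >= 0 && (size_t)idx < table[i].elems) return 1;
        violations++;
        fprintf(stderr, "line %d: tainted index %ld outside [0,%zu)\n",
                line, idx, table[i].elems);
        return 0;
    }
    return 1;                       /* array not tracked: no verdict */
}

/* Original code:  long i = strtol(field, NULL, 10); return days[i];
 * i is tainted (comes from input) and in the slice (reaches days[i]),
 * so it is the only integer that gets a check. */
int days_in_month(const char *field) {
    static const int days[12] = {31,28,31,30,31,30,31,31,30,31,30,31};
    track_array(days, 12);          /* instrumentation: record the size */
    long i = strtol(field, NULL, 10);
    if (!check_ref(days, i, __LINE__)) return -1;   /* instrumentation */
    return days[i];
}

int main(void) {
    printf("%d %d %d\n", days_in_month("1"), days_in_month("12"), days_in_month("-3"));
    return violations == 2 ? 0 : 1;
}
```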
7
Results: Finding Bugs
Program SUDS SPLINT VALGRIND Bugs Same Bugs New Bugs
anagram 2 ft ks 3 yacr2 betaftpd 1 gaim ghttpd openssh didn't work thttpd
8
Results: Performance

| Program | Baseline | Valgrind (Time / Ratio) | SUDS Unoptimized (Time / Ratio) | SUDS Optimized (Time / Ratio) | Perf. Improve % |
|---|---|---|---|---|---|
| anagram | 0.06 | 1.88 / 31.33 | 3.15 / 52.50 | 1.32 / 22.00 | 58.1% |
| ft | 0.18 | 5.92 / 32.89 | 5.32 / 29.56 | 0.88 / 4.89 | 83.5% |
| ks | 0.05 | 4.16 / 83.20 | 3.96 / 79.20 | 0.45 / 9.00 | 88.6% |
| yacr2 | 0.12 | 3.83 / 31.92 | 22.63 / 188.58 | 11.87 / 98.92 | 47.5% |
| betaftpd | 0.07 | 6.43 | 0.53 / 7.57 | 0.27 / 3.86 | 49.1% |
| ghttpd | 0.52 | 35.60 / 68.46 | 1.08 / 2.08 | 0.69 / 1.33 | 36.1% |
| openssh | 0.70 | didn't work | 1.00 / 1.43 | 0.91 / 1.30 | 9.0% |
| thttpd | 0.15 | 0.29 / 1.93 | 2.57 / 17.13 | 1.78 | 30.7% |
9
Future Work
- Add phase(s) that attempt to detect bugs using static analysis.
  - Certain types of bugs can use data flow analysis but need to prune false alarms.
- Develop static analysis phases that improve the quality of dynamic bug detection, not just the performance.
10
Questions