Presentation is loading. Please wait.

Presentation is loading. Please wait.

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland."— Presentation transcript:

1 Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland

2 2 Motivation Software has bugs Would like to allow programmers to specify and check additional program properties in a way that... –Programmers will accept Lightweight –Scales to large programs –Solves many different problems

3 3 Type Qualifiers Create new analyses by extending standard type systems – C, Java, ML... –Programmers already use types –Programmers understand types –Just get programmers to write down a little more... intconstANSI C ptr( char)taintedSecurity vulnerabilities int  ptr( FILE) File operations open

4 4 Example: Format String Vulnerabilities I/O functions in C use format strings printf("Hello!");Hello! printf("Hello, %s!", name);Hello, name ! Instead of printf("%s", name); Why not printf(name);?

5 5 Format String Attacks Adversary-controlled format specifier name := printf(name);/* Oops */ –Attacker sets name = “%s%s%s” to crash program –Attacker sets name = “...%n...” to write to memory Particular bug not too common any more –People know to look out for them Similar issues still exist –User/kernel pointers in Linux kernel –But more complicated to explain…

6 6 Using Tainted and Untainted Add qualifier annotations to library functions int printf(untainted char *fmt,...) tainted char *getenv(const char *) tainted = may be controlled by adversary untainted = must not be controlled by adversary Use subtyping to express relationships between qualifiers

7 7 Subtyping void f(tainted int); untainted int a; f(a); void g(untainted int); tainted int b; f(b); OK f accepts tainted or untainted data Error g accepts only untainted data untainted  tainted tainted  untainted / untainted  tainted

8 8 Demo Eclipse interface... show taint1.c file run cqual on it click along path and explain type inference

9 9 Type Qualifier Inference Two kinds of qualifiers –Explicit qualifiers: tainted, untainted,... –Unknown qualifiers: a 0, a 1,... Program yields constraints on qualifiers tainted  a 0 a 0  untainted Solve constraints for unknown qualifiers –Error if no solution

10 10  ptr int f ptr int y z Constraint Generation ptr(int) f(x : int) = {... }y := f(z) a0a0 a1a1 a2a2 a3a3 a4a4 a5a5 a6a6 a 6  a 1 a 2  a 4 a 3 = a 5

11 11 Constraints as Graphs a0a0 a1a1 a2a2 a3a3 a4a4 a5a5 a6a6 a 6  a 1 a 2  a 4 a 3 = a 5 a8a8 untainted tainted a7a7 a9a9

12 12 Satisfiability via Graph Reachability a0a0 a1a1 a2a2 a3a3 a4a4 a5a5 a6a6 a 6  a 1 a 2  a 4 a 3 = a 5 a8a8 untainted tainted a7a7 a9a9 Is there an inconsistent path through the graph?

13 13 Satisfiability via Graph Reachability a0a0 a1a1 a2a2 a3a3 a4a4 a5a5 a6a6 a 6  a 1 a 2  a 4 3 = 53 = 5 a8a8 untainted tainted a7a7 a9a9 Is there an inconsistent path through the graph?

14 14 Satisfiability in Linear Time Initial program of size n –Fixed set of qualifiers tainted, untainted,... Constraint generation yields O(n) constraints –Recursive abstract syntax tree walk Constraint solution takes O(n) time –Works for semi-lattices, discrete p.o., products

15 15 About the Interface CQual run as a background process –Communicates with Eclipse via stdin/stdout Information sent in blocks as s-expressions –Could also use XML –Information only sent as needed by interface Eclipse controls display –More tightly integrated than previous version

16 16 Analyses Using CQual Const inference –A Theory of Type Qualifiers (PLDI’99) Format-string vulnerabilities –Detecting Format-String Vulnerabilities with Type Qualifiers (USENIX Sec’01) User/kernel pointer bugs in the Linux kernel –Johnson and Wagner, Finding User/Kernel Pointer Bugs with Type Inference (USENIX Sec’04) Others –Locking in linux kernel (PLDI’03), file operations, Y2K, initialization in kernel, …

17 17 Future Work Integrate into Eclipse compilation process Improve error path heuristics –Where do we report an error? –Which path do we show the user? JQual – type qualifier analysis for Java –Basic version available real soon now

18 18 For More Information http://cqual.sourceforge.net (Contact us directly for Eclipse plugin)

Download ppt "Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland."

Similar presentations

Static Analysis for Security

Static Analysis for Security
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Kathleen Fisher cs242 Reading: “Concepts in Programming Languages”, Chapter 6.

Kathleen Fisher cs242 Reading: “Concepts in Programming Languages”, Chapter 6.
Visual Scripting of XML

Visual Scripting of XML
Effective Static Deadlock Detection

Effective Static Deadlock Detection
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Dynamic Memory Allocation I Topics Simple explicit allocators Data structures Mechanisms Policies CS 105 Tour of the Black Holes of Computing.

Dynamic Memory Allocation I Topics Simple explicit allocators Data structures Mechanisms Policies CS 105 Tour of the Black Holes of Computing.
Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.

Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Type Qualifiers CS 6340 1. 2 Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors (bugs).

Type Qualifiers CS Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors ("bugs").
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Preventing bugs with pluggable type checking Michael D. Ernst University of Washington Object x)

Preventing bugs with pluggable type checking Michael D. Ernst University of Washington Object x)
GUI Threading Explained and Verified Michael Ernst U. of Washington, Seattle, USA IMDEA Software Institute, Madrid, Spain joint work with Colin Gordon,

GUI Threading Explained and Verified Michael Ernst U. of Washington, Seattle, USA IMDEA Software Institute, Madrid, Spain joint work with Colin Gordon,
Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.

Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.

CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.
Specialized Reference Counting Garbage Collection using Data Structure Annotations By Eric Watkins and Dzin Avots for CS 343 Spring 2002.

Specialized Reference Counting Garbage Collection using Data Structure Annotations By Eric Watkins and Dzin Avots for CS 343 Spring 2002.

Similar presentations

Ads by Google