Slide 1: CQual: A Tool for Adding Type Qualifiers to C
Jeff Foster et al., UC Berkeley
OSQ Retreat, May 21-23 2002
Slide 2: Background
Software is buggy! How can we improve the quality of software?
– We want to build tools to analyze source code: find bugs at compile-time, help programmers write correct code
But tools need to know what is "correct"
– ...they need specifications
Slide 3: Tools Need Specifications
Example:
  put_tty_queue_nolock(c, tty);
  spin_lock_irqsave(&tty->read_lock, flags);
  spin_unlock_irqrestore(&tty->read_lock, flags);
Goal: add specifications to programs in a way that...
– Programmers will accept (lightweight)
– Scales to large programs
– Solves many different problems
Slide 4: Type Qualifiers
Extend standard type systems (C, Java, ML)
– Programmers already use types
– Programmers understand types
– Get programmers to write down a little more...
Examples:
  Qualifier   Type         Application
  const       int          ANSI C
  tainted     char *       Security vulnerabilities
  unlocked    spinlock_t   Locking
Slide 5: CQual
A tool for adding type qualifiers to C
– User-specified qualifiers
– Annotate some qualifiers by hand
– CQual infers the rest
Version 1:
– Written in SML/NJ
– Used C parser from alias analysis (was lots of work to fix, extend to GNU C)
– Constraints solved with BANE
Slide 6: Application: Const Inference
Main use of const: non-modified parameters
  void foo(const int *x); /* foo does not write *x */
How many more consts can we add?
– Left-hand side of assignment: non-const
– Everything that's not non-const is const
Analyzed six C programs
– 1496-36913 lines
– All make effort to use const
Slide 7: Const Inference Results (chart)
Slide 8: Carillon
CQual for finding Y2K bugs
– Mark date strings with YYYY, YY, NONYEAR, ...
Better user interface
– (Demo later)
Found known bug in CVS 1.9
– Took only a few hours of work
Slide 9: Problems with CQual Version 1
Bad error messages in parser
Too slow, used too much memory
Written in ML
– No tools available (debugger, profiler, etc.)
– Hard to control memory usage, performance
– |{know ML}| is small
– |{know ML} ∩ {care about C}| very small
Slide 10: CQual Version 2: Rewrite to C
Use David Gay's parser
– Extracted/modified from gcc
– Very compatible
– Very good error messages
Custom constraint solver
– Solves atomic subtyping constraints
– Dropped polymorphic qualifier inference, but allow user-specified polymorphism
Slide 11: Application: Format-String Vulnerabilities
Adversary-controlled format specifier
  name := ...;
  printf(name); /* Oops */
– Attacker sets name = "%s%s%s" to crash program
– Attacker sets name = "...%n..." to write to memory
Lots of these bugs in the wild
– New ones weekly on the bugtraq mailing list
– Too restrictive to forbid variable format strings
Slide 12: Using Tainted and Untainted
Add qualifier annotations:
  int printf(untainted char *fmt, ...);
  tainted char *getenv(const char *);
tainted = may be controlled by adversary
untainted = must not be controlled by adversary
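A miniature version of the inference the two slides above describe, added here as an example (not CQual's own code or solver): qualifier variables, atomic subtyping edges, and the tainted/untainted lattice, applied to the getenv/printf annotations. The function and variable names are the example's own, and it checks call shapes rather than parsing C.

```c
/* Added example, not CQual's own code: a miniature flow-insensitive qualifier
 * solver for the tainted/untainted lattice (untainted <= tainted).  Each
 * expression gets a qualifier variable; assignments and argument passes add
 * atomic subtyping edges (from <= to); annotated sources force "tainted" and
 * annotated sinks demand "untainted".  Taint propagates to a fixpoint, and a
 * variable that is tainted yet demanded untainted is a type error. */
#include <string.h>

#define MAX_VARS  16
#define MAX_EDGES 32

struct solver {
    int nvars, nedges;
    int tainted[MAX_VARS];        /* forced tainted, e.g. getenv's result */
    int need_untainted[MAX_VARS]; /* flows into printf's untainted fmt */
    int efrom[MAX_EDGES], eto[MAX_EDGES]; /* constraint q_from <= q_to */
};

static int  new_var(struct solver *s) { return s->nvars++; }
static void flows_to(struct solver *s, int from, int to) {
    s->efrom[s->nedges] = from; s->eto[s->nedges] = to; s->nedges++;
}

/* Propagate taint to a fixpoint, then count conflicting variables. */
static int solve(struct solver *s) {
    int changed = 1, errors = 0, i;
    while (changed) {
        changed = 0;
        for (i = 0; i < s->nedges; i++)
            if (s->tainted[s->efrom[i]] && !s->tainted[s->eto[i]])
                s->tainted[s->eto[i]] = changed = 1;
    }
    for (i = 0; i < s->nvars; i++)
        if (s->tainted[i] && s->need_untainted[i]) errors++;
    return errors;
}

/* Models  name = getenv(...);  followed by one of three printf calls:
 *   mode 0: printf("%s", name)   literal reaches fmt, name only reaches varargs
 *   mode 1: printf(name)         the slide's bug
 *   mode 2: printf((char *)name) same bug; the qualifier survives the cast */
static int check_printf_call(int mode) {
    struct solver s; memset(&s, 0, sizeof s);
    int name = new_var(&s), fmt = new_var(&s), lit = new_var(&s);
    s.tainted[name] = 1;            /* tainted char *getenv(const char *) */
    s.need_untainted[fmt] = 1;      /* int printf(untainted char *fmt, ...) */
    if (mode == 0) flows_to(&s, lit, fmt);
    if (mode == 1) flows_to(&s, name, fmt);
    if (mode == 2) { int c = new_var(&s); flows_to(&s, name, c); flows_to(&s, c, fmt); }
    return solve(&s);
}
```

Mode 0 yields no errors; modes 1 and 2 each report one, which is what "taint flows across type casts" on the results slide means in practice.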
Slide 13: Demo of cqual
Slide 14: Results: Format String Vulnerabilities
Analyzed 10 popular Unix daemon programs
Annotations shared across applications
– One annotated header file for standard libraries
– Taint flows across type casts
Found several known vulnerabilities
– Including ones we didn't know about
– CQual's user interface critical
Slide 15: Application: Locking
  Lock x;
  lock(x);                   x : locked Lock
  ... critical section ...
  unlock(x);                 x : unlocked Lock
Slide 16: Flow-Sensitivity
Standard type systems are flow-insensitive
– Variable x has one type
– And one set of qualifiers
We need flow-sensitivity
– Different qualifiers for x at each program point
Enter CQual Version 3
– Support for flow-sensitive qualifiers
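To make the flow-sensitive idea from the locking and flow-sensitivity slides concrete, an added example (not CQual's code, which typechecks real C rather than an op list): a checker that gives x a different locked/unlocked qualifier at each program point and flags the double acquires and double releases the Linux experiment looked for. The op encoding and function names are the example's own.

```c
/* Added example, not CQual's own code: a flow-sensitive checker in the
 * spirit of Version 3.  Each lock has a qualifier (locked/unlocked) that
 * changes at every program point, so the same variable x is an
 * "unlocked Lock" before lock(x) and a "locked Lock" after it.  Walking a
 * straight-line op sequence reports the simple deadlocks the Linux
 * experiment looked for: double acquires and double releases. */
#include <stddef.h>

enum lock_state { UNLOCKED = 0, LOCKED = 1 };
enum op_kind { OP_LOCK, OP_UNLOCK };

struct op { enum op_kind kind; int lock; }; /* lock: index of the Lock variable */

#define MAX_LOCKS 8

/* Returns the number of type errors found; *held_at_end receives how many
 * locks are still held when the sequence ends (not an error by itself,
 * but the diagnostic a caller would want at function exit). */
int check_lock_sequence(const struct op *ops, size_t n, int *held_at_end) {
    enum lock_state state[MAX_LOCKS] = {0};  /* every lock starts unlocked */
    int errors = 0, held = 0; size_t i;
    for (i = 0; i < n; i++) {
        enum lock_state *st = &state[ops[i].lock];
        if (ops[i].kind == OP_LOCK) {
            if (*st == LOCKED) errors++;        /* double acquire: deadlock */
            else { *st = LOCKED; held++; }
        } else {
            if (*st == UNLOCKED) errors++;      /* double release */
            else { *st = UNLOCKED; held--; }
        }
    }
    if (held_at_end) *held_at_end = held;
    return errors;
}

/* Constructed sample sequences over the slide's "Lock x" (lock index 0). */
static const struct op critical_section[] = { {OP_LOCK, 0}, {OP_UNLOCK, 0} };
static const struct op double_acquire[]   = { {OP_LOCK, 0}, {OP_LOCK, 0}, {OP_UNLOCK, 0} };
static const struct op double_release[]   = { {OP_LOCK, 0}, {OP_UNLOCK, 0}, {OP_UNLOCK, 0} };

int errors_critical_section(void) { return check_lock_sequence(critical_section, 2, NULL); }
int errors_double_acquire(void)   { return check_lock_sequence(double_acquire, 3, NULL); }
int errors_double_release(void)   { return check_lock_sequence(double_release, 3, NULL); }
int held_after_lock_only(void)    { int h; check_lock_sequence(critical_section, 1, &h); return h; }
```

A flow-insensitive checker would have to give x a single qualifier for the whole function, so even the correct critical section would fail; the per-point state is what lets it pass.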
Slide 17: Demo of cqual
Slide 18: Results: Locking
Looked for simple deadlocks in Linux 2.4.9
– Double acquires/releases
Analyzed 892 files in linux/drivers individually
Analyzed 513 modules (all linked files)
– 14 type errors: deadlocks
– ~41/892 fail to typecheck but appear correct
– ~196/513 fail to typecheck; added restrict by hand to remove type errors due to aliasing for 64/196
Slide 19: Running Time: Locking (chart)
Slide 20: Memory Usage: Locking (chart)
Slide 21: Applications
Published experiments:
– const inference [Foster, Fahndrich, Aiken, PLDI 99]
– Y2K bug detection [Elsman, Foster, Aiken, 1999]
– Format-string vulnerabilities [Shankar, Talwar, Foster, Wagner, Usenix Security 01]
– Locking, stream operations [Foster, Terauchi, Aiken, PLDI 02]
– Linux Security Modules [Zhang, Edwards, Jaeger (IBM Watson), Usenix Security 02]
Other experiments:
– Null pointer errors
– TinyOS (Intel)
– User/kernel pointers
– File open/close
Slide 22: What's Next for CQual?
Better version of restrict
Polymorphic-recursive qualifier inference
– Adapt known techniques for flow-insensitive analysis
– Less clear for flow-sensitive analysis
Better alias analysis
– Names vs. location abstraction
Slide 23: Conclusion
CQual adds specifications to programs in a way that...
– Programmers will accept (lightweight)
– Scales to large programs
– Solves many different problems
Flow-insensitive version available: http://www.cs.berkeley.edu/~jfoster/cqual