[Dailydave] Source Code Analysis
Alexander Sotirov
asotirov at determina.com
Thu Sep 7 11:35:23 EST 2006
Dave Aitel wrote:
> CoolQ gave a talk on his efforts regarding source code analysis via
> gcc AST translation and state-table analysis at XCon 2006. I thought
> it was well put together for people who are not completely wrapped in
> static analysis to understand the basic concepts. I don't think his
> paper is available publicly yet, but he found some bugs in the Linux
> kernel with his tool relating to lock/unlock issues. His tool is also
> not public, but the concepts don't seem that hard to implement for the
> GCC team or someone familiar with the code-base.
Here's some work I did on static analysis last year (as a gcc patch):
http://gcc.vulncheck.org/
I used taint propagation and value range propagation to detect things like:
n = read_int_from_network();
memcpy(src, dst, n);
which is exactly the same C pattern that caused the OpenSSL remote vulnerability a
few years ago, and surely many others. The value range propagation allows us to
correctly flag this as safe:
n = read_int_from_network();
if (n < 255)
    memcpy(src, dst, n);
It never got to the point where it's useful as a product, but the paper should
be a decent intro to the algorithms you need for the analysis. I hope it's
useful to somebody.
When the GCC team completes their whole program analysis project (LTO) and
improves the inter-procedural analysis infrastructure, this kind of gcc patch
will become more useful.
Alex
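The two analyses Alex mentions, taint propagation and value range propagation, can be sketched in a few dozen lines over a toy intermediate representation. The block below is an added example and is not code from the gcc patch at gcc.vulncheck.org; the IR (tuples such as `("read_net", "n")` and `("if_lt", ...)`), the unsigned 32-bit model for lengths, and the two constructed programs mirroring the C fragments above are all assumptions made for illustration. It flags a `memcpy` whose length variable is attacker-derived and whose interval exceeds the destination buffer, and it stays quiet when an `if (n < 255)` guard narrows the interval first. It also shows what the post does not: the guard only helps inside the branch, because the ranges are joined again after the `if`.

```python
"""Toy taint + value-range propagation (added example, not the gcc patch).

Statements are tuples:
  ("decl", buf, size)                 char buf[size];
  ("read_net", var)                   var = read_int_from_network();
  ("const", var, value)               var = value;
  ("if_lt", var, k, then_b, else_b)   if (var < k) { then_b } else { else_b }
  ("memcpy", dst, src, len_var)       memcpy(dst, src, len_var);
Lengths are modelled as unsigned 32-bit values (an assumption of this toy).
"""
from dataclasses import dataclass
from typing import Dict, List

UINT_MAX = 2**32 - 1


@dataclass(frozen=True)
class Fact:
    """What the analysis knows about one integer variable."""
    tainted: bool  # derived from attacker-controlled input?
    lo: int        # inclusive lower bound
    hi: int        # inclusive upper bound


State = Dict[str, Fact]


def _join(a: Fact, b: Fact) -> Fact:
    """Control-flow join: taint is sticky, intervals are unioned."""
    return Fact(a.tainted or b.tainted, min(a.lo, b.lo), max(a.hi, b.hi))


def _join_states(s1: State, s2: State) -> State:
    out: State = {}
    for var in set(s1) | set(s2):
        if var in s1 and var in s2:
            out[var] = _join(s1[var], s2[var])
        else:
            out[var] = s1[var] if var in s1 else s2[var]
    return out


def _run(stmts: List[tuple], state: State, buffers: Dict[str, int],
         findings: List[str]) -> State:
    state = dict(state)
    for st in stmts:
        op = st[0]
        if op == "decl":
            buffers[st[1]] = st[2]
        elif op == "read_net":
            # Network input: tainted, and nothing known beyond the type range.
            state[st[1]] = Fact(True, 0, UINT_MAX)
        elif op == "const":
            state[st[1]] = Fact(False, st[2], st[2])
        elif op == "if_lt":
            var, k, then_b, else_b = st[1:]
            f = state[var]
            branches = []
            # Narrow the interval on each side of the comparison; drop a
            # branch whose interval becomes empty (the path is infeasible).
            for bound, body in ((Fact(f.tainted, f.lo, min(f.hi, k - 1)), then_b),
                                (Fact(f.tainted, max(f.lo, k), f.hi), else_b)):
                if bound.lo <= bound.hi:
                    s = dict(state)
                    s[var] = bound
                    branches.append(_run(body, s, buffers, findings))
            state = branches[0]
            for s in branches[1:]:
                state = _join_states(state, s)
        elif op == "memcpy":
            dst, n = st[1], st[3]
            f, size = state[n], buffers[dst]
            if f.hi > size:
                kind = "tainted" if f.tainted else "untainted"
                findings.append(
                    f"memcpy into {dst}[{size}] with {kind} length in [{f.lo}, {f.hi}]")
    return state


def analyze(stmts: List[tuple]) -> List[str]:
    """Return one finding string per memcpy whose length may exceed its buffer."""
    findings: List[str] = []
    _run(stmts, {}, {}, findings)
    return findings


def is_safe(stmts: List[tuple]) -> bool:
    return not analyze(stmts)


# Constructed programs mirroring the two C fragments in the post.
UNCHECKED = [("decl", "dst", 256), ("read_net", "n"),
             ("memcpy", "dst", "src", "n")]
CHECKED = [("decl", "dst", 256), ("read_net", "n"),
           ("if_lt", "n", 255, [("memcpy", "dst", "src", "n")], [])]
# Guard present, but the copy happens after the if: the join widens n again.
GUARD_THEN_COPY = [("decl", "dst", 256), ("read_net", "n"),
                   ("if_lt", "n", 255, [], []), ("memcpy", "dst", "src", "n")]

if __name__ == "__main__":
    for name, prog in (("UNCHECKED", UNCHECKED), ("CHECKED", CHECKED),
                       ("GUARD_THEN_COPY", GUARD_THEN_COPY)):
        print(name, analyze(prog) or "no findings")
```

Running the module prints one finding for `UNCHECKED` and for `GUARD_THEN_COPY`, and none for `CHECKED`. The interesting design point is the join: after an `if`, the intervals from both branches are unioned, so a bound established by the comparison survives only on the guarded path. That is what makes the analysis path-sensitive enough to accept the second C fragment while still catching a guard that does not actually dominate the copy.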