Dailydave mailing list archives
Re: Source Code Analysis
From: Alexander Sotirov <asotirov () determina com>
Date: Thu, 07 Sep 2006 09:35:23 -0700
Dave Aitel wrote:
CoolQ gave a talk on his efforts regarding source code analysis via gcc AST translation and state-table analysis at XCon 2006. I thought it was well put together for people who are not completely wrapped in static analysis to understand the basic concepts. I don't think his paper is available publicly yet, but he found some bugs in the Linux kernel with his tool relating to lock/unlock issues. His tool is also not public, but the concepts don't seem that hard to implement for the GCC team or someone familiar with the code-base.
Here's some work I did on static analysis last year (as a gcc patch):

http://gcc.vulncheck.org/

I used taint propagation and value range propagation to detect things like:

    n = read_int_from_network();
    memcpy(dst, src, n);

which is exactly the same C pattern that caused the OpenSSL remote vulnerability a few years ago, and surely many others. The value range propagation allows us to correctly flag this as safe:

    n = read_int_from_network();
    if (n < 255)
        memcpy(dst, src, n);

It never got to the point where it's useful as a product, but the paper should be a decent intro to the algorithms you need for the analysis. I hope it's useful to somebody.

When the GCC team completes their whole program analysis project (LTO) and improves the inter-procedural analysis infrastructure, this kind of gcc patch will become more useful.

Alex
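The analysis Alex describes, reduced to a toy: taint marks values that come from the network, interval ranges are narrowed on the true edge of a guard, and a memcpy is flagged when its length is tainted and not provably bounded by the destination. This is an added illustration, not code from the gcc patch; the statement tuple format, the "buf" declaration and the unsigned treatment of lengths are constructed assumptions, and there is no path joining or loop handling.

```python
# Toy taint + value-range propagation over a constructed straight-line IR.
INF = float("inf")

def range_of(ranges, operand):
    """Interval of a constant or variable; unknown variables are unbounded."""
    if isinstance(operand, int):
        return (operand, operand)
    return ranges.get(operand, (0, INF))

def analyze(stmts):
    """Return warnings for memcpy calls whose length is tainted and not
    provably bounded by the destination size. Statement forms (constructed):
      ("buf", name, size)            char name[size];
      ("taint_src", var)             var = read_int_from_network();
      ("assign", var, operand)       var = operand;
      ("guard", var, op, const)      if (var op const) { ...rest of stmts... }
      ("memcpy", dst, src, len)      memcpy(dst, src, len);
    Lengths are treated as unsigned, so only the upper bound matters."""
    tainted, ranges, bufs, warnings = set(), {}, {}, []
    for s in stmts:
        kind = s[0]
        if kind == "buf":
            bufs[s[1]] = s[2]
        elif kind == "taint_src":
            tainted.add(s[1])
            ranges[s[1]] = (0, INF)                      # attacker-controlled, unbounded
        elif kind == "assign":
            _, var, op = s
            is_tainted = op in tainted                   # taint flows through copies
            tainted.discard(var)
            if is_tainted:
                tainted.add(var)
            ranges[var] = range_of(ranges, op)
        elif kind == "guard":
            _, var, op, c = s                            # narrow the interval on the true edge
            lo, hi = range_of(ranges, var)
            if op == "<":  hi = min(hi, c - 1)
            if op == "<=": hi = min(hi, c)
            if op == ">":  lo = max(lo, c + 1)
            if op == ">=": lo = max(lo, c)
            ranges[var] = (lo, hi)
        elif kind == "memcpy":
            _, dst, src, length = s
            _, hi = range_of(ranges, length)
            limit = bufs.get(dst, INF)                   # unknown destination size: only INF is safe to exclude
            if length in tainted and (hi == INF or hi > limit):
                warnings.append(f"memcpy({dst}, {src}, {length}): tainted length, max {hi}, dst holds {limit}")
    return warnings
```

With a declared destination size the guard alone is not enough: `if (n < 255)` still lets 254 bytes into a 128-byte buffer, which the range check reports.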
Current thread:
- Source Code Analysis Dave Aitel (Sep 07)
- Re: Source Code Analysis Alexander Sotirov (Sep 07)
- Re: Source Code Analysis Matt (Sep 07)
- Re: Source Code Analysis Alexander Sotirov (Sep 18)
- Re: Source Code Analysis Matt (Sep 07)
- Re: Source Code Analysis Mateusz Berezecki (Sep 07)
- Re: Source Code Analysis Matt (Sep 07)
- <Possible follow-ups>
- Source Code Analysis kcope (Sep 16)
- Re: Source Code Analysis Alexander Sotirov (Sep 07)