Dailydave mailing list archives

Re: Source Code Analysis


From: Alexander Sotirov <asotirov () determina com>
Date: Thu, 07 Sep 2006 09:35:23 -0700

Dave Aitel wrote:
> CoolQ gave a talk on his efforts regarding source code analysis via
> gcc AST translation and state-table analysis at XCon 2006. I thought
> it was well put together for people who are not completely wrapped in
> static analysis to understand the basic concepts. I don't think his
> paper is available publicly yet, but he found some bugs in the Linux
> kernel with his tool relating to lock/unlock issues. His tool is also
> not public, but the concepts don't seem that hard to implement for the
> GCC team or someone familiar with the code-base.

Here's some work I did on static analysis last year (as a gcc patch):
http://gcc.vulncheck.org/

I used taint propagation and value range propagation to detect things like:

        n = read_int_from_network();   /* attacker-controlled length */
        memcpy(dst, src, n);           /* unbounded copy: dst is first in C */

which is exactly the same C pattern that caused the OpenSSL remote vulnerability a
few years ago, and surely many others. The value range propagation allows us to
correctly flag this as safe:

        n = read_int_from_network();
        if (n < 255)
                memcpy(dst, src, n);   /* length bounded by the check above */

It never got to the point where it was useful as a product, but the paper should
be a decent intro to the algorithms you need for the analysis. I hope it's
useful to somebody.

When the GCC team completes their whole program analysis project (LTO) and
improves the inter-procedural analysis infrastructure, this kind of gcc patch
will become more useful.

Alex
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
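The two analyses Alex combines, taint propagation and value range propagation, as an added example that is not the gcc patch from the message and not part of the original post: a toy forward abstract interpreter in Python over a hand-built three-address IR. The IR, its statement names (`const`, `input`, `if_lt`, `memcpy`), the 32-bit int width and the rule "tainted length with no learned upper bound is a bug" are all assumptions of this example. It runs the two patterns quoted in the message and adds two variants the message does not show: the length being read again after the check, and the check not dominating the memcpy, both of which the path-sensitive range tracking re-flags.

```python
from functools import reduce

# Assume a 32-bit signed int, as in the C snippets being analysed.
INT_MIN, INT_MAX = -2**31, 2**31 - 1

# Abstract value for one variable: (lo, hi, tainted).
# "tainted" means the value may be attacker-controlled (came off the network).
TOP_TAINTED = (INT_MIN, INT_MAX, True)


def join(a, b):
    """Merge two abstract values at a control-flow merge: interval hull, taint OR."""
    return (min(a[0], b[0]), max(a[1], b[1]), a[2] or b[2])


def join_states(s1, s2):
    """Merge two abstract states; a variable known on only one path keeps its taint but loses its range."""
    out = {}
    for v in set(s1) | set(s2):
        if v in s1 and v in s2:
            out[v] = join(s1[v], s2[v])
        else:
            known = s1.get(v) or s2.get(v)
            out[v] = (INT_MIN, INT_MAX, known[2])
    return out


def analyze(stmts, state=None, findings=None):
    """Forward abstract interpretation over a toy IR (constructed for this example).

    Statements:
      ("const", var, k)                          var = k
      ("input", var)                             var = read_int_from_network(): tainted, unknown range
      ("if_lt", var, k, then_block, else_block)  if (var < k) {then} else {else}
      ("memcpy", dst, src, len_var)              memcpy(dst, src, len_var): the sink we check
    Returns the abstract state after the block; findings are appended to `findings`.
    """
    state = dict(state or {})
    findings = [] if findings is None else findings
    for stmt in stmts:
        op = stmt[0]
        if op == "const":
            _, var, k = stmt
            state[var] = (k, k, False)
        elif op == "input":
            _, var = stmt
            state[var] = TOP_TAINTED
        elif op == "if_lt":
            _, var, k, then_block, else_block = stmt
            lo, hi, tainted = state.get(var, TOP_TAINTED)
            out_states = []
            # Then-branch: var < k narrows the upper bound to k - 1.
            if lo <= min(hi, k - 1):
                s = dict(state)
                s[var] = (lo, min(hi, k - 1), tainted)
                out_states.append(analyze(then_block, s, findings))
            # Else-branch: var >= k raises the lower bound to k.
            if max(lo, k) <= hi:
                s = dict(state)
                s[var] = (max(lo, k), hi, tainted)
                out_states.append(analyze(else_block, s, findings))
            # Ranges learned inside a branch are merged away again here.
            state = reduce(join_states, out_states) if out_states else state
        elif op == "memcpy":
            _, dst, src, len_var = stmt
            lo, hi, tainted = state.get(len_var, TOP_TAINTED)
            # The message's rule: a tainted length whose range has no upper bound is a bug;
            # a tainted length the program has bounded (e.g. n < 255) is accepted.
            if tainted and hi == INT_MAX:
                findings.append(("unbounded tainted length", len_var, (lo, hi)))
        else:
            raise ValueError(f"unknown statement {op}")
    return state


def check_program(stmts):
    """Run the analysis over a whole program and return its findings."""
    findings = []
    analyze(stmts, None, findings)
    return findings


# Pattern 1 from the message: the length comes straight off the wire.
UNCHECKED = [("input", "n"), ("memcpy", "dst", "src", "n")]

# Pattern 2 from the message: the length is bounded before use.
BOUNDED = [("input", "n"),
           ("if_lt", "n", 255, [("memcpy", "dst", "src", "n")], [])]

# Added variant: the check is real, but the length is read again inside the branch.
RECHECKED = [("input", "n"),
             ("if_lt", "n", 255, [("input", "n"), ("memcpy", "dst", "src", "n")], [])]

# Added variant: the bound only holds inside the branch; after the merge n is unbounded again.
CHECK_NOT_DOMINATING = [("input", "n"),
                        ("if_lt", "n", 255, [], []),
                        ("memcpy", "dst", "src", "n")]

if __name__ == "__main__":
    for name, prog in [("unchecked", UNCHECKED), ("bounded", BOUNDED),
                       ("rechecked", RECHECKED), ("check-not-dominating", CHECK_NOT_DOMINATING)]:
        print(name, check_program(prog) or "ok")
```

Two caveats a practitioner would add, neither of which the toy handles: a signed `n < 255` still admits negative `n`, which becomes an enormous `size_t` at the `memcpy` call, so a real checker also wants the lower bound tested against zero (or the comparison done on an unsigned type); and the real gcc work operates on GIMPLE with the compiler's own VRP and alias information rather than on a hand-written IR, which is why the inter-procedural and LTO infrastructure Alex mentions matters so much for the false-positive rate.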