Dailydave
mailing list archives
Re: Source Code Analysis
From: Alexander Sotirov <asotirov () determina com>
Date: Thu, 07 Sep 2006 09:35:23 -0700
Dave Aitel wrote:
CoolQ gave a talk on his efforts regarding source code analysis via
gcc AST translation and state-table analysis at XCon 2006. I thought
it was well put together for people who are not completely wrapped in
static analysis to understand the basic concepts. I don't think his
paper is available publicly yet, but he found some bugs in the Linux
kernel with his tool relating to lock/unlock issues. His tool is also
not public, but the concepts don't seem that hard to implement for the
GCC team or someone familiar with the code-base.
Here's some work I did on static analysis last year (as a gcc patch):
http://gcc.vulncheck.org/
I used taint propagation and value range propagation to detect things like:
n = read_int_from_network();
memcpy(src, dst, n);
which is exactly the same C pattern that caused the OpenSSL remote vulnerability a
few years ago, and surely many others. The value range propagation allows us to
correctly flag this as safe:
n = read_int_from_network();
if (n < 255)
memcpy(src, dst, n);
It never got to the point where it's useful as a product, but the paper should
be a decent intro to the algorithms you need for the analysis. I hope it's
useful to somebody.
When the GCC team completes their whole program analysis project (LTO) and
improves the inter-procedural analysis infrastructure, this kind of gcc patch
will become more useful.
Alex
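A toy version of the taint plus value-range check described in the post, added here as an example; it is not code from the post or from the gcc.vulncheck.org patch. It treats read_int_from_network() as the only taint source, models the length as 32-bit unsigned, and lets an `if (var < bound)` guard narrow the range for the single statement that follows it.

```python
import re

# Constructed toy model: taint propagation plus value-range propagation over a
# straight-line C-like snippet. Lengths are modelled as 32-bit unsigned values,
# so an unconstrained variable has range [0, UINT_MAX].
UINT_MAX = 0xFFFFFFFF
TAINT_SOURCES = {"read_int_from_network"}  # hypothetical source name from the post

ASSIGN_CALL = re.compile(r"^(\w+)\s*=\s*(\w+)\(\);$")
ASSIGN_CONST = re.compile(r"^(\w+)\s*=\s*(\d+);$")
GUARD = re.compile(r"^if\s*\(\s*(\w+)\s*<\s*(\d+)\s*\)$")
MEMCPY = re.compile(r"^memcpy\(\w+,\s*\w+,\s*(\w+)\);$")

def analyze(snippet, dst_size):
    """Return warnings for memcpy calls whose attacker-controlled length
    can exceed dst_size, the destination buffer size in bytes."""
    facts = {}       # var -> (tainted, lo, hi)
    pending = None   # (var, bound) guard that applies to the next statement only
    warnings = []
    for lineno, raw in enumerate(snippet.strip().splitlines(), 1):
        line = raw.strip()
        guard, pending = pending, None          # consume any guard from the previous line
        if m := ASSIGN_CALL.match(line):
            var, fn = m.groups()
            facts[var] = (fn in TAINT_SOURCES, 0, UINT_MAX)   # unknown range, maybe tainted
        elif m := ASSIGN_CONST.match(line):
            var, val = m.group(1), int(m.group(2))
            facts[var] = (False, val, val)                    # exact, untainted range
        elif m := GUARD.match(line):
            pending = (m.group(1), int(m.group(2)))
        elif m := MEMCPY.match(line):
            var = m.group(1)
            tainted, lo, hi = facts.get(var, (True, 0, UINT_MAX))  # unknown var: assume worst
            if guard and guard[0] == var:
                hi = min(hi, guard[1] - 1)      # `if (var < bound)` caps the range at bound-1
            if tainted and hi > dst_size:
                warnings.append(
                    f"line {lineno}: tainted memcpy length {var} in [{lo}, {hi}] "
                    f"may exceed destination size {dst_size}")
    return warnings

if __name__ == "__main__":
    unchecked = "n = read_int_from_network();\nmemcpy(src, dst, n);"
    checked = "n = read_int_from_network();\nif (n < 255)\nmemcpy(src, dst, n);"
    print(analyze(unchecked, 256))   # one warning: range is [0, 4294967295]
    print(analyze(checked, 256))     # []: the guard narrows the range to [0, 254]
```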
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave