scientific edition of Bauman MSTU
SCIENCE & EDUCATION
Bauman Moscow State Technical University. El № FS 77 - 48211. ISSN 1994-0408
An Incorrect Index Search Method for C++ String Accesses
# 05, May 2016
Article file: SE-BMSTU...o186.pdf (346.78Kb)
Since C++ is a commonly used programming language that is also in wide use for programming the mobile OS such as Tizen the static analysis of C++ programs is in high demand. The article is devoted to searching the accesses to C++ strings with an incorrect index. As opposed to the buffer overflows in C, this kind of defect in rarely detected by industrial static analyzers due to complexity of its modeling. In the work, we formalize the criteria of this defect and propose the formal modeling rules of C++ string-related methods and a number of STL functions. These rules allow modeling of string length and access index. The rules for summary-based inter-procedural analysis are introduced as well. The article simulates only the length of a string to provide a compromise between the search precision and the volume of data processing. A checker based on these modeling rules is implemented for the Clang Static Analyzer - a symbolic execution static analyzer for C++ code. This checker was tested on the C++ code of Android OS and OS Tizen user-mode packages (totally about 20 million strings of code). The results of an eye-inspection of warnings produced by this checker prove its precision, which is appropriate for industrial static analyzer: nearly 70% of warnings were considered to be true positive. A presented approach may be extended for analysis of C++ STL container classes or modified to analyze programs written in other languages. Modeling of string content is of interest too because its lack causes a number of false positives.References
1. Working Draft, Standard for Programming Language C++. ISO/IEC N4296, 2014.
2. Robert C. Seacord Secure Coding in C and C++. Addison-Wesley Professional, 2013. 545 p.
3. STR53-CPP. Range check element access. . Range check element access // CERT: web-site. Available at: https://www.securecoding.cert.org/confluence/display/cplusplus/STR53-CPP.+Range+check+element+access (accessed: 16.02.2016)
4. Lian Li, Cristina Cifuentes, Nathan Keynes. Practical and effective symbolic analysis for buffer overflow detection. In Proceedings of the Eighteenth ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE ’10,2010, New York, USA, ACM, pp. 317–326.
5. Ru-Gang Xu, Patrice Godefroid, Rupak Majumdar. Testing for Buffer Overflows with Length Abstraction. In Proceedings of the 2008 international symposium on Software testing and analysis, ISSTA ’08, 2008, New York, USA, ACM, pp 27–38.
6. Xavier Allamigeon, Wenceslas Godard, Charles Hymans. Static Analysis of String Manipulations in Critical Embedded C Programs. Static Analysis: 13th International Symposium, SAS 2006. Proceedings. Seoul, Korea, August 29–31, Pp. 35–51.
7. James C. King. Symbolic execution and program testing. Communications of the ACM, 1976, no. 7, vol. 19, pp. 385–394.
8. David Larochelle, David Evans. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the 10th conference on USENIX Security Symposium. 2001, CA, USA, USENIX Association Berkeley, Vol. 10, Article No. 14.
9. Belevantsev Andrey, Malikov Oleg. Using data flow analysis for detecting security vulnerabilities. Proceedings of ISP RAS. 2006, no. 11, pp. 83–98.
10. Romanova T.N., Sidorin A.V. Summary-based interprocedural analysis method for implementation in multi-purpose static C/C++ code analyzer. Vestnik MGTU im. N.E. Baumana. Seriya Priborostroenie = Ser. Instrument Engineering, 2015, no. 5, pp. 73–93. (In Russian). DOI: 10.18698/0236-3933-2015-5-75-96
11. Clang Static Analyzer. Clang Static Analyzer: web-site. Available at: http://clang-analyzer.llvm.org/ (accessed: 17.02.2016).
Publications with keywords: C++, STL, static code analysis, Clang Static Analyzer, string overflow
Publications with words: C++, STL, static code analysis, Clang Static Analyzer, string overflow