CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May 21-23 2002 Background • Software is buggy! • How can we improve the quality of software? – We want to build tools to analyze source code • Find bugs at compile-time • Help programmers write correct code • But tools need to know what is ‘‘correct’’ – ...they need specifications Jeff Foster, OSQ Retreat, May 21-23 2002 2 Tools Need Specifications spin_lock_irqsave(&tty->read_lock, flags); put_tty_queue_nolock(c, tty); spin_unlock_irqrestore(&tty->read_lock, flags); • Goal: Add specifications to programs In a way that... – Programmers will accept • Lightweight – Scales to large programs – Solves many different problems Jeff Foster, OSQ Retreat, May 21-23 2002 3 Type Qualifiers • Extend standard type systems (C, Java, ML) – Programmers already use types – Programmers understand types – Get programmers to write down a little more... const int ANSI C tainted char * Security vulnerabilities unlocked spinlock_t Locking Jeff Foster, OSQ Retreat, May 21-23 2002 4 CQual • A tool for adding type qualifiers to C – User-specified qualifiers – Annotate some qualifiers by hand – CQual infers the rest • Version 1: – Written in SML/NJ – Used C parser from alias analysis • Was lots of work to fix, extend to GNU C – Constraints solved with BANE Jeff Foster, OSQ Retreat, May 21-23 2002 5 Application: Const Inference • Main use of const: non-modified parameters void foo(const int *x); /* foo does not write *x */ • How many more consts can we add? – Left-hand side of assignment non-const – Everything that's not non-const is const • Analyzed six C programs – 1496-36913 lines – All make effort to use const Jeff Foster, OSQ Retreat, May 21-23 2002 6 Const Inference Results 100% Non-const Poly 80% Mono 60% Declared 40% 20% Jeff Foster, OSQ Retreat, May 21-23 2002 .0 4 -1 uu cp 1. 2. 26 ss h- -2 .7 tils di f fu m 4- 1. 4 .5 h2 pa tc w om an -3 .0 a 0% 7 Carillon • CQual for finding Y2K bugs – Mark date strings with YYYY, YY, NONYEAR, ... • Better user interface – (Demo later) • Found known bug in CVS 1.9 – Took only a few hours of work Jeff Foster, OSQ Retreat, May 21-23 2002 8 Problems with CQual Version 1 • Bad error messages in parser • Too slow, used too much memory • Written in ML – – – – No tools available (debugger, profiler, etc) Hard to control memory usage, performance |{know ML}| is small |{know ML} {care about C}| very small Jeff Foster, OSQ Retreat, May 21-23 2002 9 CQual Version 2: Rewrite to C • Use David Gay's parser – Extracted/modified from gcc – Very compatible – Very good error messages • Custom constraint solver – Solves atomic subtyping constraints – Dropped polymorphic qualifier inference • But allow user-specified polymorphism Jeff Foster, OSQ Retreat, May 21-23 2002 10 Application: Format-String Vulnerabilities • Adversary-controlled format specifier name := <data-from-network> printf(name); /* Oops */ – Attacker sets name = “%s%s%s” to crash program – Attacker sets name = “...%n...” to write to memory • Lots of these bugs in the wild – New ones weekly on bugtraq mailing list – Too restrictive to forbid variable format strings Jeff Foster, OSQ Retreat, May 21-23 2002 11 Using Tainted and Untainted • Add qualifier annotations int printf(untainted char *fmt, ...) tainted char *getenv(const char *) tainted = may be controlled by adversary untainted = must not be controlled by adversary Jeff Foster, OSQ Retreat, May 21-23 2002 12 Demo of cqual Results: Format String Vulnerabilities • Analyzed 10 popular unix daemon programs • Annotations shared across applications – One annotated header file for standard libraries – Taint flows across type casts • Found several known vulnerabilities – Including ones we didn’t know about – CQual's user interface critical Jeff Foster, OSQ Retreat, May 21-23 2002 14 Application: Locking Lock x; lock(x); ...critical section... unlock(x); Jeff Foster, OSQ Retreat, May 21-23 2002 x : locked Lock x : unlocked Lock 15 Flow-Sensitivity • Standard type systems are flow-insensitive – Variable x has one type – And one set of qualifiers • We need flow-sensitivity – Different qualifiers for x at each program point • Enter CQual Version 3 – Support for flow-sensitive qualifiers Jeff Foster, OSQ Retreat, May 21-23 2002 16 Demo of cqual Results: Locking • Looked for simple deadlocks in Linux 2.4.9 – Double acquires/releases • Analyzed 892 files in linux/drivers individually • Analyzed 513 modules (all linked files) – 14 type errors deadlocks – ~41/892 fail to typecheck but appear correct – ~196/513 fail to typecheck • added restrict by hand to remove type errors due to aliasing for 64/196 Jeff Foster, OSQ Retreat, May 21-23 2002 18 Running Time: Locking Flow-sensitive Flow-insensitive Parsing 140 120 Time (sec) 100 80 60 40 20 0 0k 100k 200k 300k 400k 500k 600k 700k 800k Size (preprocessed lines of code) Jeff Foster, OSQ Retreat, May 21-23 2002 19 Memory Usage: Locking Flow-sensitive Flow-insensitive Parsing 1000 900 Space (Mbytes) 800 700 600 500 400 300 200 100 0 0k 100k 200k 300k 400k 500k 600k 700k 800k Size (preprocessed lines of code) Jeff Foster, OSQ Retreat, May 21-23 2002 20 Applications Published experiments: const Inference Y2K bug detection Format-string vuln. [Foster, Fahndrich, Aiken, PLDI99] [Elsman, Foster, Aiken, 1999] [Shankar, Talwar, Foster, Wagner, Usenix Sec 01] Locking, stream operations [Foster, Terauchi, Aiken, PLDI 02] Linux Security Modules [Zhang, Edwards, Jaeger, (IBM Watson) Usenix Sec 02] Other experiments: Null pointer errors User/kernel pointers Jeff Foster, OSQ Retreat, May 21-23 2002 TinyOS (Intel) File open/close 21 What's Next for CQual? • Better version of restrict • Polymorphic-recursive qualifier inference – Adapt known tech. for flow-insensitive analysis – Less clear for flow-sensitive analysis • Better alias analysis – Names vs. location abstraction Jeff Foster, OSQ Retreat, May 21-23 2002 22 Conclusion • CQual adds specifications to programs In a way that... – Programmers will accept • Lightweight – Scales to large programs – Solves many different problems • Flow-insensitive version available http://www.cs.berkeley.edu/~jfoster/cqual Jeff Foster, OSQ Retreat, May 21-23 2002 23