Working with Rose - Carnegie Mellon University
Contents
1. CERT | Software Engineering Institute | Carnegie Mellon

Useful ROSE Functions

- isSg*(node)
- unparseToString()
- querySubTree(SgNode* node, type)

unparseToString()

Returns a string representation of the source code associated with a node. Useful for debugging.

    const SgNode* node;  // any AST node
    cout << "Node: " << node->unparseToString() << endl;

querySubTree()

Traverses the AST that descends from node. Returns a list (a std::vector, actually) of all subnodes of the appropriate type.

    const SgNode* node;  // root of the subtree to search
    Rose_STL_Container<SgNode*> nodes =
        NodeQuery::querySubTree(const_cast<SgNode*>(node), V_SgVarRefExp);
    Rose_STL_Container<SgNode*>::iterator i;
    for (i = nodes.begin(); i != nodes.end(); ++i) {
        cout << "A SgVarRefExp: " << (*i)->unparseToString() << endl;
    }

Note that querySubTree requires a non-const SgNode* as its 1st argument.
2. Whole Syntax Tree

The AST does not contain semantic information, such as:

- Type Definitions
- Symbol Tables
- Variable Definitions

The Whole AST adds these bits of information to the AST.

Whole Syntax Tree 2

    char *strcpy(char *, char *);
    char *getenv(char *);

    int main() {
        char buff[256];
        strcpy(buff, getenv("EDITOR"));
        return 0;
    }

[Figure: whole syntax tree for this program. Besides the FunctionDeclaration, ParameterList, FunctionDefinition, BasicBlock, VariableDeclaration, ExprStatement, InitializedName, FunctionCallExpr, VariableRefExpr, ExprListExpr and StringValue nodes, it shows the FunctionTypeTable with the FunctionTypeSymbol and FunctionSymbol entries for main, getenv and strcpy, and their ParameterTypeList nodes.]
3. [Screenshot, continued: collaboration diagram for SgIfStmt, with SgLabelRefExp and SgSymbolTable nodes.]

Programmer's Reference 3

[Screenshot: the SgIfStmt class reference in a browser, listing the access functions set_conditional(SgStatement* conditional), get_true_body() const, set_true_body(SgBasicBlock* true_body), get_false_body() const and set_false_body(SgBasicBlock* false_body) for the members p_conditional, p_true_body and p_false_body.]
4. [Screenshot, continued: the ROSE class list in a browser, open at the SgIfStmt Class Reference. The inheritance diagram for SgIfStmt reads SgLocatedNode, SgStatement, SgScopeStatement, SgIfStmt, followed by the collaboration diagram for SgIfStmt.]

Programmer's Reference 2

[Screenshot: collaboration diagram for SgIfStmt, with members including p_symbol_table, p_end_numeric_label, p_conditional and p_true_body.]
5. start VM Player.

Rosebud 3

In VMPlayer, select "Open an Existing Virtual Machine". When it prompts you for a virtual machine (VM) to open, go to the rosebud directory and select rosebud.vmx. This boots up the Rosebud virtual machine. After a few seconds, a login prompt will appear. Enter:

- username: rose
- password: roserose

The system will then re-prompt you for the password; re-enter it. The system will then give you a command-line prompt (a single character). Type:

    startx <RETURN>

This will bring up the GUI.

Rosebud 4

After the desktop turns blue, right-click on the desktop. This brings up the program menu. You should now be able to build and test the rules; you can do this with these commands in a terminal:

    cd src/rosecheckers
    make tests

ROSE Setup on Andrew

Your environment should contain the following:

    setenv ROSE /afs/andrew/usr/svoboda/public/rose
    setenv LD_LIBRARY_PATH $ROSE/lib:$LD_LIBRARY_PATH
    setenv PATH $ROSE/bin:$PATH

Check out the Rosecheckers project from SourceForge:

    svn checkout https://anonymous@rosecheckers.svn.sourceforge.net/svnroot/rosecheckers/trunk/rosecheckers

You should now be able to build and test the rules.

ROSE Homepage

[Screenshot: browser window.]
6. [Fragment of a "Current Status" slide. Design steps shown: 3. the variable's type is a fixed-length array AND 4. 2nd argument's type is NOT a fixed-length array. Code shown:]

    0));
    if (ref == NULL)
    // ??? At this point ref refers to the 1st arg of strcpy, and it is a variable

Current Status

Traverse AST. For each strcpy() function call:

1. Get both arguments to strcpy(). If
2. 1st argument is a variable AND
3. the variable's type is a fixed-length array AND
4. 2nd argument's type is NOT a fixed-length array

Report a violation of STR31-C.

    bool STR31_C(const SgNode *node) {
        if (!isCallOfFunctionNamed(node, "strcpy"))
            return false;
        const SgVarRefExp* ref =
            isSgVarRefExp(getFnArg(isSgFunctionRefExp(node), 0));
        if (ref == NULL)
            return false;
        if (!Type(getRefDecl(ref)->get_type()).isArray())
            return false;
        // ???
    }

Current Status

    const SgVarRefExp* ref =
        isSgVarRefExp(getFnArg(isSgFunctionRefExp(node), 0));
    if (ref == NULL)
        return false;
    if (!Type(getRefDecl(ref)->get_type()).isArray())
        return false;
    if (Type(getFnArg(isSgFunctionRefExp(node), 1)->get_type()).isArray())
        return false;

Traverse AST. For each strcpy() function call:

1. Get both arguments to strcpy(). If
2. 1st argument is a variable AND
3. the variable's type is a fixed-length array AND
4. 2nd argument's type is NOT a fixed-length array

Re
7. Attributes

The command

    cpp2pdf foo.c

produces a PDF, foo.c.pdf, that contains the source code AST and also shows each class's attributes. On rosebud, the xpdf program can be used to view PDFs:

    xpdf foo.c.pdf

AST Attributes (cont.)

[Screenshot: PDF viewer showing the AST as an outline (SgFile, SgGlobal, SgFunctionDeclaration, SgFunctionParameterList, SgFunctionDefinition, SgBasicBlock, SgVariableDeclaration, SgInitializedName, SgExprStatement, SgFunctionCallExp, SgFunctionRefExp, SgExprListExp) beside the selected node's attributes, such as p_parent, p_isModified, p_freepointer, p_startOfConstruct, p_endOfConstruct, p_attributeMechanism, p_need_paren, p_lvalue, p_symbol and p_function_type.]
8. [Screenshot, continued: the ROSE homepage in a browser, with links to Home, User Manual (pdf), Tutorial (pdf), Publications, Download Software and the Privacy & Legal Notice. The visible page text reads:]

ROSE is a project to define a new type of compiler technology which allows compilation techniques to address the optimization of user-defined abstractions. Due to the nature of the solution we provide, it is also an open compiler infrastructure that can be used for a wide number of other purposes. The software developed to support ROSE research work provides an open, general purpose, and robust compiler infrastructure to support numerous tools and external collaborations in C, C++ and F90.

User-defined abstractions are built from within an existing base language and carry specific semantic information which can't be communicated to the base language's compiler. In many situations the semantic information could be useful within program

ROSE Documentation

- User Manual: Full documentation for the Rose features and techniques
- Tutorial: Guide to installing ROSE and some of its utilities
- Programmer's Reference: Web-based documentation for each class and method in ROSE

Programmer's Reference 1

[Screenshot: browser window.]
9. ROSE Checker Skeleton

    #include "rose.h"
    #include "utilities.h"

    // ensure sufficient storage for strings
    bool STR31_C(const SgNode *node) {
        // ???
    }

    bool STR(const SgNode *node) {
        bool violation = false;
        violation |= STR31_C(node);
        return violation;
    }

This routine will be called for every node in the AST. We want it to print an error message and return true exactly once when run on our non-compliant example.

Current Status

Traverse AST. For each strcpy() function call:

1. Get both arguments to strcpy(). If
2. 1st argument is a variable AND
3. the variable's type is a fixed-length array AND
4. 2nd argument's type is NOT a fixed-length array

Report a violation of STR31-C.

    bool STR31_C(const SgNode *node) {
        // ???
    }

    bool STR(const SgNode *node) {
        bool violation = false;
        violation |= STR31_C(node);
        return violation;
    }

Utility Functions (from utilities.h)

    // Returns non-NULL if node is a call of function with given name
    const SgFunctionSymbol *isCallOfFunctionNamed(const SgNode *node,
                                                  const std::string &name);

    // Returns reference to ith argument of function reference.
    // Dives through typecasts. Returns NULL if no such parm
    const SgExpression *getFnArg(const SgFunctionRefExp *node, int
10. arg to strcpy is a char*

    char buff[256];
    strcpy(buff, getenv("EDITOR"));
    return 0;

- getenv makes no promise about the size of the string it returns.
- 1st arg to strcpy is a local char[].

We could flag any instance of strcpy where the 1st arg is a local fixed array and the 2nd arg is a pointer.

Other Test Cases

STR31-C has many other positive and negative examples which we could include when testing our rule.

- Can we test them all?
- Will our idea of checking strcpy()'s arguments work on them?
- If not, how can we check them?

Non-Compliant Code Example (off-by-1)

    char dest[ARRAY_SIZE];
    char src[ARRAY_SIZE];
    size_t i;
    for (i = 0; src[i] && (i < sizeof(dest)); i++) {
        dest[i] = src[i];
    }
    dest[i] = '\0';

Non-Compliant Code Example (strcpy)

    int main(int argc, char *argv[]) {
        char prog_name[128];
        strcpy(prog_name, argv[0]);
    }

Compliant Code Example (strcpy_s)

    int main(int argc, char *argv[]) {
        char *prog_name;
        size_t prog_size;

        prog_size = strlen(argv[0]) + 1;
        prog_name = (char *)malloc(prog_size);
        if (prog_name != NULL) {
            if (strcpy_s(prog_name, prog
11. [Figure, continued: syntax tree nodes for the example program (VariableDeclaration, ExprStatement, ReturnStatement, InitializedName, FunctionCallExpr, VariableRefExpr, FunctionReference, ExprListExpr, StringValue).]

Source Code Syntax Tree

The commands

    cpp2ps -t foo.c foo.c.ps
    dot2ps foo.c.dot

produce a PostScript file, foo.c.dot.ps, that contains the Abstract Syntax Tree (AST) of the source code. On rosebud, the gv program can be used to view PostScript files:

    gv foo.c.dot.ps

Abstract Syntax Tree 1

    #include <string.h>
    #include <stdlib.h>

    int main() {
        char buff[256];
        strcpy(buff, getenv("EDITOR"));
        return 0;
    }

Abstract Syntax Tree 2

[Figure: AST of the program above, with the nodes SgBasicBlock, SgVariableDeclaration, SgExprStatement, SgReturnStmt, SgInitializedName, SgIntVal and SgFunctionCallExp.]

AST
12. Working with ROSE

David Svoboda

CERT | Software Engineering Institute | Carnegie Mellon

Overview

The Problem

- How to recognize Insecure Code

Techniques

- Automated Security Checking
- Static Analysis
- Abstract Syntax Tree (AST)
- ROSE

So how do we actually use ROSE?

We will build a rule checker, showing how ROSE helps us:

- ROSE Setup
- ROSE Documentation
- Background
- Design
- Examining Source Code using ROSE
- Code
- Run & Test
- Useful ROSE Functions

What is ROSE?

Developed at Lawrence Livermore National Labs (LLNL).

- Analyzes program source code
- Produces Abstract Syntax Tree (AST)
- Can then be used for static analysis

We will use ROSE to enforce secure coding rules.

http://rosecompiler.org

Rosebud

Rosebud is a Virtual Machine that is useful for working with Rose.

- Rose and the checkers are already built, no need to compile
- Cross-platform, runs as a VM
- Includes popular developer tools (Eclipse, emacs, etc.)

Rosebud 2

Download the rosebud VM from rosecheckers.sourceforge.net. You will need VMWare Player to run Rosebud. VMWare Player is freely available at downloads.vmware.com. Extract the Rosebud package and
13. [Screenshot, continued: the SgIfStmt class reference, listing get_string_label() const, set_string_label(std::string string_label), get_end_numeric_label() const, the destructor ("This is the destructor. There are a lot of things to delete, but nothing is deleted in this destructor.") and the SgIfStmt constructor taking Sg_File_Info* startOfConstruct, SgStatement* conditional = NULL, SgBasicBlock* true_body = NULL and SgBasicBlock* false]

Building a Rule Checker

We'll study rule STR31-C.

[Screenshot: the CERT Secure Coding Standards wiki page "STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator" at www.securecoding.cert.org. Added by Confluence Administrator, last edited by Robert Seacord on Dec 07, 2007.]
14. Test Cases

Before coding, we need at least one positive test case and one negative test case. These will prove to us that the code works.

The test directory contains compliant and noncompliant code examples; all compliant examples pass all the secure coding rules. The noncompliant code examples each fail a single secure coding rule.

Our first two test files will be test/c.ncce.wiki.STR.c and test/c.cce.wiki.STR.c.

Non-Compliant Code Example

    #include <string.h>
    #include <stdlib.h>

    int main() {
        char buff[256];
        strcpy(buff, getenv("EDITOR"));
        return 0;
    }

From test/c.ncce.wiki.STR.c

Compliant Code Example

    #include <string.h>
    #include <stdlib.h>

    int main() {
        char *editor;
        char *buff;

        editor = getenv("EDITOR");
        if (editor) {
            buff = (char *)malloc(strlen(editor) + 1);
            if (!buff) {
                /* handle malloc() error */
            }
            strcpy(buff, editor);
        }
        return 0;
    }

From test/c.cce.wiki.STR.c

Design Idea

    #include <string.h>
    #include <stdlib.h>

    int main

An attacker can compromise the system by setting the EDITOR environment variable to a string larger than 256 chars.

2
15. gn Conclusions

- Designing checkers helps to flesh out secure coding rules
- Be aware of false positives & false negatives
- A checker does not need to be complete to be useful
- It's OK to write more than one checker for a rule
- Don't worry about pathological cases; focus primarily on violations likely to occur in the wild

ROSE in Action

When we run our ROSE program, called diagnose, on our insecure source code, we get an error message:

    % rosecheckers test/c.ncce.wiki.STR.c
    c.ncce.wiki.STR.c:7: error: STR31-C: String copy destination must contain sufficient storage

If we run rosecheckers on a secure program, we get no output:

    % rosecheckers test/c.cce.wiki.STR.c

So our rosecheckers program acts like a compiler, or Lint.

ROSE integrated with Emacs

[Screenshot: Emacs showing the example program with the line strcpy(buff, getenv("EDITOR")) flagged, and the status line "STR31_C_getenv.c: 1 error(s), 0 warning(s) in 0.27 second(s)".]

Example Source Code

    #include <string.h>
    #include <stdlib.h>

    int main() {
        char buff[256];
        strcpy(buff, getenv("EDITOR"));

[Figure: the source code above linked to its syntax tree nodes (ParameterList, FunctionDefinition, InitializedName).]
16. i);

    void print_error(const SgNode *node, const char *rule,
                     const char *desc, bool warning = false);

Current Status

    bool STR31_C(const SgNode *node) {
        if (!isCallOfFunctionNamed(node, "strcpy"))
            return false;
        // ??? At this point node will always point to a strcpy() function call
    }

Traverse AST. For each strcpy() function call:

1. Get both arguments to strcpy(). If
2. 1st argument is a variable AND
3. the variable's type is a fixed-length array AND
4. 2nd argument's type is NOT a fixed-length array

Report a violation of STR31-C.

The isSg Family

A set of functions that are useful for typecasting a SgNode* into an appropriate node type. They return NULL if the node is the wrong type.

    const SgNode *node;  // any AST node
    const SgFunctionRefExp *sig_fn = isSgFunctionRefExp(node);
    if (sig_fn == NULL) {
        cerr << "Node is not a " << "SgFunctionRefExp!" << endl;
    }

Current Status

Traverse AST. For each strcpy() function call:

1. Get both arguments to strcpy(). If
2. 1st argument is a variable AND

    bool STR31_C(const SgNode *node) {
        if (!isCallOfFunctionNamed(node, "strcpy"))
            return false;
        const SgVarRefExp* ref =
            isSgVarRefExp(getFnArg(isSgFunctionRefExp(node),
17. [Figure, continued: whole syntax tree nodes (InitializedName, BasicBlock, UnsignedLongVal, VariableDeclaration, VariableSymbol, FunctionCallExpr, FunctionReference, ExprListExpr, VariableRefExpr, StringValue).]

Whole Syntax Tree 3

[Screenshot: the whole syntax tree in a viewer window.]

Whole Syntax Tree 4

[Figure: the whole syntax tree.]

How rosecheckers Uses ROSE

    #include "rose.h"
    #include "utilities.h"

    int main(int argc, char *argv[]) {
        // ROSE parses source code
        SgProject *project = frontend(argc, argv);
        ROSE_ASSERT(project);
        visitorTraversal exampleTraversal;
        // Traverse AST, examine each node
        exampleTraversal.traverseInputFiles(project, preorder);
        return 0;
    }

AST Node Analysis

This is called for each node in the AST:

    bool EXP(const SgNode *node) {
        bool violation = false;
        violation |= EXP01_A(node);
        violation |= EXP09_A(node);
        violation |= EXP34_C(node);
        return violation;
    }

Each routine here enforces a single CERT Secure Coding Rule, and returns true if the node indicates a violation. Similar code exists for other sections (STR, MEM, etc.).
18. port a violation of STR31-C

ROSE Checker for STR31-C

    #include "rose.h"
    #include "utilities.h"

    // Called for every node in the AST.
    // ensure sufficient storage for strings
    bool STR31_C(const SgNode *node) {
        if (!isCallOfFunctionNamed(node, "strcpy"))
            return false;
        // We have an instance of strcpy

        const SgVarRefExp* ref =
            isSgVarRefExp(getFnArg(isSgFunctionRefExp(node), 0));
        if (ref == NULL)
            return false;  // strcpy() not copying into simple var

        if (!Type(getRefDecl(ref)->get_type()).isArray())
            return false;
        // 1st arg is a local fixed array

        if (Type(getFnArg(isSgFunctionRefExp(node), 1)->get_type()).isArray())
            return false;
        // 2nd arg is a pointer, e.g. NOT an array

        print_error(node, "STR31-C",
                    "String copy destination must contain sufficient storage");
        return true;
    }

Build and Test

To rebuild rosecheckers with a new rule, type:

    make pgms

To test rosecheckers on all rules, type:

    make tests

Testing New Rule

When run on the bad example, rosecheckers produces an error message:

    % rosecheckers test/c.ncce.wiki.EXP.c
    EXP.c:5: error: EXP09-A: malloc called using something other than sizeof()

When run on the good example, rosecheckers produces nothing:

    % rosecheckers test/c.cce.wiki.EXP.c
19. size, argv[0])) {
                /* Handle strcpy_s() error */
            }
        } else {
            /* Couldn't get the memory - recover */
        }
    }

Testing Conclusions

- We can't handle the off-by-1 example with our design at all.
- Our current design will work on the strcpy() example without any modifications. We should add the strcpy() example to our test suite in test/c.ncce.wiki.STR.c.
- Our design won't work on the strcpy_s() example, but we could always extend it to recognize the arguments to strcpy_s() as well as strcpy(). We should note this as a task to be done later.

Checker Design for STR31-C

1. Traverse AST
2. For each strcpy() function call:
   - Get both arguments to strcpy(). If
   - 1st argument is a variable AND
   - the variable's type is a fixed-length array AND
   - 2nd argument's type is NOT a fixed-length array

   Report a violation of STR31-C.

Design Limitations

- Will report all cases of strcpy(char[], char*), including false positives
- Will not report any other cases of strcpy(), including false negatives
- Will not catch other string-copy functions like strncpy(), strcpy_s(), or memcpy()
- Will not catch string copying done by hand (for instance, our off-by-1 example)

Desi