clang static analyzer

From:
Athos Ribeiro
Date:
2014-01-03 @ 20:06
Hello guys,

We are not sure if you are aware of it, but Kanashiro and I are working
on adding clang static analyzer (scan-build) to our extractors so we can
get metrics on security as well.

We want your opinion on how we should proceed:

Shall we add all the metrics it provides at once (below are the metrics
we can get from it)?
	-Called function pointer is an uninitalized pointer value
	-Branch condition evaluates to a garbage value
	-Return of address to stack-allocated memory
	-Stack address stored into global variable
	-Result of operation is garbage or undefined
	-Assigned value is garbage or undefined
	-The left expression of the compound assignment is an uninitialized
value. The computed value will also be garbage
	-Illegal whence argument
	-NULL stream pointer
	-Double fclose
	-Resource Leak
	-Uninitialized value used as mutex for @synchronized
	-Nil value used as mutex for @synchronized() (no synchronization will
occur)
	-Returning null reference
	-Garbage return value
	-Dangerous pointer arithmetic
	-Use fixed address
	-Pointer subtraction
	-Out-of-bound array access
	-Cast region with wrong size.
	-Cast from non-struct type to struct type
	-Division by zero
	-Array subscript is undefined
	-Return of pointer value outside of expected range
	-Branch condition evaluates to a garbage value
	-Dereference of undefined pointer value
	-Dereference of null pointer
	-Assignment of a non-Boolean value
	-Break out of jail
	-uninitialized variable captured by block
	-Out-of-bound access
	-Dangerous variable-length array (VLA) declaration
	-Sum of expressions causes overflow

How should it work in the command line, should it run with doxyparse for
C/C++ projects or with some specific flag?

-- 
Athos Ribeiro
athoscribeiro@gmail.com
+55 61 8446-0606

Re: [analizo] clang static analyzer

From:
Antonio Terceiro
Date:
2014-01-06 @ 14:21
On Fri, Jan 03, 2014 at 06:06:24PM -0200, Athos Ribeiro wrote:
> Hello guys,
> 
> We are not sure if you are aware of it, but Kanashiro and I are working
> on adding clang static analyzer (scan-build) to our extractors so we can
> get metrics on security as well.
> 
> We want your opinion on how we should proceed:
> 
> Shall we add all the metrics it provides at once (below are the metrics
> we can get from it)?
> 	-Called function pointer is an uninitalized pointer value
> 	-Branch condition evaluates to a garbage value
> 	-Return of address to stack-allocated memory
> 	-Stack address stored into global variable
> 	-Result of operation is garbage or undefined
> 	-Assigned value is garbage or undefined
> 	-The left expression of the compound assignment is an uninitialized
> value. The computed value will also be garbage
> 	-Illegal whence argument
> 	-NULL stream pointer
> 	-Double fclose
> 	-Resource Leak
> 	-Uninitialized value used as mutex for @synchronized
> 	-Nil value used as mutex for @synchronized() (no synchronization will
> occur)
> 	-Returning null reference
> 	-Garbage return value
> 	-Dangerous pointer arithmetic
> 	-Use fixed address
> 	-Pointer subtraction
> 	-Out-of-bound array access
> 	-Cast region with wrong size.
> 	-Cast from non-struct type to struct type
> 	-Division by zero
> 	-Array subscript is undefined
> 	-Return of pointer value outside of expected range
> 	-Branch condition evaluates to a garbage value
> 	-Dereference of undefined pointer value
> 	-Dereference of null pointer
> 	-Assignment of a non-Boolean value
> 	-Break out of jail
> 	-uninitialized variable captured by block
> 	-Out-of-bound access
> 	-Dangerous variable-length array (VLA) declaration
> 	-Sum of expressions causes overflow

These are not metrics ... the metrics you will be adding are the number
of these security problems by module, or something like that?

> How should it work in the command line, should it run with doxyparse for
> C/C++ projects or with some specific flag?

Here I agree with Paulo

-- 
Antonio Terceiro <terceiro@softwarelivre.org>
http://softwarelivre.org/terceiro

Re: [analizo] clang static analyzer

From:
Athos Ribeiro
Date:
2014-01-06 @ 19:13
Em Seg, 2014-01-06 às 11:21 -0300, Antonio Terceiro escreveu:
> On Fri, Jan 03, 2014 at 06:06:24PM -0200, Athos Ribeiro wrote: 
> > Shall we add all the metrics it provides at once (below are the metrics
> > we can get from it)?
> > 	-Called function pointer is an uninitalized pointer value
> > 	-Branch condition evaluates to a garbage value
> > 	-Return of address to stack-allocated memory
> > 	-Stack address stored into global variable
> > 	-Result of operation is garbage or undefined
> > 	-Assigned value is garbage or undefined
> > 	-The left expression of the compound assignment is an uninitialized
> > value. The computed value will also be garbage
> > 	-Illegal whence argument
> > 	-NULL stream pointer
> > 	-Double fclose
> > 	-Resource Leak
> > 	-Uninitialized value used as mutex for @synchronized
> > 	-Nil value used as mutex for @synchronized() (no synchronization will
> > occur)
> > 	-Returning null reference
> > 	-Garbage return value
> > 	-Dangerous pointer arithmetic
> > 	-Use fixed address
> > 	-Pointer subtraction
> > 	-Out-of-bound array access
> > 	-Cast region with wrong size.
> > 	-Cast from non-struct type to struct type
> > 	-Division by zero
> > 	-Array subscript is undefined
> > 	-Return of pointer value outside of expected range
> > 	-Branch condition evaluates to a garbage value
> > 	-Dereference of undefined pointer value
> > 	-Dereference of null pointer
> > 	-Assignment of a non-Boolean value
> > 	-Break out of jail
> > 	-uninitialized variable captured by block
> > 	-Out-of-bound access
> > 	-Dangerous variable-length array (VLA) declaration
> > 	-Sum of expressions causes overflow
> 
> These are not metrics ... the metrics you will be adding is the number
> of these security problems by module, or something like that?

Yes, sorry, I just copied clang strings here! The metrics would be
something like "Divisions by zero: Q", "Fixed address usage: Q"... where
Q is the number of occurrences. How about that?

> > How should it work in the command line, should it run with doxyparse for
> > C/C++ projects or with some specific flag?
> 
> Here I agree with Paulo
Ok!

@Paulo:
So we filter these metrics according to the NIST list instead of using
them all, is that what you meant?

-- 
Athos Ribeiro
athoscribeiro@gmail.com
+55 61 8446-0606

Re: [analizo] clang static analyzer

From:
Paulo Meirelles
Date:
2014-01-08 @ 00:18
2014/1/6 Athos Ribeiro <athoscribeiro@gmail.com>

> Em Seg, 2014-01-06 às 11:21 -0300, Antonio Terceiro escreveu:
> > On Fri, Jan 03, 2014 at 06:06:24PM -0200, Athos Ribeiro wrote:
> > > Shall we add all the metrics it provides at once (below are the metrics
> > > we can get from it)?
> > >     -Called function pointer is an uninitalized pointer value
> > >     -Branch condition evaluates to a garbage value
> > >     -Return of address to stack-allocated memory
> > >     -Stack address stored into global variable
> > >     -Result of operation is garbage or undefined
> > >     -Assigned value is garbage or undefined
> > >     -The left expression of the compound assignment is an uninitialized
> > > value. The computed value will also be garbage
> > >     -Illegal whence argument
> > >     -NULL stream pointer
> > >     -Double fclose
> > >     -Resource Leak
> > >     -Uninitialized value used as mutex for @synchronized
> > >     -Nil value used as mutex for @synchronized() (no synchronization
> will
> > > occur)
> > >     -Returning null reference
> > >     -Garbage return value
> > >     -Dangerous pointer arithmetic
> > >     -Use fixed address
> > >     -Pointer subtraction
> > >     -Out-of-bound array access
> > >     -Cast region with wrong size.
> > >     -Cast from non-struct type to struct type
> > >     -Division by zero
> > >     -Array subscript is undefined
> > >     -Return of pointer value outside of expected range
> > >     -Branch condition evaluates to a garbage value
> > >     -Dereference of undefined pointer value
> > >     -Dereference of null pointer
> > >     -Assignment of a non-Boolean value
> > >     -Break out of jail
> > >     -uninitialized variable captured by block
> > >     -Out-of-bound access
> > >     -Dangerous variable-length array (VLA) declaration
> > >     -Sum of expressions causes overflow
> >
> > These are not metrics ... the metrics you will be adding is the number
> > of these security problems by module, or something like that?
>
> Yes, sorry, I just copied clang strings here! The metrics would be
> something like "Divisions by zero: Q", "Fixed address usage: Q"... Where
> Q is the number of occurrences How about that?
>

All right... don't worry ;)

Terceiro and Joenio, what do you think, guys?


> > > How should it work in the command line, should it run with doxyparse
> for
> > > C/C++ projects or with some specific flag?
> >
> > Here I agree with Paulo
> Ok!
>
> @Paulo:
> We are filtering these metrics according to the NIST list then instead
> of using them all, is that what you meant?
>

Yes, that's it \o/

thanks,
-- 
Paulo Meirelles
FGA-UnB (http://fga.unb.br)
CCSL-IME/USP (http://ccsl.ime.usp.br)

Re: [analizo] clang static analyzer

From:
Antonio Terceiro
Date:
2014-01-08 @ 12:14
On Tue, Jan 07, 2014 at 10:18:53PM -0200, Paulo Meirelles wrote:
> 2014/1/6 Athos Ribeiro <athoscribeiro@gmail.com>
> 
> > Em Seg, 2014-01-06 às 11:21 -0300, Antonio Terceiro escreveu:
> > > On Fri, Jan 03, 2014 at 06:06:24PM -0200, Athos Ribeiro wrote:
> > > > Shall we add all the metrics it provides at once (below are the metrics
> > > > we can get from it)?
> > > >     -Called function pointer is an uninitalized pointer value
> > > >     -Branch condition evaluates to a garbage value
> > > >     -Return of address to stack-allocated memory
> > > >     -Stack address stored into global variable
> > > >     -Result of operation is garbage or undefined
> > > >     -Assigned value is garbage or undefined
> > > >     -The left expression of the compound assignment is an uninitialized
> > > > value. The computed value will also be garbage
> > > >     -Illegal whence argument
> > > >     -NULL stream pointer
> > > >     -Double fclose
> > > >     -Resource Leak
> > > >     -Uninitialized value used as mutex for @synchronized
> > > >     -Nil value used as mutex for @synchronized() (no synchronization
> > will
> > > > occur)
> > > >     -Returning null reference
> > > >     -Garbage return value
> > > >     -Dangerous pointer arithmetic
> > > >     -Use fixed address
> > > >     -Pointer subtraction
> > > >     -Out-of-bound array access
> > > >     -Cast region with wrong size.
> > > >     -Cast from non-struct type to struct type
> > > >     -Division by zero
> > > >     -Array subscript is undefined
> > > >     -Return of pointer value outside of expected range
> > > >     -Branch condition evaluates to a garbage value
> > > >     -Dereference of undefined pointer value
> > > >     -Dereference of null pointer
> > > >     -Assignment of a non-Boolean value
> > > >     -Break out of jail
> > > >     -uninitialized variable captured by block
> > > >     -Out-of-bound access
> > > >     -Dangerous variable-length array (VLA) declaration
> > > >     -Sum of expressions causes overflow
> > >
> > > These are not metrics ... the metrics you will be adding is the number
> > > of these security problems by module, or something like that?
> >
> > Yes, sorry, I just copied clang strings here! The metrics would be
> > something like "Divisions by zero: Q", "Fixed address usage: Q"... Where
> > Q is the number of occurrences How about that?
> >
> 
> All right... don't worry ;)
> 
> Terceiro and Joenio, what you think guys?

Well, his original answer is OK, i.e. the metrics are the count of those
security flaws by module, which makes sense.

-- 
Antonio Terceiro <terceiro@softwarelivre.org>
http://softwarelivre.org/terceiro
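The metric shape agreed on above (a per-module count of each selected analyzer bug type, e.g. "Divisions by zero: Q") can be computed from the diagnostics the analyzer prints. The following is an added example, not Analizo code and not part of the thread; it is written in Python rather than Analizo's Perl so it can be run on its own. It assumes the `<file>:<line>:<col>: warning: <message> [<checker>]` line format that `clang --analyze` (which scan-build drives) writes to stderr, that a C module is the source file name without extension, and that the `METRICS` table is an illustrative subset of the clang strings listed in the thread rather than the actual NIST-filtered list. The sample stderr is constructed.

```python
"""Count clang static analyzer findings per module, the way the thread proposes
("Divisions by zero: Q", "Fixed address usage: Q" per module).

Added example, not Analizo code: it parses the text diagnostics that
`clang --analyze` prints on stderr (scan-build drives clang this way and
passes them through), filters them to the bug types chosen as metrics, and
returns {module: {metric_name: count}}.
"""
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Diagnostic line shape: "<file>:<line>:<col>: warning: <message> [<checker>]".
# The trailing "[checker]" suffix only appears in newer clang releases, so it is optional.
DIAG_RE = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+):(?P<col>\d+): warning: "
    r"(?P<message>.*?)(?: \[(?P<checker>[\w.-]+)\])?$"
)

# Clang message prefix -> metric name. Assumption: an illustrative subset of the
# strings listed in the thread, standing in for whatever filtered (NIST) list is chosen.
METRICS = {
    "Division by zero": "divisions_by_zero",
    "Dereference of null pointer": "null_dereferences",
    "Use fixed address": "fixed_address_usage",
    "Out-of-bound array access": "out_of_bound_accesses",
    "Return of address to stack-allocated memory": "stack_address_escapes",
    "Double fclose": "double_fclose",
}


def module_of(path):
    """Module name for a source path. Assumption: for C code a module is the
    file name without extension (src/parser.c -> parser)."""
    return PurePosixPath(path).stem


def parse_diagnostics(text):
    """Yield (module, metric) once per distinct finding that maps to a metric.

    A header analysed from several translation units produces the same
    warning several times, so findings are de-duplicated on
    (file, line, column, message) before they are counted.
    """
    seen = set()
    for raw in text.splitlines():
        m = DIAG_RE.match(raw.strip())
        if not m:
            continue  # source echo, caret lines, "N warnings generated." etc.
        key = (m["file"], m["line"], m["col"], m["message"])
        if key in seen:
            continue
        seen.add(key)
        # Messages often carry a detail suffix, e.g. "Division by zero (loaded from
        # variable 'd')", so match on the fixed leading phrase only.
        for phrase, metric in METRICS.items():
            if m["message"].startswith(phrase):
                yield module_of(m["file"]), metric
                break


def count_by_module(text):
    """Return {module: {metric: count}} with every chosen metric present (zeros
    included), so downstream consumers get a stable set of keys."""
    counts = defaultdict(lambda: defaultdict(int))
    for module, metric in parse_diagnostics(text):
        counts[module][metric] += 1
    return {
        module: {metric: per_module.get(metric, 0) for metric in METRICS.values()}
        for module, per_module in counts.items()
    }


# Constructed sample of analyzer stderr (not real project output). util.c:17 is
# reported twice to exercise de-duplication; the dead-store line is not a metric.
SAMPLE_STDERR = """\
src/parser.c:42:12: warning: Division by zero [core.DivideZero]
    return total / count;
                 ^
src/parser.c:88:5: warning: Dereference of null pointer (loaded from variable 'buf') [core.NullDereference]
src/util.c:17:3: warning: Use fixed address is not portable [alpha.core.FixedAddr]
src/util.c:17:3: warning: Use fixed address is not portable [alpha.core.FixedAddr]
src/util.c:60:10: warning: Out-of-bound array access (accessed memory precedes memory block) [alpha.security.ArrayBound]
src/util.c:75:10: warning: Value stored to 'x' is never read [deadcode.DeadStores]
5 warnings generated.
"""

if __name__ == "__main__":
    for module, metrics in sorted(count_by_module(SAMPLE_STDERR).items()):
        for metric, n in metrics.items():
            print(f"{module}\t{metric}\t{n}")
```

Feed it the captured stderr of a scan-build run (for example `scan-build make 2> analyzer.log`) or of `clang --analyze` on single files. For a real extractor, scan-build's `-plist` output is a more stable input than the text diagnostics, whose wording changes between clang releases; the de-duplication step matters either way, since headers included from several translation units are reported once per unit.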

Re: [analizo] clang static analyzer

From:
Paulo Meirelles
Date:
2014-01-04 @ 00:24
2014/1/3 Athos Ribeiro <athoscribeiro@gmail.com>

> Hello guys,
>
> We are not sure if you are aware of it, but Kanashiro and I are working
> on adding clang static analyzer (scan-build) to our extractors so we can
> get metrics on security as well.
>

Great ;)


>
> We want your opinion on how we should proceed:
>
> Shall we add all the metrics it provides at once (below are the metrics
> we can get from it)?
>

I think more (metrics) is better (for Analizo). At first, you can add
some metrics according to the NIST priority list.

What do you and Kanashiro think?



>         -Called function pointer is an uninitalized pointer value
>         -Branch condition evaluates to a garbage value
>         -Return of address to stack-allocated memory
>         -Stack address stored into global variable
>         -Result of operation is garbage or undefined
>         -Assigned value is garbage or undefined
>         -The left expression of the compound assignment is an uninitialized
> value. The computed value will also be garbage
>         -Illegal whence argument
>         -NULL stream pointer
>         -Double fclose
>         -Resource Leak
>         -Uninitialized value used as mutex for @synchronized
>         -Nil value used as mutex for @synchronized() (no synchronization
> will
> occur)
>         -Returning null reference
>         -Garbage return value
>         -Dangerous pointer arithmetic
>         -Use fixed address
>         -Pointer subtraction
>         -Out-of-bound array access
>         -Cast region with wrong size.
>         -Cast from non-struct type to struct type
>         -Division by zero
>         -Array subscript is undefined
>         -Return of pointer value outside of expected range
>         -Branch condition evaluates to a garbage value
>         -Dereference of undefined pointer value
>         -Dereference of null pointer
>         -Assignment of a non-Boolean value
>         -Break out of jail
>         -uninitialized variable captured by block
>         -Out-of-bound access
>         -Dangerous variable-length array (VLA) declaration
>         -Sum of expressions causes overflow
>
> How should it work in the command line, should it run with doxyparse for
> C/C++ projects or with some specific flag?


For now, it should work with doxyparse, the same way the doxyparse extractor
works alongside the sloccount extractor, for example. Maybe, in the future, we
can provide an option to select the extractor/parser used to collect metrics.
What is your opinion?

Also, Doxyparse is the default extractor: we can change this...

See lib/Analizo/Extractor.pm:

sub sanitize {
  my ($extractor_name) = @_;
  if ($extractor_name && $extractor_name =~ /^\w+$/) {
    return $extractor_name;
  } else {
    return 'Doxyparse';
  }
}

thanks a lot for your collaboration...
-- 
Paulo Meirelles
FGA-UnB (http://fga.unb.br)
CCSL-IME/USP (http://ccsl.ime.usp.br)