Static Value-Flow Analysis
Loading...
Searching...
No Matches
AEDetector.h
Go to the documentation of this file.
1//===- AEDetector.h -- Vulnerability Detectors---------------------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23
24//
25// Created on: May 1, 2025
26// Author: Xiao Cheng, Jiawei Wang, Mingxiu Wang
27//
28#pragma once
29#include <SVFIR/SVFIR.h>
30#include <AE/Core/AbstractState.h>
31#include "Util/SVFBugReport.h"
32
33namespace SVF
34{
35
36class AbstractInterpretation;
37class AbstractStateManager;
38
43class AEDetector
44{
45public:
56
60 AEDetector(): kind(UNKNOWN) {}
61
65 virtual ~AEDetector() = default;
66
72 static bool classof(const AEDetector* detector)
73 {
74 return detector->getKind() == AEDetector::UNKNOWN;
75 }
76
82 virtual void detect(const ICFGNode* node) = 0;
83
88 virtual void handleStubFunctions(const CallICFGNode* call) = 0;
89
93 virtual void reportBug() = 0;
94
99 DetectorKind getKind() const
100 {
101 return kind;
102 }
103
104protected:
105 DetectorKind kind;
106};
107
112class AEException : public std::exception
113{
114public:
119 AEException(const std::string& message)
120 : msg_(message) {}
121
126 virtual const char* what() const throw()
127 {
128 return msg_.c_str();
129 }
130
131private:
132 std::string msg_;
133};
134
139class BufOverflowDetector : public AEDetector
140{
141 friend class AbstractInterpretation;
142public:
151
155 ~BufOverflowDetector() = default;
156
162 static bool classof(const AEDetector* detector)
163 {
164 return detector->getKind() == AEDetector::BUF_OVERFLOW;
165 }
166
174 void updateGepObjOffsetFromBase(const ICFGNode* node,
175 AddressValue gepAddrs,
176 AddressValue objAddrs,
177 IntervalValue offset);
178
184 void detect(const ICFGNode*) override;
185
186
191 void handleStubFunctions(const CallICFGNode*) override;
192
202
208 bool hasGepObjOffsetFromBase(const GepObjVar* obj) const
209 {
210 return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
211 }
212
218 IntervalValue getGepObjOffsetFromBase(const GepObjVar* obj) const
219 {
220 if (hasGepObjOffsetFromBase(obj))
221 return gepObjOffsetFromBase.at(obj);
222 else
223 {
224 assert(false && "GepObjVar not found in gepObjOffsetFromBase");
225 abort();
226 }
227 }
228
236 IntervalValue getAccessOffset(NodeID objId, const GepStmt* gep);
237
243 void addBugToReporter(const AEException& e, const ICFGNode* node)
244 {
245
246 GenericBug::EventStack eventStack;
247 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
248 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
249
250 if (eventStack.empty())
251 {
252 return; // If the event stack is empty, return early
253 }
254
255 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
256
257 // Check if the bug at this location has already been reported
258 if (bugLoc.find(loc) != bugLoc.end())
259 {
260 return; // If the bug location is already reported, return early
261 }
262 else
263 {
264 bugLoc.insert(loc); // Otherwise, mark this location as reported
265 }
266
267 // Add the bug to the recorder with details from the event stack
268 recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
269 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
270 }
271
275 void reportBug() override
276 {
277 if (!nodeToBugInfo.empty())
278 {
279 std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
280 + " found)######################\n";
281 std::cerr << "---------------------------------------------\n";
282 for (const auto& it : nodeToBugInfo)
283 {
284 std::cerr << it.second << "\n---------------------------------------------\n";
285 }
286 }
287 }
288
292 void initExtAPIBufOverflowCheckRules();
293
299 void detectExtAPI(const CallICFGNode *call);
300
308 bool canSafelyAccessMemory(const ValVar *value, const IntervalValue &len, const ICFGNode* node);
309
310private:
316 bool detectStrcat(const CallICFGNode *call);
317
323 bool detectStrcpy(const CallICFGNode *call);
324
325private:
326 Map<const GepObjVar*, IntervalValue> gepObjOffsetFromBase;
327 Map<std::string, std::vector<std::pair<u32_t, u32_t>>> extAPIBufOverflowCheckRules;
328 Set<std::string> bugLoc;
329 SVFBugReport recoder;
330 Map<const ICFGNode*, std::string> nodeToBugInfo;
331};
332class NullptrDerefDetector : public AEDetector
333{
334 friend class AbstractInterpretation;
335public:
340
341 ~NullptrDerefDetector() = default;
342
343 static bool classof(const AEDetector* detector)
344 {
345 return detector->getKind() == AEDetector::NULL_DEREF;
346 }
347
353 void detect(const ICFGNode* node) override;
354
359 void handleStubFunctions(const CallICFGNode* call) override;
360
366 bool isUninit(AbstractValue v)
367 {
368 // uninitialized value has neither interval value nor address value
369 bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();
370 return is;
371 }
372
378 void addBugToReporter(const AEException& e, const ICFGNode* node)
379 {
380 GenericBug::EventStack eventStack;
381 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
382 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
383
384 if (eventStack.empty())
385 {
386 return; // If the event stack is empty, return early
387 }
388 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
389
390 // Check if the bug at this location has already been reported
391 if (bugLoc.find(loc) != bugLoc.end())
392 {
393 return; // If the bug location is already reported, return early
394 }
395 else
396 {
397 bugLoc.insert(loc); // Otherwise, mark this location as reported
398 }
399 recoder.addAbsExecBug(GenericBug::FULLNULLPTRDEREFERENCE, eventStack, 0, 0, 0, 0);
400 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
401 }
402
406 void reportBug() override
407 {
408 if (!nodeToBugInfo.empty())
409 {
410 std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
411 + " found)######################\n";
412 std::cerr << "---------------------------------------------\n";
413 for (const auto& it : nodeToBugInfo)
414 {
415 std::cerr << it.second << "\n---------------------------------------------\n";
416 }
417 }
418 }
419
425 void detectExtAPI(const CallICFGNode* call);
426
427
433 bool isNull(AbstractValue v)
434 {
435 return !v.isAddr() && !v.isInterval();
436 }
437
438 bool canSafelyDerefPtr(const ValVar* ptr, const ICFGNode* node);
439
440private:
441 Set<std::string> bugLoc;
442 SVFBugReport recoder;
443 Map<const ICFGNode*, std::string> nodeToBugInfo;
444};
445}
offset
buffer offset
Definition cJSON.cpp:1113
SVF::AEDetector
Base class for all detectors.
Definition AEDetector.h:44
SVF::AEDetector::classof
static bool classof(const AEDetector *detector)
Check if the detector is of the UNKNOWN kind.
Definition AEDetector.h:72
SVF::AEDetector::DetectorKind
DetectorKind
Enumerates the types of detectors available.
Definition AEDetector.h:51
SVF::AEDetector::NULL_DEREF
@ NULL_DEREF
Detector for nullptr dereference issues.
Definition AEDetector.h:53
SVF::AEDetector::UNKNOWN
@ UNKNOWN
Default type if the kind is not specified.
Definition AEDetector.h:54
SVF::AEDetector::BUF_OVERFLOW
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:52
SVF::AEDetector::handleStubFunctions
virtual void handleStubFunctions(const CallICFGNode *call)=0
Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS)
SVF::AEDetector::kind
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:105
SVF::AEDetector::reportBug
virtual void reportBug()=0
Pure virtual function to report detected bugs.
SVF::AEDetector::AEDetector
AEDetector()
Constructor initializes the detector kind to UNKNOWN.
Definition AEDetector.h:60
SVF::AEDetector::~AEDetector
virtual ~AEDetector()=default
Virtual destructor for safe polymorphic use.
SVF::AEDetector::detect
virtual void detect(const ICFGNode *node)=0
Pure virtual function for detecting issues within a node.
SVF::AEDetector::getKind
DetectorKind getKind() const
Get the kind of the detector.
Definition AEDetector.h:99
SVF::AEException
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:113
SVF::AEException::what
virtual const char * what() const
Provides the error message.
Definition AEDetector.h:126
SVF::AEException::AEException
AEException(const std::string &message)
Constructor initializes the exception with a message.
Definition AEDetector.h:119
SVF::AEException::msg_
std::string msg_
The error message.
Definition AEDetector.h:132
SVF::AbstractInterpretation
AbstractInterpretation is same as Abstract Execution.
Definition AbstractInterpretation.h:55
SVF::BufOverflowDetector
Detector for identifying buffer overflow issues.
Definition AEDetector.h:140
SVF::BufOverflowDetector::addToGepObjOffsetFromBase
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:198
SVF::BufOverflowDetector::detect
void detect(const ICFGNode *) override
Detect buffer overflow issues within a node.
Definition AEDetector.cpp:45
SVF::BufOverflowDetector::reportBug
void reportBug() override
Reports all detected buffer overflow bugs.
Definition AEDetector.h:275
SVF::BufOverflowDetector::~BufOverflowDetector
~BufOverflowDetector()=default
Destructor.
SVF::BufOverflowDetector::gepObjOffsetFromBase
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:326
SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:327
SVF::BufOverflowDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:329
SVF::BufOverflowDetector::getAccessOffset
IntervalValue getAccessOffset(NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
Definition AEDetector.cpp:305
SVF::BufOverflowDetector::updateGepObjOffsetFromBase
void updateGepObjOffsetFromBase(const ICFGNode *node, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
Definition AEDetector.cpp:336
SVF::BufOverflowDetector::detectExtAPI
void detectExtAPI(const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:212
SVF::BufOverflowDetector::BufOverflowDetector
BufOverflowDetector()
Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow ru...
Definition AEDetector.h:146
SVF::BufOverflowDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:328
SVF::BufOverflowDetector::canSafelyAccessMemory
bool canSafelyAccessMemory(const ValVar *value, const IntervalValue &len, const ICFGNode *node)
Checks if memory can be safely accessed.
Definition AEDetector.cpp:460
SVF::BufOverflowDetector::getGepObjOffsetFromBase
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:218
SVF::BufOverflowDetector::classof
static bool classof(const AEDetector *detector)
Check if the detector is of the BUF_OVERFLOW kind.
Definition AEDetector.h:162
SVF::BufOverflowDetector::detectStrcpy
bool detectStrcpy(const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
Definition AEDetector.cpp:409
SVF::BufOverflowDetector::handleStubFunctions
void handleStubFunctions(const CallICFGNode *) override
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:116
SVF::BufOverflowDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:330
SVF::BufOverflowDetector::hasGepObjOffsetFromBase
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:208
SVF::BufOverflowDetector::initExtAPIBufOverflowCheckRules
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
Definition AEDetector.cpp:179
SVF::BufOverflowDetector::detectStrcat
bool detectStrcat(const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Definition AEDetector.cpp:418
SVF::BufOverflowDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:243
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::NullptrDerefDetector::canSafelyDerefPtr
bool canSafelyDerefPtr(const ValVar *ptr, const ICFGNode *node)
Definition AEDetector.cpp:666
SVF::NullptrDerefDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:441
SVF::NullptrDerefDetector::isNull
bool isNull(AbstractValue v)
Check if an Abstract Value is NULL (or uninitialized).
Definition AEDetector.h:433
SVF::NullptrDerefDetector::isUninit
bool isUninit(AbstractValue v)
Checks if an Abstract Value is uninitialized.
Definition AEDetector.h:366
SVF::NullptrDerefDetector::handleStubFunctions
void handleStubFunctions(const CallICFGNode *call) override
Handles external API calls related to nullptr dereferences.
Definition AEDetector.cpp:557
SVF::NullptrDerefDetector::detect
void detect(const ICFGNode *node) override
Detects nullptr dereferences issues within a node.
Definition AEDetector.cpp:514
SVF::NullptrDerefDetector::classof
static bool classof(const AEDetector *detector)
Definition AEDetector.h:343
SVF::NullptrDerefDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:378
SVF::NullptrDerefDetector::reportBug
void reportBug() override
Reports all detected nullptr dereference bugs.
Definition AEDetector.h:406
SVF::NullptrDerefDetector::detectExtAPI
void detectExtAPI(const CallICFGNode *call)
Handle external API calls related to nullptr dereferences.
Definition AEDetector.cpp:607
SVF::NullptrDerefDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:442
SVF::NullptrDerefDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:443
SVF::SVFBugReport::addAbsExecBug
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
SVF
for isBitcode
Definition BasicTypes.h:70
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:76
Generated by doxygen 1.9.8