AEDetector.h

Go to the documentation of this file.

//===- AEDetector.h -- Vulnerability Detectors---------------------------------//
//
//                     SVF: Static Value-Flow Analysis
//
// Copyright (C) <2013->  <Yulei Sui>
//
 
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
 
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
 
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.
//
//===----------------------------------------------------------------------===//
 
 
//
// Created by Jiawei Wang on 2024/8/20.
//
#pragma once
#include <SVFIR/SVFIR.h>
#include <AE/Core/AbstractState.h>
#include "Util/SVFBugReport.h"
 
namespace SVF
{
class AEDetector
{
public:
    enum DetectorKind
    {
        BUF_OVERFLOW,   
        UNKNOWN,    
    };
 
    AEDetector(): kind(UNKNOWN) {}
 
    virtual ~AEDetector() = default;
 
    static bool classof(const AEDetector* detector)
    {
        return detector->getKind() == AEDetector::UNKNOWN;
    }
 
    virtual void detect(AbstractState& as, const ICFGNode* node) = 0;
 
    virtual void handleStubFunctions(const CallICFGNode* call) = 0;
 
    virtual void reportBug() = 0;
 
    DetectorKind getKind() const
    {
        return kind;
    }
 
protected:
    DetectorKind kind; 
};
 
class AEException : public std::exception
{
public:
    AEException(const std::string& message)
        : msg_(message) {}
 
    virtual const char* what() const throw()
    {
        return msg_.c_str();
    }
 
private:
    std::string msg_; 
};
 
class BufOverflowDetector : public AEDetector
{
    friend class AbstractInterpretation;
public:
    BufOverflowDetector()
    {
        kind = BUF_OVERFLOW;
        initExtAPIBufOverflowCheckRules();
    }
 
    ~BufOverflowDetector() = default;
 
    static bool classof(const AEDetector* detector)
    {
        return detector->getKind() == AEDetector::BUF_OVERFLOW;
    }
 
    void updateGepObjOffsetFromBase(AddressValue gepAddrs,
                                    AddressValue objAddrs,
                                    IntervalValue offset);
 
    void detect(AbstractState& as, const ICFGNode*);
 
 
    void handleStubFunctions(const CallICFGNode*);
 
    void addToGepObjOffsetFromBase(const GepObjVar* obj, const IntervalValue& offset)
    {
        gepObjOffsetFromBase[obj] = offset;
    }
 
    bool hasGepObjOffsetFromBase(const GepObjVar* obj) const
    {
        return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
    }
 
    IntervalValue getGepObjOffsetFromBase(const GepObjVar* obj) const
    {
        if (hasGepObjOffsetFromBase(obj))
            return gepObjOffsetFromBase.at(obj);
        else
            assert(false && "GepObjVar not found in gepObjOffsetFromBase");
    }
 
    IntervalValue getAccessOffset(AbstractState& as, NodeID objId, const GepStmt* gep);
 
    void addBugToReporter(const AEException& e, const ICFGNode* node)
    {
 
        GenericBug::EventStack eventStack;
        SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
        eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
 
        if (eventStack.empty())
        {
            return; // If the event stack is empty, return early
        }
 
        std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
 
        // Check if the bug at this location has already been reported
        if (bugLoc.find(loc) != bugLoc.end())
        {
            return; // If the bug location is already reported, return early
        }
        else
        {
            bugLoc.insert(loc); // Otherwise, mark this location as reported
        }
 
        // Add the bug to the recorder with details from the event stack
        recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
        nodeToBugInfo[node] = e.what(); // Record the exception information for the node
    }
 
    void reportBug()
    {
        if (!nodeToBugInfo.empty())
        {
            std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
                      + " found)######################\n";
            std::cerr << "---------------------------------------------\n";
            for (const auto& it : nodeToBugInfo)
            {
                std::cerr << it.second << "\n---------------------------------------------\n";
            }
        }
    }
 
    void initExtAPIBufOverflowCheckRules();
 
    void detectExtAPI(AbstractState& as, const CallICFGNode *call);
 
    bool canSafelyAccessMemory(AbstractState& as, const SVFVar *value, const IntervalValue &len);
 
private:
    bool detectStrcat(AbstractState& as, const CallICFGNode *call);
 
    bool detectStrcpy(AbstractState& as, const CallICFGNode *call);
 
private:
    Map<const GepObjVar*, IntervalValue> gepObjOffsetFromBase; 
    Map<std::string, std::vector<std::pair<u32_t, u32_t>>> extAPIBufOverflowCheckRules; 
    Set<std::string> bugLoc; 
    SVFBugReport recoder; 
    Map<const ICFGNode*, std::string> nodeToBugInfo; 
};
}