SVF-doxygen/html/AEDetector_8h_source.html

//===- AEDetector.h -- Vulnerability Detectors---------------------------------//

//

//                     SVF: Static Value-Flow Analysis

//

// Copyright (C) <2013->  <Yulei Sui>

//


// This program is free software: you can redistribute it and/or modify

// it under the terms of the GNU Affero General Public License as published by

// the Free Software Foundation, either version 3 of the License, or

// (at your option) any later version.


// This program is distributed in the hope that it will be useful,

// but WITHOUT ANY WARRANTY; without even the implied warranty of

// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

// GNU Affero General Public License for more details.


// You should have received a copy of the GNU Affero General Public License

// along with this program.  If not, see <http://www.gnu.org/licenses/>.

//

//===----------------------------------------------------------------------===//


//

//  Created on: May 1, 2025

//      Author: Xiao Cheng, Jiawei Wang, Mingxiu Wang

//

#pragma once

#include <SVFIR/SVFIR.h>

#include <AE/Core/AbstractState.h>

#include "Util/SVFBugReport.h"


namespace SVF

{


class AEDetector

{

public:


    enum DetectorKind

    {

        BUF_OVERFLOW,

        NULL_DEREF,

        UNKNOWN,

    };


    AEDetector(): kind(UNKNOWN) {}


    virtual ~AEDetector() = default;


    static bool classof(const AEDetector* detector)

    {

        return detector->getKind() == AEDetector::UNKNOWN;

    }


    virtual void detect(AbstractState& as, const ICFGNode* node) = 0;


    virtual void handleStubFunctions(const CallICFGNode* call) = 0;


    virtual void reportBug() = 0;


    DetectorKind getKind() const

    {

        return kind;

    }


protected:

    DetectorKind kind;

};


class AEException : public std::exception

{

public:


    AEException(const std::string& message)

        : msg_(message) {}


    virtual const char* what() const throw()

    {

        return msg_.c_str();

    }


private:

    std::string msg_;

};


class BufOverflowDetector : public AEDetector

{

    friend class AbstractInterpretation;

public:


    BufOverflowDetector()

    {

        kind = BUF_OVERFLOW;

        initExtAPIBufOverflowCheckRules();

    }


    ~BufOverflowDetector() = default;


    static bool classof(const AEDetector* detector)

    {

        return detector->getKind() == AEDetector::BUF_OVERFLOW;

    }


    void updateGepObjOffsetFromBase(AbstractState& as,

                                    AddressValue gepAddrs,

                                    AddressValue objAddrs,

                                    IntervalValue offset);


    void detect(AbstractState& as, const ICFGNode*);


    void handleStubFunctions(const CallICFGNode*);


    void addToGepObjOffsetFromBase(const GepObjVar* obj, const IntervalValue& offset)

    {

        gepObjOffsetFromBase[obj] = offset;

    }


    bool hasGepObjOffsetFromBase(const GepObjVar* obj) const

    {

        return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();

    }


    IntervalValue getGepObjOffsetFromBase(const GepObjVar* obj) const

    {

        if (hasGepObjOffsetFromBase(obj))

            return gepObjOffsetFromBase.at(obj);

        else

        {

            assert(false && "GepObjVar not found in gepObjOffsetFromBase");

            abort();

        }

    }


    IntervalValue getAccessOffset(AbstractState& as, NodeID objId, const GepStmt* gep);


    void addBugToReporter(const AEException& e, const ICFGNode* node)

    {


        GenericBug::EventStack eventStack;

        SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);

        eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack


        if (eventStack.empty())

        {

            return; // If the event stack is empty, return early

        }


        std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack


        // Check if the bug at this location has already been reported

        if (bugLoc.find(loc) != bugLoc.end())

        {

            return; // If the bug location is already reported, return early

        }

        else

        {

            bugLoc.insert(loc); // Otherwise, mark this location as reported

        }


        // Add the bug to the recorder with details from the event stack

        recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);

        nodeToBugInfo[node] = e.what(); // Record the exception information for the node

    }


    void reportBug()

    {

        if (!nodeToBugInfo.empty())

        {

            std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())

                      + " found)######################\n";

            std::cerr << "---------------------------------------------\n";

            for (const auto& it : nodeToBugInfo)

            {

                std::cerr << it.second << "\n---------------------------------------------\n";

            }

        }

    }


    void initExtAPIBufOverflowCheckRules();


    void detectExtAPI(AbstractState& as, const CallICFGNode *call);


    bool canSafelyAccessMemory(AbstractState& as, const SVFVar *value, const IntervalValue &len);


private:

    bool detectStrcat(AbstractState& as, const CallICFGNode *call);


    bool detectStrcpy(AbstractState& as, const CallICFGNode *call);


private:

    Map<const GepObjVar*, IntervalValue> gepObjOffsetFromBase;

    Map<std::string, std::vector<std::pair<u32_t, u32_t>>> extAPIBufOverflowCheckRules;

    Set<std::string> bugLoc;

    SVFBugReport recoder;

    Map<const ICFGNode*, std::string> nodeToBugInfo;

};


class NullptrDerefDetector : public AEDetector

{

    friend class AbstractInterpretation;

public:


    NullptrDerefDetector()

    {

        kind = NULL_DEREF;

    }


    ~NullptrDerefDetector() = default;


    static bool classof(const AEDetector* detector)

    {

        return detector->getKind() == AEDetector::NULL_DEREF;

    }


    void detect(AbstractState& as, const ICFGNode* node);


    void handleStubFunctions(const CallICFGNode* call);


    bool isUninit(AbstractValue v)

    {

        // uninitialized value has neither interval value nor address value

        bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();

        return is;

    }


    void addBugToReporter(const AEException& e, const ICFGNode* node)

    {

        GenericBug::EventStack eventStack;

        SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);

        eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack


        if (eventStack.empty())

        {

            return; // If the event stack is empty, return early

        }

        std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack


        // Check if the bug at this location has already been reported

        if (bugLoc.find(loc) != bugLoc.end())

        {

            return; // If the bug location is already reported, return early

        }

        else

        {

            bugLoc.insert(loc); // Otherwise, mark this location as reported

        }

        recoder.addAbsExecBug(GenericBug::FULLNULLPTRDEREFERENCE, eventStack, 0, 0, 0, 0);

        nodeToBugInfo[node] = e.what(); // Record the exception information for the node

    }


    void reportBug()

    {

        if (!nodeToBugInfo.empty())

        {

            std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())

                      + " found)######################\n";

            std::cerr << "---------------------------------------------\n";

            for (const auto& it : nodeToBugInfo)

            {

                std::cerr << it.second << "\n---------------------------------------------\n";

            }

        }

    }


    void detectExtAPI(AbstractState& as, const CallICFGNode* call);


    bool isNull(AbstractValue v)

    {

        return !v.isAddr() && !v.isInterval();

    }


    bool canSafelyDerefPtr(AbstractState& as, const SVFVar* ptr);


private:

    Set<std::string> bugLoc;

    SVFBugReport recoder;

    Map<const ICFGNode*, std::string> nodeToBugInfo;

};


}

AbstractState.h

SVFBugReport.h

SVFIR.h

offset
buffer offset
Definition cJSON.cpp:1113

SVF::AEDetector
Base class for all detectors.
Definition AEDetector.h:40

SVF::AEDetector::classof
static bool classof(const AEDetector *detector)
Check if the detector is of the UNKNOWN kind.
Definition AEDetector.h:68

SVF::AEDetector::DetectorKind
DetectorKind
Enumerates the types of detectors available.
Definition AEDetector.h:47

SVF::AEDetector::NULL_DEREF
@ NULL_DEREF
Detector for nullptr dereference issues.
Definition AEDetector.h:49

SVF::AEDetector::UNKNOWN
@ UNKNOWN
Default type if the kind is not specified.
Definition AEDetector.h:50

SVF::AEDetector::BUF_OVERFLOW
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:48

SVF::AEDetector::handleStubFunctions
virtual void handleStubFunctions(const CallICFGNode *call)=0
Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS)

SVF::AEDetector::kind
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:101

SVF::AEDetector::reportBug
virtual void reportBug()=0
Pure virtual function to report detected bugs.

SVF::AEDetector::AEDetector
AEDetector()
Constructor initializes the detector kind to UNKNOWN.
Definition AEDetector.h:56

SVF::AEDetector::~AEDetector
virtual ~AEDetector()=default
Virtual destructor for safe polymorphic use.

SVF::AEDetector::getKind
DetectorKind getKind() const
Get the kind of the detector.
Definition AEDetector.h:95

SVF::AEDetector::detect
virtual void detect(AbstractState &as, const ICFGNode *node)=0
Pure virtual function for detecting issues within a node.

SVF::AEException
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:109

SVF::AEException::what
virtual const char * what() const
Provides the error message.
Definition AEDetector.h:122

SVF::AEException::AEException
AEException(const std::string &message)
Constructor initializes the exception with a message.
Definition AEDetector.h:115

SVF::AEException::msg_
std::string msg_
The error message.
Definition AEDetector.h:128

SVF::AbstractInterpretation
AbstractInterpretation is same as Abstract Execution.
Definition AbstractInterpretation.h:105

SVF::AbstractState
Definition AbstractState.h:59

SVF::AbstractValue
Definition AbstractValue.h:35

SVF::AddressValue
Definition AddressValue.h:48

SVF::BufOverflowDetector
Detector for identifying buffer overflow issues.
Definition AEDetector.h:136

SVF::BufOverflowDetector::getAccessOffset
IntervalValue getAccessOffset(AbstractState &as, NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
Definition AEDetector.cpp:313

SVF::BufOverflowDetector::addToGepObjOffsetFromBase
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:194

SVF::BufOverflowDetector::~BufOverflowDetector
~BufOverflowDetector()=default
Destructor.

SVF::BufOverflowDetector::gepObjOffsetFromBase
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:324

SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:325

SVF::BufOverflowDetector::detect
void detect(AbstractState &as, const ICFGNode *)
Detect buffer overflow issues within a node.
Definition AEDetector.cpp:45

SVF::BufOverflowDetector::detectStrcpy
bool detectStrcpy(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
Definition AEDetector.cpp:418

SVF::BufOverflowDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:327

SVF::BufOverflowDetector::BufOverflowDetector
BufOverflowDetector()
Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow ru...
Definition AEDetector.h:142

SVF::BufOverflowDetector::detectStrcat
bool detectStrcat(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Definition AEDetector.cpp:436

SVF::BufOverflowDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:326

SVF::BufOverflowDetector::getGepObjOffsetFromBase
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:214

SVF::BufOverflowDetector::classof
static bool classof(const AEDetector *detector)
Check if the detector is of the BUF_OVERFLOW kind.
Definition AEDetector.h:158

SVF::BufOverflowDetector::reportBug
void reportBug()
Reports all detected buffer overflow bugs.
Definition AEDetector.h:271

SVF::BufOverflowDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:328

SVF::BufOverflowDetector::handleStubFunctions
void handleStubFunctions(const CallICFGNode *)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:115

SVF::BufOverflowDetector::hasGepObjOffsetFromBase
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:204

SVF::BufOverflowDetector::canSafelyAccessMemory
bool canSafelyAccessMemory(AbstractState &as, const SVFVar *value, const IntervalValue &len)
Checks if memory can be safely accessed.
Definition AEDetector.cpp:477

SVF::BufOverflowDetector::initExtAPIBufOverflowCheckRules
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
Definition AEDetector.cpp:185

SVF::BufOverflowDetector::detectExtAPI
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:219

SVF::BufOverflowDetector::updateGepObjOffsetFromBase
void updateGepObjOffsetFromBase(AbstractState &as, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
Definition AEDetector.cpp:347

SVF::BufOverflowDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:239

SVF::CallICFGNode
Definition ICFGNode.h:417

SVF::GenericBug::FULLNULLPTRDEREFERENCE
@ FULLNULLPTRDEREFERENCE
Definition SVFBugReport.h:86

SVF::GenericBug::FULLBUFOVERFLOW
@ FULLBUFOVERFLOW
Definition SVFBugReport.h:86

SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83

SVF::GepObjVar
Definition SVFVariables.h:727

SVF::GepStmt
Definition SVFStatements.h:524

SVF::ICFGNode
Definition ICFGNode.h:55

SVF::IntervalValue
Definition IntervalValue.h:46

SVF::NullptrDerefDetector
Definition AEDetector.h:331

SVF::NullptrDerefDetector::canSafelyDerefPtr
bool canSafelyDerefPtr(AbstractState &as, const SVFVar *ptr)
Definition AEDetector.cpp:679

SVF::NullptrDerefDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:439

SVF::NullptrDerefDetector::isNull
bool isNull(AbstractValue v)
Check if an Abstract Value is NULL (or uninitialized).
Definition AEDetector.h:431

SVF::NullptrDerefDetector::isUninit
bool isUninit(AbstractValue v)
Checks if an Abstract Value is uninitialized.
Definition AEDetector.h:364

SVF::NullptrDerefDetector::detect
void detect(AbstractState &as, const ICFGNode *node)
Detects nullptr dereferences issues within a node.
Definition AEDetector.cpp:526

SVF::NullptrDerefDetector::reportBug
void reportBug()
Reports all detected nullptr dereference bugs.
Definition AEDetector.h:404

SVF::NullptrDerefDetector::classof
static bool classof(const AEDetector *detector)
Definition AEDetector.h:341

SVF::NullptrDerefDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:376

SVF::NullptrDerefDetector::handleStubFunctions
void handleStubFunctions(const CallICFGNode *call)
Handles external API calls related to nullptr dereferences.
Definition AEDetector.cpp:569

SVF::NullptrDerefDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:440

SVF::NullptrDerefDetector::detectExtAPI
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handle external API calls related to nullptr dereferences.
Definition AEDetector.cpp:620

SVF::NullptrDerefDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:441

SVF::NullptrDerefDetector::~NullptrDerefDetector
~NullptrDerefDetector()=default

SVF::NullptrDerefDetector::NullptrDerefDetector
NullptrDerefDetector()
Definition AEDetector.h:334

SVF::SVFBugEvent
Definition SVFBugReport.h:52

SVF::SVFBugEvent::SourceInst
@ SourceInst
Definition SVFBugReport.h:60

SVF::SVFBugReport
Definition SVFBugReport.h:289

SVF::SVFBugReport::addAbsExecBug
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367

SVF::SVFVar
Definition SVFVariables.h:49

SVF
for isBitcode
Definition BasicTypes.h:68

SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56

SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74