Static Value-Flow Analysis
Loading...
Searching...
No Matches
AEDetector.h
Go to the documentation of this file.
1//===- AEDetector.h -- Vulnerability Detectors---------------------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23
24//
25// Created on: May 1, 2025
26// Author: Xiao Cheng, Jiawei Wang, Mingxiu Wang
27//
28#pragma once
29#include <SVFIR/SVFIR.h>
30#include <AE/Core/AbstractState.h>
31#include "Util/SVFBugReport.h"
32
33namespace SVF
34{
35
36class AbstractInterpretation;
37
42class AEDetector
43{
44public:
55
59 AEDetector(): kind(UNKNOWN) {}
60
64 virtual ~AEDetector() = default;
65
71 static bool classof(const AEDetector* detector)
72 {
73 return detector->getKind() == AEDetector::UNKNOWN;
74 }
75
81 virtual void detect(const ICFGNode* node) = 0;
82
87 virtual void handleStubFunctions(const CallICFGNode* call) = 0;
88
92 virtual void reportBug() = 0;
93
98 DetectorKind getKind() const
99 {
100 return kind;
101 }
102
103protected:
104 DetectorKind kind;
105};
106
111class AEException : public std::exception
112{
113public:
118 AEException(const std::string& message)
119 : msg_(message) {}
120
125 virtual const char* what() const throw()
126 {
127 return msg_.c_str();
128 }
129
130private:
131 std::string msg_;
132};
133
138class BufOverflowDetector : public AEDetector
139{
140 friend class AbstractInterpretation;
141public:
150
154 ~BufOverflowDetector() = default;
155
161 static bool classof(const AEDetector* detector)
162 {
163 return detector->getKind() == AEDetector::BUF_OVERFLOW;
164 }
165
173 void updateGepObjOffsetFromBase(const ICFGNode* node,
174 AddressValue gepAddrs,
175 AddressValue objAddrs,
176 IntervalValue offset);
177
183 void detect(const ICFGNode*) override;
184
185
190 void handleStubFunctions(const CallICFGNode*) override;
191
201
207 bool hasGepObjOffsetFromBase(const GepObjVar* obj) const
208 {
209 return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
210 }
211
217 IntervalValue getGepObjOffsetFromBase(const GepObjVar* obj) const
218 {
219 if (hasGepObjOffsetFromBase(obj))
220 return gepObjOffsetFromBase.at(obj);
221 else
222 {
223 assert(false && "GepObjVar not found in gepObjOffsetFromBase");
224 abort();
225 }
226 }
227
235 IntervalValue getAccessOffset(NodeID objId, const GepStmt* gep);
236
242 void addBugToReporter(const AEException& e, const ICFGNode* node)
243 {
244
245 GenericBug::EventStack eventStack;
246 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
247 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
248
249 if (eventStack.empty())
250 {
251 return; // If the event stack is empty, return early
252 }
253
254 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
255
256 // Check if the bug at this location has already been reported
257 if (bugLoc.find(loc) != bugLoc.end())
258 {
259 return; // If the bug location is already reported, return early
260 }
261 else
262 {
263 bugLoc.insert(loc); // Otherwise, mark this location as reported
264 }
265
266 // Add the bug to the recorder with details from the event stack
267 recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
268 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
269 }
270
274 void reportBug() override
275 {
276 if (!nodeToBugInfo.empty())
277 {
278 std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
279 + " found)######################\n";
280 std::cerr << "---------------------------------------------\n";
281 for (const auto& it : nodeToBugInfo)
282 {
283 std::cerr << it.second << "\n---------------------------------------------\n";
284 }
285 }
286 }
287
291 void initExtAPIBufOverflowCheckRules();
292
298 void detectExtAPI(const CallICFGNode *call);
299
307 bool canSafelyAccessMemory(const ValVar *value, const IntervalValue &len, const ICFGNode* node);
308
309private:
315 bool detectStrcat(const CallICFGNode *call);
316
322 bool detectStrcpy(const CallICFGNode *call);
323
324private:
325 Map<const GepObjVar*, IntervalValue> gepObjOffsetFromBase;
326 Map<std::string, std::vector<std::pair<u32_t, u32_t>>> extAPIBufOverflowCheckRules;
327 Set<std::string> bugLoc;
328 SVFBugReport recoder;
329 Map<const ICFGNode*, std::string> nodeToBugInfo;
330};
331class NullptrDerefDetector : public AEDetector
332{
333 friend class AbstractInterpretation;
334public:
339
340 ~NullptrDerefDetector() = default;
341
342 static bool classof(const AEDetector* detector)
343 {
344 return detector->getKind() == AEDetector::NULL_DEREF;
345 }
346
352 void detect(const ICFGNode* node) override;
353
358 void handleStubFunctions(const CallICFGNode* call) override;
359
365 bool isUninit(AbstractValue v)
366 {
367 // uninitialized value has neither interval value nor address value
368 bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();
369 return is;
370 }
371
377 void addBugToReporter(const AEException& e, const ICFGNode* node)
378 {
379 GenericBug::EventStack eventStack;
380 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
381 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
382
383 if (eventStack.empty())
384 {
385 return; // If the event stack is empty, return early
386 }
387 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
388
389 // Check if the bug at this location has already been reported
390 if (bugLoc.find(loc) != bugLoc.end())
391 {
392 return; // If the bug location is already reported, return early
393 }
394 else
395 {
396 bugLoc.insert(loc); // Otherwise, mark this location as reported
397 }
398 recoder.addAbsExecBug(GenericBug::FULLNULLPTRDEREFERENCE, eventStack, 0, 0, 0, 0);
399 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
400 }
401
405 void reportBug() override
406 {
407 if (!nodeToBugInfo.empty())
408 {
409 std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
410 + " found)######################\n";
411 std::cerr << "---------------------------------------------\n";
412 for (const auto& it : nodeToBugInfo)
413 {
414 std::cerr << it.second << "\n---------------------------------------------\n";
415 }
416 }
417 }
418
424 void detectExtAPI(const CallICFGNode* call);
425
426
432 bool isNull(AbstractValue v)
433 {
434 return !v.isAddr() && !v.isInterval();
435 }
436
437 bool canSafelyDerefPtr(const ValVar* ptr, const ICFGNode* node);
438
439private:
440 Set<std::string> bugLoc;
441 SVFBugReport recoder;
442 Map<const ICFGNode*, std::string> nodeToBugInfo;
443};
444}
offset
buffer offset
Definition cJSON.cpp:1113
SVF::AEDetector
Base class for all detectors.
Definition AEDetector.h:43
SVF::AEDetector::classof
static bool classof(const AEDetector *detector)
Check if the detector is of the UNKNOWN kind.
Definition AEDetector.h:71
SVF::AEDetector::DetectorKind
DetectorKind
Enumerates the types of detectors available.
Definition AEDetector.h:50
SVF::AEDetector::NULL_DEREF
@ NULL_DEREF
Detector for nullptr dereference issues.
Definition AEDetector.h:52
SVF::AEDetector::UNKNOWN
@ UNKNOWN
Default type if the kind is not specified.
Definition AEDetector.h:53
SVF::AEDetector::BUF_OVERFLOW
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:51
SVF::AEDetector::handleStubFunctions
virtual void handleStubFunctions(const CallICFGNode *call)=0
Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS)
SVF::AEDetector::kind
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:104
SVF::AEDetector::reportBug
virtual void reportBug()=0
Pure virtual function to report detected bugs.
SVF::AEDetector::AEDetector
AEDetector()
Constructor initializes the detector kind to UNKNOWN.
Definition AEDetector.h:59
SVF::AEDetector::~AEDetector
virtual ~AEDetector()=default
Virtual destructor for safe polymorphic use.
SVF::AEDetector::detect
virtual void detect(const ICFGNode *node)=0
Pure virtual function for detecting issues within a node.
SVF::AEDetector::getKind
DetectorKind getKind() const
Get the kind of the detector.
Definition AEDetector.h:98
SVF::AEException
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:112
SVF::AEException::what
virtual const char * what() const
Provides the error message.
Definition AEDetector.h:125
SVF::AEException::AEException
AEException(const std::string &message)
Constructor initializes the exception with a message.
Definition AEDetector.h:118
SVF::AEException::msg_
std::string msg_
The error message.
Definition AEDetector.h:131
SVF::BufOverflowDetector
Detector for identifying buffer overflow issues.
Definition AEDetector.h:139
SVF::BufOverflowDetector::addToGepObjOffsetFromBase
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:197
SVF::BufOverflowDetector::detect
void detect(const ICFGNode *) override
Detect buffer overflow issues within a node.
Definition AEDetector.cpp:45
SVF::BufOverflowDetector::reportBug
void reportBug() override
Reports all detected buffer overflow bugs.
Definition AEDetector.h:274
SVF::BufOverflowDetector::~BufOverflowDetector
~BufOverflowDetector()=default
Destructor.
SVF::BufOverflowDetector::gepObjOffsetFromBase
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:325
SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:326
SVF::BufOverflowDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:328
SVF::BufOverflowDetector::getAccessOffset
IntervalValue getAccessOffset(NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
Definition AEDetector.cpp:305
SVF::BufOverflowDetector::updateGepObjOffsetFromBase
void updateGepObjOffsetFromBase(const ICFGNode *node, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
Definition AEDetector.cpp:336
SVF::BufOverflowDetector::detectExtAPI
void detectExtAPI(const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:212
SVF::BufOverflowDetector::BufOverflowDetector
BufOverflowDetector()
Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow ru...
Definition AEDetector.h:145
SVF::BufOverflowDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:327
SVF::BufOverflowDetector::canSafelyAccessMemory
bool canSafelyAccessMemory(const ValVar *value, const IntervalValue &len, const ICFGNode *node)
Checks if memory can be safely accessed.
Definition AEDetector.cpp:460
SVF::BufOverflowDetector::getGepObjOffsetFromBase
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:217
SVF::BufOverflowDetector::classof
static bool classof(const AEDetector *detector)
Check if the detector is of the BUF_OVERFLOW kind.
Definition AEDetector.h:161
SVF::BufOverflowDetector::detectStrcpy
bool detectStrcpy(const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
Definition AEDetector.cpp:409
SVF::BufOverflowDetector::handleStubFunctions
void handleStubFunctions(const CallICFGNode *) override
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:116
SVF::BufOverflowDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:329
SVF::BufOverflowDetector::hasGepObjOffsetFromBase
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:207
SVF::BufOverflowDetector::initExtAPIBufOverflowCheckRules
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
Definition AEDetector.cpp:179
SVF::BufOverflowDetector::detectStrcat
bool detectStrcat(const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Definition AEDetector.cpp:418
SVF::BufOverflowDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:242
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::NullptrDerefDetector::canSafelyDerefPtr
bool canSafelyDerefPtr(const ValVar *ptr, const ICFGNode *node)
Definition AEDetector.cpp:666
SVF::NullptrDerefDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:440
SVF::NullptrDerefDetector::isNull
bool isNull(AbstractValue v)
Check if an Abstract Value is NULL (or uninitialized).
Definition AEDetector.h:432
SVF::NullptrDerefDetector::isUninit
bool isUninit(AbstractValue v)
Checks if an Abstract Value is uninitialized.
Definition AEDetector.h:365
SVF::NullptrDerefDetector::handleStubFunctions
void handleStubFunctions(const CallICFGNode *call) override
Handles external API calls related to nullptr dereferences.
Definition AEDetector.cpp:557
SVF::NullptrDerefDetector::detect
void detect(const ICFGNode *node) override
Detects nullptr dereferences issues within a node.
Definition AEDetector.cpp:514
SVF::NullptrDerefDetector::classof
static bool classof(const AEDetector *detector)
Definition AEDetector.h:342
SVF::NullptrDerefDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:377
SVF::NullptrDerefDetector::reportBug
void reportBug() override
Reports all detected nullptr dereference bugs.
Definition AEDetector.h:405
SVF::NullptrDerefDetector::detectExtAPI
void detectExtAPI(const CallICFGNode *call)
Handle external API calls related to nullptr dereferences.
Definition AEDetector.cpp:607
SVF::NullptrDerefDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:441
SVF::NullptrDerefDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:442
SVF::SVFBugReport::addAbsExecBug
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
SVF
for isBitcode
Definition BasicTypes.h:70
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:76
Generated by doxygen 1.9.8