Static Value-Flow Analysis
Loading...
Searching...
No Matches
AEDetector.h
Go to the documentation of this file.
1//===- AEDetector.h -- Vulnerability Detectors---------------------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23
24//
25// Created by Jiawei Wang on 2024/8/20.
26//
27#pragma once
28#include <SVFIR/SVFIR.h>
30#include "Util/SVFBugReport.h"
31
32namespace SVF
33{
39{
40public:
51
56
60 virtual ~AEDetector() = default;
61
67 static bool classof(const AEDetector* detector)
68 {
69 return detector->getKind() == AEDetector::UNKNOWN;
70 }
71
77 virtual void detect(AbstractState& as, const ICFGNode* node) = 0;
78
83 virtual void handleStubFunctions(const CallICFGNode* call) = 0;
84
88 virtual void reportBug() = 0;
89
95 {
96 return kind;
97 }
98
99protected:
101};
102
107class AEException : public std::exception
108{
109public:
114 AEException(const std::string& message)
115 : msg_(message) {}
116
121 virtual const char* what() const throw()
122 {
123 return msg_.c_str();
124 }
125
126private:
127 std::string msg_;
128};
129
135{
137public:
146
151
157 static bool classof(const AEDetector* detector)
158 {
159 return detector->getKind() == AEDetector::BUF_OVERFLOW;
160 }
161
173
179 void detect(AbstractState& as, const ICFGNode*);
180
181
187
197
204 {
205 return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
206 }
207
214 {
216 return gepObjOffsetFromBase.at(obj);
217 else
218 {
219 assert(false && "GepObjVar not found in gepObjOffsetFromBase");
220 abort();
221 }
222 }
223
232
238 void addBugToReporter(const AEException& e, const ICFGNode* node)
239 {
240
243 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
244
245 if (eventStack.empty())
246 {
247 return; // If the event stack is empty, return early
248 }
249
250 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
251
252 // Check if the bug at this location has already been reported
253 if (bugLoc.find(loc) != bugLoc.end())
254 {
255 return; // If the bug location is already reported, return early
256 }
257 else
258 {
259 bugLoc.insert(loc); // Otherwise, mark this location as reported
260 }
261
262 // Add the bug to the recorder with details from the event stack
264 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
265 }
266
271 {
272 if (!nodeToBugInfo.empty())
273 {
274 std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
275 + " found)######################\n";
276 std::cerr << "---------------------------------------------\n";
277 for (const auto& it : nodeToBugInfo)
278 {
279 std::cerr << it.second << "\n---------------------------------------------\n";
280 }
281 }
282 }
283
288
294 void detectExtAPI(AbstractState& as, const CallICFGNode *call);
295
303 bool canSafelyAccessMemory(AbstractState& as, const SVFVar *value, const IntervalValue &len);
304
305private:
312 bool detectStrcat(AbstractState& as, const CallICFGNode *call);
313
320 bool detectStrcpy(AbstractState& as, const CallICFGNode *call);
321
322private:
328};
330{
332public:
337
339
340 static bool classof(const AEDetector* detector)
341 {
342 return detector->getKind() == AEDetector::NULL_DEREF;
343 }
344
350 void detect(AbstractState& as, const ICFGNode* node);
351
356 void handleStubFunctions(const CallICFGNode* call);
357
364 {
365 // uninitialized value has neither interval value nor address value
366 bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();
367 return is;
368 }
369
375 void addBugToReporter(const AEException& e, const ICFGNode* node)
376 {
379 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
380
381 if (eventStack.empty())
382 {
383 return; // If the event stack is empty, return early
384 }
385 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
386
387 // Check if the bug at this location has already been reported
388 if (bugLoc.find(loc) != bugLoc.end())
389 {
390 return; // If the bug location is already reported, return early
391 }
392 else
393 {
394 bugLoc.insert(loc); // Otherwise, mark this location as reported
395 }
397 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
398 }
399
404 {
405 if (!nodeToBugInfo.empty())
406 {
407 std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
408 + " found)######################\n";
409 std::cerr << "---------------------------------------------\n";
410 for (const auto& it : nodeToBugInfo)
411 {
412 std::cerr << it.second << "\n---------------------------------------------\n";
413 }
414 }
415 }
416
422 void detectExtAPI(AbstractState& as, const CallICFGNode* call);
423
424
431 {
432 return !v.isAddr() && !v.isInterval();
433 }
434
436
437private:
441};
442}
buffer offset
Definition cJSON.cpp:1113
Base class for all detectors.
Definition AEDetector.h:39
static bool classof(const AEDetector *detector)
Check if the detector is of the UNKNOWN kind.
Definition AEDetector.h:67
DetectorKind
Enumerates the types of detectors available.
Definition AEDetector.h:46
@ NULL_DEREF
Detector for nullptr dereference issues.
Definition AEDetector.h:48
@ UNKNOWN
Default type if the kind is not specified.
Definition AEDetector.h:49
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:47
virtual void handleStubFunctions(const CallICFGNode *call)=0
Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS)
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:100
virtual void reportBug()=0
Pure virtual function to report detected bugs.
AEDetector()
Constructor initializes the detector kind to UNKNOWN.
Definition AEDetector.h:55
virtual ~AEDetector()=default
Virtual destructor for safe polymorphic use.
DetectorKind getKind() const
Get the kind of the detector.
Definition AEDetector.h:94
virtual void detect(AbstractState &as, const ICFGNode *node)=0
Pure virtual function for detecting issues within a node.
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:108
virtual const char * what() const
Provides the error message.
Definition AEDetector.h:121
AEException(const std::string &message)
Constructor initializes the exception with a message.
Definition AEDetector.h:114
std::string msg_
The error message.
Definition AEDetector.h:127
AbstractInterpretation is same as Abstract Execution.
Detector for identifying buffer overflow issues.
Definition AEDetector.h:135
IntervalValue getAccessOffset(AbstractState &as, NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:193
~BufOverflowDetector()=default
Destructor.
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:323
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:324
void detect(AbstractState &as, const ICFGNode *)
Detect buffer overflow issues within a node.
bool detectStrcpy(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:326
BufOverflowDetector()
Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow ru...
Definition AEDetector.h:141
bool detectStrcat(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:325
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:213
static bool classof(const AEDetector *detector)
Check if the detector is of the BUF_OVERFLOW kind.
Definition AEDetector.h:157
void reportBug()
Reports all detected buffer overflow bugs.
Definition AEDetector.h:270
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:327
void handleStubFunctions(const CallICFGNode *)
Handles external API calls related to buffer overflow detection.
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:203
bool canSafelyAccessMemory(AbstractState &as, const SVFVar *value, const IntervalValue &len)
Checks if memory can be safely accessed.
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
void updateGepObjOffsetFromBase(AbstractState &as, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:238
std::vector< SVFBugEvent > EventStack
bool canSafelyDerefPtr(AbstractState &as, const SVFVar *ptr)
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:438
bool isNull(AbstractValue v)
Check if an Abstract Value is NULL (or uninitialized).
Definition AEDetector.h:430
bool isUninit(AbstractValue v)
Checks if an Abstract Value is uninitialized.
Definition AEDetector.h:363
void detect(AbstractState &as, const ICFGNode *node)
Detects nullptr dereferences issues within a node.
void reportBug()
Reports all detected nullptr dereference bugs.
Definition AEDetector.h:403
static bool classof(const AEDetector *detector)
Definition AEDetector.h:340
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:375
void handleStubFunctions(const CallICFGNode *call)
Handles external API calls related to nullptr dereferences.
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:439
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handle external API calls related to nullptr dereferences.
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:440
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
for isBitcode
Definition BasicTypes.h:68
u32_t NodeID
Definition GeneralType.h:56
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74