Static Value-Flow Analysis
Loading...
Searching...
No Matches
AEDetector.h
Go to the documentation of this file.
1//===- AEDetector.h -- Vulnerability Detectors---------------------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23
24//
25// Created by Jiawei Wang on 2024/8/20.
26//
27#pragma once
28#include <SVFIR/SVFIR.h>
29#include <AE/Core/AbstractState.h>
30#include "Util/SVFBugReport.h"
31
32namespace SVF
33{
38class AEDetector
39{
40public:
51
55 AEDetector(): kind(UNKNOWN) {}
56
60 virtual ~AEDetector() = default;
61
67 static bool classof(const AEDetector* detector)
68 {
69 return detector->getKind() == AEDetector::UNKNOWN;
70 }
71
77 virtual void detect(AbstractState& as, const ICFGNode* node) = 0;
78
83 virtual void handleStubFunctions(const CallICFGNode* call) = 0;
84
88 virtual void reportBug() = 0;
89
94 DetectorKind getKind() const
95 {
96 return kind;
97 }
98
99protected:
100 DetectorKind kind;
101};
102
107class AEException : public std::exception
108{
109public:
114 AEException(const std::string& message)
115 : msg_(message) {}
116
121 virtual const char* what() const throw()
122 {
123 return msg_.c_str();
124 }
125
126private:
127 std::string msg_;
128};
129
134class BufOverflowDetector : public AEDetector
135{
136 friend class AbstractInterpretation;
137public:
146
150 ~BufOverflowDetector() = default;
151
157 static bool classof(const AEDetector* detector)
158 {
159 return detector->getKind() == AEDetector::BUF_OVERFLOW;
160 }
161
169 void updateGepObjOffsetFromBase(AbstractState& as,
170 AddressValue gepAddrs,
171 AddressValue objAddrs,
172 IntervalValue offset);
173
179 void detect(AbstractState& as, const ICFGNode*);
180
181
186 void handleStubFunctions(const CallICFGNode*);
187
197
203 bool hasGepObjOffsetFromBase(const GepObjVar* obj) const
204 {
205 return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
206 }
207
213 IntervalValue getGepObjOffsetFromBase(const GepObjVar* obj) const
214 {
215 if (hasGepObjOffsetFromBase(obj))
216 return gepObjOffsetFromBase.at(obj);
217 else
218 {
219 assert(false && "GepObjVar not found in gepObjOffsetFromBase");
220 abort();
221 }
222 }
223
231 IntervalValue getAccessOffset(AbstractState& as, NodeID objId, const GepStmt* gep);
232
238 void addBugToReporter(const AEException& e, const ICFGNode* node)
239 {
240
241 GenericBug::EventStack eventStack;
242 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
243 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
244
245 if (eventStack.empty())
246 {
247 return; // If the event stack is empty, return early
248 }
249
250 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
251
252 // Check if the bug at this location has already been reported
253 if (bugLoc.find(loc) != bugLoc.end())
254 {
255 return; // If the bug location is already reported, return early
256 }
257 else
258 {
259 bugLoc.insert(loc); // Otherwise, mark this location as reported
260 }
261
262 // Add the bug to the recorder with details from the event stack
263 recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
264 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
265 }
266
270 void reportBug()
271 {
272 if (!nodeToBugInfo.empty())
273 {
274 std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
275 + " found)######################\n";
276 std::cerr << "---------------------------------------------\n";
277 for (const auto& it : nodeToBugInfo)
278 {
279 std::cerr << it.second << "\n---------------------------------------------\n";
280 }
281 }
282 }
283
287 void initExtAPIBufOverflowCheckRules();
288
294 void detectExtAPI(AbstractState& as, const CallICFGNode *call);
295
303 bool canSafelyAccessMemory(AbstractState& as, const SVFVar *value, const IntervalValue &len);
304
305private:
312 bool detectStrcat(AbstractState& as, const CallICFGNode *call);
313
320 bool detectStrcpy(AbstractState& as, const CallICFGNode *call);
321
322private:
323 Map<const GepObjVar*, IntervalValue> gepObjOffsetFromBase;
324 Map<std::string, std::vector<std::pair<u32_t, u32_t>>> extAPIBufOverflowCheckRules;
325 Set<std::string> bugLoc;
326 SVFBugReport recoder;
327 Map<const ICFGNode*, std::string> nodeToBugInfo;
328};
329class NullptrDerefDetector : public AEDetector
330{
331 friend class AbstractInterpretation;
332public:
337
338 ~NullptrDerefDetector() = default;
339
340 static bool classof(const AEDetector* detector)
341 {
342 return detector->getKind() == AEDetector::NULL_DEREF;
343 }
344
350 void detect(AbstractState& as, const ICFGNode* node);
351
356 void handleStubFunctions(const CallICFGNode* call);
357
363 bool isUninit(AbstractValue v)
364 {
365 // uninitialized value has neither interval value nor address value
366 bool is = v.getAddrs().isBottom() && v.getInterval().isBottom();
367 return is;
368 }
369
375 void addBugToReporter(const AEException& e, const ICFGNode* node)
376 {
377 GenericBug::EventStack eventStack;
378 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
379 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
380
381 if (eventStack.empty())
382 {
383 return; // If the event stack is empty, return early
384 }
385 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
386
387 // Check if the bug at this location has already been reported
388 if (bugLoc.find(loc) != bugLoc.end())
389 {
390 return; // If the bug location is already reported, return early
391 }
392 else
393 {
394 bugLoc.insert(loc); // Otherwise, mark this location as reported
395 }
396 recoder.addAbsExecBug(GenericBug::FULLNULLPTRDEREFERENCE, eventStack, 0, 0, 0, 0);
397 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
398 }
399
403 void reportBug()
404 {
405 if (!nodeToBugInfo.empty())
406 {
407 std::cerr << "###################### Nullptr Dereference (" + std::to_string(nodeToBugInfo.size())
408 + " found)######################\n";
409 std::cerr << "---------------------------------------------\n";
410 for (const auto& it : nodeToBugInfo)
411 {
412 std::cerr << it.second << "\n---------------------------------------------\n";
413 }
414 }
415 }
416
422 void detectExtAPI(AbstractState& as, const CallICFGNode* call);
423
424
430 bool isNull(AbstractValue v)
431 {
432 return !v.isAddr() && !v.isInterval();
433 }
434
435 bool canSafelyDerefPtr(AbstractState& as, const SVFVar* ptr);
436
437private:
438 Set<std::string> bugLoc;
439 SVFBugReport recoder;
440 Map<const ICFGNode*, std::string> nodeToBugInfo;
441};
442}
offset
buffer offset
Definition cJSON.cpp:1113
SVF::AEDetector
Base class for all detectors.
Definition AEDetector.h:39
SVF::AEDetector::classof
static bool classof(const AEDetector *detector)
Check if the detector is of the UNKNOWN kind.
Definition AEDetector.h:67
SVF::AEDetector::DetectorKind
DetectorKind
Enumerates the types of detectors available.
Definition AEDetector.h:46
SVF::AEDetector::NULL_DEREF
@ NULL_DEREF
Detector for nullptr dereference issues.
Definition AEDetector.h:48
SVF::AEDetector::UNKNOWN
@ UNKNOWN
Default type if the kind is not specified.
Definition AEDetector.h:49
SVF::AEDetector::BUF_OVERFLOW
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:47
SVF::AEDetector::handleStubFunctions
virtual void handleStubFunctions(const CallICFGNode *call)=0
Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS)
SVF::AEDetector::kind
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:100
SVF::AEDetector::reportBug
virtual void reportBug()=0
Pure virtual function to report detected bugs.
SVF::AEDetector::AEDetector
AEDetector()
Constructor initializes the detector kind to UNKNOWN.
Definition AEDetector.h:55
SVF::AEDetector::~AEDetector
virtual ~AEDetector()=default
Virtual destructor for safe polymorphic use.
SVF::AEDetector::getKind
DetectorKind getKind() const
Get the kind of the detector.
Definition AEDetector.h:94
SVF::AEDetector::detect
virtual void detect(AbstractState &as, const ICFGNode *node)=0
Pure virtual function for detecting issues within a node.
SVF::AEException
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:108
SVF::AEException::what
virtual const char * what() const
Provides the error message.
Definition AEDetector.h:121
SVF::AEException::AEException
AEException(const std::string &message)
Constructor initializes the exception with a message.
Definition AEDetector.h:114
SVF::AEException::msg_
std::string msg_
The error message.
Definition AEDetector.h:127
SVF::AbstractInterpretation
AbstractInterpretation is same as Abstract Execution.
Definition AbstractInterpretation.h:104
SVF::BufOverflowDetector
Detector for identifying buffer overflow issues.
Definition AEDetector.h:135
SVF::BufOverflowDetector::getAccessOffset
IntervalValue getAccessOffset(AbstractState &as, NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
Definition AEDetector.cpp:312
SVF::BufOverflowDetector::addToGepObjOffsetFromBase
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:193
SVF::BufOverflowDetector::~BufOverflowDetector
~BufOverflowDetector()=default
Destructor.
SVF::BufOverflowDetector::gepObjOffsetFromBase
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:323
SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:324
SVF::BufOverflowDetector::detect
void detect(AbstractState &as, const ICFGNode *)
Detect buffer overflow issues within a node.
Definition AEDetector.cpp:44
SVF::BufOverflowDetector::detectStrcpy
bool detectStrcpy(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
Definition AEDetector.cpp:417
SVF::BufOverflowDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:326
SVF::BufOverflowDetector::BufOverflowDetector
BufOverflowDetector()
Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow ru...
Definition AEDetector.h:141
SVF::BufOverflowDetector::detectStrcat
bool detectStrcat(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Definition AEDetector.cpp:435
SVF::BufOverflowDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:325
SVF::BufOverflowDetector::getGepObjOffsetFromBase
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:213
SVF::BufOverflowDetector::classof
static bool classof(const AEDetector *detector)
Check if the detector is of the BUF_OVERFLOW kind.
Definition AEDetector.h:157
SVF::BufOverflowDetector::reportBug
void reportBug()
Reports all detected buffer overflow bugs.
Definition AEDetector.h:270
SVF::BufOverflowDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:327
SVF::BufOverflowDetector::handleStubFunctions
void handleStubFunctions(const CallICFGNode *)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:114
SVF::BufOverflowDetector::hasGepObjOffsetFromBase
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:203
SVF::BufOverflowDetector::canSafelyAccessMemory
bool canSafelyAccessMemory(AbstractState &as, const SVFVar *value, const IntervalValue &len)
Checks if memory can be safely accessed.
Definition AEDetector.cpp:476
SVF::BufOverflowDetector::initExtAPIBufOverflowCheckRules
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
Definition AEDetector.cpp:184
SVF::BufOverflowDetector::detectExtAPI
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:218
SVF::BufOverflowDetector::updateGepObjOffsetFromBase
void updateGepObjOffsetFromBase(AbstractState &as, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
Definition AEDetector.cpp:346
SVF::BufOverflowDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:238
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::NullptrDerefDetector::canSafelyDerefPtr
bool canSafelyDerefPtr(AbstractState &as, const SVFVar *ptr)
Definition AEDetector.cpp:678
SVF::NullptrDerefDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:438
SVF::NullptrDerefDetector::isNull
bool isNull(AbstractValue v)
Check if an Abstract Value is NULL (or uninitialized).
Definition AEDetector.h:430
SVF::NullptrDerefDetector::isUninit
bool isUninit(AbstractValue v)
Checks if an Abstract Value is uninitialized.
Definition AEDetector.h:363
SVF::NullptrDerefDetector::detect
void detect(AbstractState &as, const ICFGNode *node)
Detects nullptr dereferences issues within a node.
Definition AEDetector.cpp:525
SVF::NullptrDerefDetector::reportBug
void reportBug()
Reports all detected nullptr dereference bugs.
Definition AEDetector.h:403
SVF::NullptrDerefDetector::classof
static bool classof(const AEDetector *detector)
Definition AEDetector.h:340
SVF::NullptrDerefDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:375
SVF::NullptrDerefDetector::handleStubFunctions
void handleStubFunctions(const CallICFGNode *call)
Handles external API calls related to nullptr dereferences.
Definition AEDetector.cpp:568
SVF::NullptrDerefDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:439
SVF::NullptrDerefDetector::detectExtAPI
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handle external API calls related to nullptr dereferences.
Definition AEDetector.cpp:619
SVF::NullptrDerefDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:440
SVF::SVFBugReport::addAbsExecBug
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
SVF
for isBitcode
Definition BasicTypes.h:68
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74
Generated by doxygen 1.9.8