Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cwe476 #11

Merged
merged 7 commits into from
Feb 22, 2019
Merged

Cwe476 #11

merged 7 commits into from
Feb 22, 2019

Conversation

Enkelmann
Copy link
Contributor

No description provided.

@Enkelmann Enkelmann requested a review from tbarabosch February 21, 2019 10:19
Copy link
Contributor

@tbarabosch tbarabosch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix a couple of smaller issues, otherwise it looks good!

CHANGES.md Outdated Show resolved Hide resolved
src/checkers/cwe_476.ml Show resolved Hide resolved
type t = (Var.t * Tid.t) list

(** adds var as a tainted register (with the taint source given by tid) *)
let add state var tid =
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even though you are using the power of scopes, it would be clearer to write "old_state" and "new_state" instead of using just "state".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure how to introduce "old_state" and "new_state" without decreasing readability. I could rename State.add to something like State.add_elem, but you probably had something else in mind.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am referring to the name "state" that you use for several variables (e.g. as parameter for the fun, in the let clause)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could rename state to something like tainted_register_list so that its purpose gets more obvious. I just do not think that I should name something "new state", because it would always be the return value and naming return values in ocaml feels unnecessary verbose.

src/checkers/cwe_476.ml Outdated Show resolved Hide resolved
end
| _ -> state

type cwe_hits_type = Tid.t list ref
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am still not sure where to declare such global variables: locality vs. header of file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case I should simply delete the type definition. I just realized that I only use it once.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, the definition is not useless, I was just wondering about the right place to declare it. That is more a question of style, I suppose.

let print_hit tid ~sub ~function_names ~tid_map =
let block = Option.value_exn (Term.find blk_t sub tid) in
let jmps = Term.enum jmp_t block in
let _ = Seq.find_exn jmps ~f:(fun jmp ->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this let _ = something in () seems to be strange. Couldn't you use Seq.iter, which also returns union?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seq.find_exn seems the most logical choice for me, because it is supposed to find exactly one element and it throws an exception if it doesn't find anything. Usually I would use the return value for the Log_utils.warn call, but then I would have to unpack the jmp again.


(** Updates the state depending on the jump. On a jump to a function from the function list
taint all return registers as unchecked return values. *)
let update_state_jmp jmp state ~cwe_hits ~function_names ~program ~block ~strict_call_policy =
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this function is rather long, can't you refactor it and break it down into smaller units?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function is a little bit shorter now.

) in ()

let check_cwe prog proj tid_map symbol_pairs =
let strict_call_policy = true in
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

make this configurable in JSON config since it might be a good way to tune false positives/false negatives. Document this parameter accordingly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a general way to add parameters to the checks configurable in config.json.

let block = Graphs.Ir.Node.label node in
update_block_analysis block state ~cwe_hits ~function_names ~program:prog ~strict_call_policy
) in
let _ = Graphlib.Std.Graphlib.fixpoint (module Graphs.Ir) cfg ~steps:100 ~rev:false ~init:init ~equal:equal ~merge:merge ~f:f in
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

100 is a magic number, should it be configurable? Should we set to some lower threshold?

Copy link
Contributor Author

@Enkelmann Enkelmann Feb 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made it configurable. But it is still a magic number. I suppose that 20 could also be enough, but higher numbers are safer to prevent false negatives.

Oh and it does not cost computing time in the absence of possible cwe-hits.

@tbarabosch tbarabosch merged commit 41b84a4 into master Feb 22, 2019
@tbarabosch tbarabosch deleted the cwe476 branch February 22, 2019 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants