CSCE 548 Building Secure Software Data Flow Analysis

Size: px

Start display at page:

Download "CSCE 548 Building Secure Software Data Flow Analysis"

Coral Garrett
5 years ago
Views:

1 CSCE 548 Building Secure Software Data Flow Analysis Professor Lisa Luo Spring 2018

2 Previous Class Why we need reverse engineering? Tools for reverse engineering Debugger Disassembler System monitoring tools Reverse engineering tool examples Java disassembler Java decompiler Debugger Tracing Reverse engineering Malware Static analysis Dynamic analysis 2

3 What is Dataflow Analysis? Static analysis reasoning about flow of data in program Different kinds of data: constants, variables, expressions Used by bug-finding tools and compilers

4 Control-Flow Graphs entry y=x*y x = 5 y = 1 (x!= 1)? exit x = 5; y = 1; while (x!= 1) { y = x * y; x = x - 1 } x=x-1

5 QUIZ: Control-Flow Graphs entry x = 5 x!= 0 exit y = x x = x - 1 y!= 0? y = y -1

6 QUIZ: Control-Flow Graphs entry x = 5 exit x!= 0 y = x x = x - 1 x = 5; while (x!= 0) { y = x; x = x - 1; while (y!= 0) { y = y - 1 } } y!= 0? y = y -1

7 Applications of Dataflow Analysis Reaching Definitions Analysis Find usage of uninitialized variables Live Variables Analysis Allocate registers efficiently Very Busy Expressions Analysis Reduce code size

8 Reaching Definitions Analysis 8

9 Abstracting Control-Flow Conditions Abstracts away control-flow conditions with nondeterministic choice (*) Non-deterministic choice => assumes condition can evaluate to or Considers all paths possible in actual runs, and maybe paths that are never possible (unsound). y=x*y x=x-1 entry x = 5 y = 1 (x!= 1)? exit

10 Reaching Definitions Analysis Goal: Determine, for each program point, which assignments have been made and not overwritten, when execution reaches that point along some path entry x = y y = 1 (x!= 1)? P1 Ø Assignment == Definition y=x*y exit x=x-1 P2

11 Reaching Definitions Analysis A definition of a variable x is a statement that may modify the value of variable x. A definition of a variable x at node k reaches node n if there is a definition-free path from k to n. 11

12 QUIZ: Reaching Definitions Analysis entry 1. The assignment y = 1 reaches P1 2. The assignment y = 1 reaches P2 x = y y = 1 (x!= 1)? P1 3. The assignment y = x * y reaches P1 y=x*y x=x-1 P2 exit

13 Result of Dataflow Analysis Set of facts at each program point For reaching definitions analysis, fact is a pair of the form: <defined variable name, defining node label> Examples: <x,2>, <y,5> 5: 6: 4: 1: 2: 3: y=x*y x=x-1 entry x = y y = 1 (x!= 1)? 7: exit

14 Dataflow Analysis Process Give distinct label n to each node 1: entry IN[n] = set of facts at entry of node n 2: x = y OUT[n] = set of facts at exit of node n Dataflow analysis computes IN[n] and OUT[n] for each node Repeat two operations until IN[n] and OUT[n] stop changing Called fixed point 5: 6: 4: 3: y=x*y x=x-1 y = 1 (x!= 1)? 7: exit

15 RD Analysis: Operation #1 n1 n2 n3 IN[n] = OUT[n ] n predecessors(n) n IN[n] = OUT[n1] OUT[n2] OUT[n3]

16 RD Analysis: Operation #2 IN[n] OUT[n] = (IN[n] - KILL[n]) GEN[n] n: OUT[n] n: b? GEN[n] = KILL[n] = n: x = a GEN[n] = { <x, n> } KILL[n] = { <x, m> : m!= n }

17 RD Analysis Example n IN[n] OUT[n] 1: entry 1 -- {<x,?>,<y,?>} : 4: 2: 3: x = y y = 1 (x!= 1)? y=x*y 7: exit : x=x-1

18 RD Analysis Example n IN[n] OUT[n] 1: entry 1 -- {<x,?>,<y,?>} 2: x = y 2 {<x,?>,<y,?>} {<x,2>,<y,?>} 3 {<x,2>,<y,?>} {<x,2>,<y,3>} 4 5 5: 4: 3: y = 1 (x!= 1)? y=x*y 7: exit : x=x-1

19 QUIZ: Reaching Definitions Analysis n IN[n] OUT[n] 1: entry 1 -- {<x,?>,<y,?>} 2: x = y 2 {<x,?>,<y,?>} {<x,2>,<y,?>} 3 {<x,2>,<y,?>} {<x,2>,<y,3>} 4 {<x,2>,<y,3>, OUT[6] } {<x,2>,<y,3>, OUT[6] } 5 {<x,2>,<y,3>, OUT[6] } {<x,2>, <y,5>, OUT[6] } 5: 4: 3: y = 1 (x!= 1)? y=x*y 7: exit : x=x-1

20 QUIZ: Reaching Definitions Analysis n IN[n] OUT[n] 1: entry 1 -- {<x,?>,<y,?>} 2: x = y 2 {<x,?>,<y,?>} {<x,2>,<y,?>} 3 {<x,2>,<y,?>} {<x,2>,<y,3>} 4 {<x,2>,<y,3>, OUT[6] } {<x,2>,<y,3>, OUT[6] } 5 {<x,2>,<y,3>, OUT[6] } {<x,2>, <y,5>, OUT[6] } 5: 4: 3: y = 1 (x!= 1)? y=x*y 7: exit 6 {<x,2>, <y,5>, OUT[6] } {<y,5>,<x,6>} : x=x-1

21 QUIZ: Reaching Definitions Analysis n IN[n] OUT[n] 1: entry 1 -- {<x,?>,<y,?>} 2: x = y 2 {<x,?>,<y,?>} {<x,2>,<y,?>} 3 {<x,2>,<y,?>} {<x,2>,<y,3>} 4 {<x,2>,<y,3>,<y,5>,<x,6>} {<x,2>,<y,3>,<y,5>,<x,6>} 5 {<x,2>,<y,3>,<y,5>,<x,6>} {<x,2>,<y,5>,<x,6>} 5: 4: 3: y = 1 (x!= 1)? y=x*y 7: exit 6 {<x,2>,<y,5>,<x,6>} {<y,5>,<x,6>} : x=x-1

22 QUIZ: Reaching Definitions Analysis n IN[n] OUT[n] 1: entry 1 -- {<x,?>,<y,?>} 2: x = y 2 {<x,?>,<y,?>} {<x,2>,<y,?>} 3 {<x,2>,<y,?>} {<x,2>,<y,3>} 4 {<x,2>,<y,3>,<y,5>,<x,6>} {<x,2>,<y,3>,<y,5>,<x,6>} 5 {<x,2>,<y,3>,<y,5>,<x,6>} {<x,2>,<y,5>,<x,6>} 5: 4: 3: y = 1 (x!= 1)? y=x*y 7: exit 6 {<x,2>,<y,5>,<x,6>} {<y,5>,<x,6>} 7 {<x,2>,<y,3>,<y,5>,<x,6>} -- 6: x=x-1

23 Bug Finding: Null Pointer Exception public String badcode(int x) { String y = null; if (x > 0) { y = "more"; } else if (x < 0) { y = "less"; } return y.touppercase(); } Goal: Whether there are any possible null-pointer exceptions. 23

24 Bug Finding: Null Pointer Exception Solution: Determine whether the definition at node 1 may reach node 6. If it can, we have a possible null-pointer exception. 24

25 Bug Finding: Null Pointer Exception n IN[n] OUT[n] entry -- {<y,?>} 1 {<y,?>} {<y,1>} 2 {<y,1>} {<y,1>} 3 {<y,1>} {<y,3>} 4 {<y,1>} {<y,1>} 5 {<y,1>} {<y,5>} 6 {<y,1>, <y,3>}, <y,5>} -- 25

26 Live Variables Analysis 26

27 Live Variables Analysis Goal: Determine for each program point which variables could be live at the point s exit A variable is live if there is a path to a use of the variable that doesn t redefine the variable z=y entry y = 4 x = 2 (y!=x)? z = y*y x=z exit P

28 Live Variables Analysis A variable x is live at node k if x is NOT redefined from n to k. k x = n = x 28

29 Live Variables Analysis: Operation #1 OUT[n] = IN[n ] n n successors(n) n1 n2 n3 OUT[n] = IN[n1] IN[n2] IN[n3]

30 Live Variables Analysis: Operation #2 IN[n] IN[n] = (OUT[n] - KILL[n]) GEN[n] n: OUT[n] n: x? GEN[n] = { <x, n> } KILL[n] = n: y = x GEN[n] = { <x, n> } KILL[n] = { <y, m> : m!= n }

31 Live Variables Analysis Example n IN[n] OUT[n] 1: entry : y = 4 3: x = 2 4: (y!=x)? 5: z=y 6: 7: x=z 8: exit z = y*y

32 Live Variables Analysis Example n IN[n] OUT[n] 1: entry { y } 3 { y } { x, y } 4 { x, y } { y } 5 { y } { z } 6 { y } { z } 7 { z } : y = 4 3: x = 2 4: (y!=x)? 5: z=y 6: 7: x=z 8: exit z = y*y

33 Result Analysis Even this program has 3 variables x, y, and z, at no point are more than two of these three variables simultaneously live. This information can be used by compilers to generate assembly code that uses only two registers instead of three registers for storing the contents of these variables. Using fewer registers can generate more efficient assembly code, by avoiding the need to store the contents of these variables in memory. 33

34 Classifying Dataflow Analyses Match each analysis with its characteristics. Forward analysis Backward analysis Reaching Definitions Live Variables

35 What Have We Learned? What is dataflow analysis Reasoning about flow of data using control-flow graphs Classification: forward vs. backward Two classical dataflow analyses Reaching definition analysis Live variables analysis

MIT Introduction to Dataflow Analysis. Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology

MIT Introduction to Dataflow Analysis. Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology MIT 6.035 Introduction to Dataflow Analysis Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology Dataflow Analysis Used to determine properties of program that involve multiple