Sta$c Analysis Dataflow Analysis

Transcription

1 Sta$c Analysis Dataflow Analysis

2 Roadmap Overview. Four Analysis Examples. Analysis Framework Soot. Theore>cal Abstrac>on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis.

3 Overview Sta>c analysis is a program analysis technique performed without actually execu>ng programs. Data flow analysis is a process of deriving informa>on about the run >me behavior of a program. Usage: compiler, IDE and security.

4 SSA Requires that each variable is assigned exactly once. y := 1 y := 2 x := y y1 := 1 y2 := 2 x1 := y2 Def- use chain: Def- use chains are used to propagate data flow informa>on. The analysis algorithm takes >me propor>onal to the product of the total number of def- use edges Benefits: Data flow analysis could be easier and faster. Reduce the number of def- use chains. (m*n vs m+n)

5

6

7 Control Flow Graph (CFG) A control flow graph is a representa>on of a program that makes certain analyses (including dataflow analyses) easier. Usually built on Intermediate representa>on: Single sta>c assignment (SSA) form. Statements may be Assignments: x := y or x := y op z or x := op y Branches: goto L or if b then goto L A directed graph where Each node represents a statement Edges represent control flow

8 IN point OUT point

9 Roadmap Overview. Four Analysis Examples. Analysis Framework Soot. Theore>cal Abstrac>on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis.

10 Example Available expressions Reaching defini>ons Live variables Very busy expressions Data- flow- analysis- example.pdf

11 Blackboard

12 a, b, x a, b, x, y a, b, x, y a, b, y a, b, x, y a, b a, x, b a, x, b a, x, y a, x, y a, b, x, y x a, b, y X (prerequisite knowle 6. a, b, y a, b, y a, x, y

13 Forward Must Dataflow Algorithm Full set

14 Roadmap Overview. Four Analysis Examples. Analysis Framework Soot. Theore>cal Abstrac>on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis.

15 Use Framework to Implement Analysis Soot is a framework to analyze and op>mize Java or Android programs.

16 Four Steps to Use Soot Forward or backward? Decide what you are approxima>ng. What is the domain s confluence operator? (Union or Intersec>on) Write equa>on for each kind of IR statement. State the star>ng approxima>on. (Ini>al value of each set)

17 HOWTO: Implemen>ng Soot Flow Analysis Subclass ForwardFlowAnalysis or BackwardFlowAnalysis. Implement merge(), copy() Implement flow func>on: flowthrough() Implement ini>al values: newini>alflow() and entryini>alflow() Implement constructor (it must call doanalysis())

18 Soot Example: Live Variable

19 Step1. Forward or Backward

20 Step2. Abstrac>on Domain

21 Step 3. Implemen>ng an Abstrac>on

22 Step 3. Implemen>ng an Abstrac>on

23 Implemen>ng Copy

24 Implemen>ng Merge

25 Flow Equa>ons

26 Implemen>ng Flow Func>on: Cas>ng (1)

27 Implemen>ng Flow Func>on: Copying (2)

28 Implemen>ng Flow Func>on: Removing Kills (3)

29 Implemen>ng Flow Func>on: Adding Gens (4)

30 Step 4. Ini>al Value.

31 Step 5. Implement Constructor

32 Enjoy: Flow Analysis Results

33 Roadmap Overview. Four Analysis Examples. Analysis Framework Soot. Theore$cal Abstrac$on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis.

34 Theore>cal Abstrac>on of Dataflow Analysis Model dataflow analysis is important: Whether the algorithm will terminate. Which analysis converges faster. There is an order between the values a data flow variable takes in two consecu>ve itera>ons. A general way to express an order between objects is to embed them in a mathema>cal structure called a lafce.

35 Lafce A par$al order on a set S is a rela>on over S S that is Reflexive. For all elements x S : x x. Transi>ve. For all elements x,y,z S : x y and y z implies x z. An>- symmetric. For all elements x,y S : x y and y x implies x = y. A par$ally ordered set, denoted by (S, ), is a set S with a par>al order. LaLce: a par>ally ordered set with unique least upper bounds and greatest lower bounds.

36 Modeling Data Flow Values Using Lafces The rela>on can be interpreted as a conserva>ve (safe) approxima>on of. The lafce for data flow values in live variables analysis

37 Modeling Flow Func$ons

38 Two important proper>es of flow func>ons Determine if the analysis could terminate. Determine if the analysis could run faster.

39 Distribu>ve problems: Live variables Available expressions Reaching defini>ons Very busy expressions Non- distribu>ve problem: A: {x=2, y=1} B: {x=1, y=2} FlowFunc>on(A Π B) = {A,B,C unknown} FlowFunc>on(A) Π FlowFunc>on (B) = {A,B Unknow, Z=3}

40 Roadmap Overview. Example. Theore>cal Abstrac>on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis. Analysis Framework Soot.

41 Inter- procedure Analysis

42 Top Value: UNDEF Bopom Value: NOT Constant a:=7 (7 Π 17) X:=7 r:=7 x:=7 a:=7, a:=not y:=0 Constant y:=not Constant z:=not Constant

43 A quick fix

44 Context- based Inter- procedure analysis Solu>on: make a finite number of copies Use context informa>on to determine when to share a copy Choice of what to use for context will produce different tradeoffs between precision and scalability Common choice: Call site Parameter value

45 Based on Call Stack Depth 1

46 Based on Call Stack Depth 2

47 Based on Parameter Value

48 Roadmap Overview. Example. Theore>cal Abstrac>on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis. Analysis Framework Soot.

49 Taint Analysis Follow any applica>on inside a debugger and you will see that data informa>on is being copied and modified all the >me. In another words, informa>on is always moving. Taint analysis can be seen as a form of Informa>on Flow Analysis. Insert some kind of tag or label for data we are interested in. (taint the data) Track the influence of the tainted object along the execu>on of the program. Taint relevant data. Obverse if it flows to sensi>ve func>ons (sink).

50 Two usage in security: Taint Analysis Finding informa$on leakage. Finding program vulnerability. For informa>on leakage: If a data (variable) contains user secrets (e.g., loca>on, contacts), we will taint such data. Taint the variables whose data depend on tainted value. (e.g., a := b + x) Observe if the tainted data will flow to func>ons that might send data to other places.

51

52 Taint Analysis Two usage in security: Finding informa>on leakage. Finding program vulnerability (code injec$on). Applica>on vulnerability: A lot of vulnerabili>es are caused by unchecked input from user (apack) sent to sensi>ve func>ons.

53 <script> alert(1)</script> XSS vulnerability

54 SELECT * FROM `login` WHERE `user`= OR a = a AND `pass`= OR a = a

55 Buffer Overflow Vulnerability

56 Taint Analysis Two usage in security: Finding informa>on leakage. Finding program vulnerability (code injec$on). Applica>on vulnerability: A lot of vulnerabili>es are caused by unchecked input from user (apack) sent to sensi>ve func>ons. If the source of a object X s value is untrusted, we say X is tainted. Taint the variables whose data depend on tainted value. (e.g., a := b + x) Observe if the tainted data will flow to dangerous func>ons that might lead to execu>on its parameters.

57 Taint Analysis Works Android App Informa>on Leakage: FlowDroid. JavaScript: Firefox Extension Vulnerability: Bandhakavi, Sruthi, et al. "VEX: Vefng browser extensions for security vulnerabili>es." Usenix Security Php: Web Applica>on Vulnerability: Jovanovic, Nenad, Christopher Kruegel, and Engin Kirda. "Pixy: A sta>c analysis tool for detec>ng web applica>on vulnerabili>es. Oakland, 2006

58 References Soot Tutorial: hpps://github.com/sable/soot/wiki/tutorials Interprocedural Data Flow Analysis in Soot using Value Contexts: hpps://arxiv.org/pdf/ pdf Harvard Advanced Programming Language: hpp:// Textbool: Data Flow Analysis: Theory and Prac>ce: hpps:// Flow- Analysis- Theory- Prac>ce/dp/ Course: Professor Finddler s programming Languages seminar. Course: Professor Campanoni s code analysis and transforma>on.