
WIP: Update CWE 476 #459

Draft
wants to merge 9 commits into
base: master

Conversation

@vobst (Collaborator) commented Apr 11, 2024

Warning: While in draft state, this PR will be force pushed without notice!

The recent introduction of the taint analysis abstractions (#450) as well as further enhancements made in the context of the CWE252 check (#451) mean that the other checkers that are based on a taint analysis are not as good as they could be.

This updates the code of CWE476 to make full use of the new taint analysis backend. The main improvement is that the analysis is now interprocedural.

It also includes other enhancements to this check:

  • use function summaries to emit more precise warnings on in-binary calls
  • greater Linux LKM API coverage
  • greater libc API coverage
  • new configuration option strict_call_policy
  • improvements to the tests
  • general code cleanups

Valentin Obst added 9 commits April 11, 2024 17:57

Extend the set of Linux LKM API functions that either return a pointer
to a valid object, or a value that indicates an error.

This list contains all functions that are exported to modules, i.e.,
`EXPORT_SYMBOL(|_GPL)`, and return a pointer to a non-pointer type.

Signed-off-by: Valentin Obst <[email protected]>

Add more Linux LKM API functions that allocate memory and return
a pointer to the new allocation.

Signed-off-by: Valentin Obst <[email protected]>

By removing the `update_return_callee` implementation we get the default
implementation, which implies that we now do an interprocedural
analysis. This means we no longer raise a warning when a function may
return a NULL pointer, but rather make the caller responsible for
checking it.

Introduce a new configuration parameter `strict_call_policy` that can be
used to enable the current default behavior, where any taint that may be
passed as an argument to a function call is causing a warning. This is
to prepare for the introduction of a new mode, where a more fine grained
policy is used.

Remove the `extern_symbol_map` and `current_sub` members from the
`Context` type. Those are no longer needed in this version of the check.

Include a 'reason' field in the generated CWE warnings s.t. it is easier to
check which heuristic triggered the warning.

Signed-off-by: Valentin Obst <[email protected]>

Add a convenience function to convert an integer into a one-element
interval.

Signed-off-by: Valentin Obst <[email protected]>

…ke ref

There is no need for this function to take ownership of the address
value. Change it to take a ref instead.

Signed-off-by: Valentin Obst <[email protected]>

Add a method to check if the memory or register location described by an
`AbstractLocation` holds a tainted value.

Signed-off-by: Valentin Obst <[email protected]>

Currently, we only emit warnings for function calls if `strict_call_policy`
is set. However, enabling this can cause many FPs since warnings are
emitted as soon as any parameter may contain taint or point to a tainted
value. For nested parameters it may also lead to FNs since only one level
of nesting is considered.

Use function summaries to make a more accurate decision whether or not a
callee may dereference a potential NULL pointer that is made available to
them.

Signed-off-by: Valentin Obst <[email protected]>
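The two behaviours the commit messages above describe (a callee that may return NULL makes its caller responsible for the check, and `strict_call_policy` versus callee summaries for deciding whether a possibly-NULL argument is dangerous) as an added, self-contained Rust sketch. It is not cwe_checker's code: the toy IR, the `Summary`/`CallPolicy`/`Origin` types, the allocator list and the sample program are all assumptions made for this example.

```rust
use std::collections::HashMap;

// Toy IR assumed for this example (not cwe_checker's IR): a call, a memory access
// through a pointer, a NULL check that sanitises a variable, and a return.
enum Stmt {
    Call { callee: &'static str, args: Vec<&'static str>, ret: Option<&'static str> },
    Load { ptr: &'static str },
    NullCheck { var: &'static str },
    Ret { var: Option<&'static str> },
}
struct Func { name: &'static str, params: Vec<&'static str>, body: Vec<Stmt> }

// Function summary: derefs_param[i] means parameter i is dereferenced before any
// NULL check; may_return_null means the caller must check the return value.
#[derive(Clone, PartialEq, Debug)]
struct Summary { derefs_param: Vec<bool>, may_return_null: bool }

// Strict = warn on every call that receives a possibly-NULL argument (strict_call_policy);
// UseSummaries = warn only if the callee's summary says it dereferences that argument.
#[derive(Clone, Copy)]
enum CallPolicy { Strict, UseSummaries }

// Provenance of a possibly-NULL value: from an allocator or callee (MaybeNull), or the
// i-th parameter of the current function, tracked only to build its summary.
#[derive(Clone, Copy)]
enum Origin { MaybeNull, Param(usize) }

const ALLOCATORS: &[&str] = &["kmalloc", "malloc"]; // assumed: return NULL on failure

// A dereference is a warning if the value is possibly NULL here, and a summary fact
// if it is an unchecked parameter: the caller is then responsible for checking it.
fn note_deref(fname: &str, o: Origin, reason: String, sum: &mut Summary, warns: &mut Vec<String>) {
    match o {
        Origin::MaybeNull => warns.push(format!("{fname}: {reason}")),
        Origin::Param(i) => sum.derefs_param[i] = true,
    }
}

fn analyze(f: &Func, sums: &HashMap<&'static str, Summary>, policy: CallPolicy) -> (Summary, Vec<String>) {
    let mut state: HashMap<&'static str, Origin> =
        f.params.iter().enumerate().map(|(i, p)| (*p, Origin::Param(i))).collect();
    let mut sum = Summary { derefs_param: vec![false; f.params.len()], may_return_null: false };
    let mut warns = Vec::new();
    for s in &f.body {
        match s {
            Stmt::Load { ptr } => if let Some(o) = state.get(ptr).copied() {
                note_deref(f.name, o, format!("{ptr} dereferenced without a NULL check"), &mut sum, &mut warns);
            },
            Stmt::NullCheck { var } => { state.remove(var); }
            Stmt::Ret { var: Some(v) } => if matches!(state.get(v), Some(Origin::MaybeNull)) {
                sum.may_return_null = true; // no warning here: the caller has to check
            },
            Stmt::Ret { var: None } => {}
            Stmt::Call { callee, args, ret } => {
                let callee_sum = sums.get(callee);
                for (i, a) in args.iter().enumerate() {
                    if let Some(o) = state.get(a).copied() {
                        // An unknown (external) callee is conservatively assumed to dereference.
                        let derefs = match (policy, callee_sum) {
                            (CallPolicy::UseSummaries, Some(cs)) => cs.derefs_param.get(i) == Some(&true),
                            _ => true,
                        };
                        if derefs {
                            note_deref(f.name, o, format!("{a} passed to {callee}, which may dereference it"), &mut sum, &mut warns);
                        }
                    }
                }
                if let Some(r) = ret {
                    if ALLOCATORS.contains(callee) || callee_sum.map_or(false, |cs| cs.may_return_null) {
                        state.insert(*r, Origin::MaybeNull);
                    } else {
                        state.remove(r);
                    }
                }
            }
        }
    }
    (sum, warns)
}

// Iterate to a fixed point: summaries only ever grow, so the loop terminates;
// the warnings reported are those of the pass in which nothing changed.
fn check_program(funcs: &[Func], policy: CallPolicy) -> (HashMap<&'static str, Summary>, Vec<String>) {
    let mut sums: HashMap<_, _> = funcs.iter()
        .map(|f| (f.name, Summary { derefs_param: vec![false; f.params.len()], may_return_null: false }))
        .collect();
    loop {
        let (mut next, mut warns) = (HashMap::new(), Vec::new());
        for f in funcs {
            let (s, w) = analyze(f, &sums, policy);
            next.insert(f.name, s);
            warns.extend(w);
        }
        if next == sums { return (sums, warns); }
        sums = next;
    }
}

// Constructed sample (not from the PR), in pseudo-C:
//   void *alloc_buf(void)      { return kmalloc(...); }
//   void fill(char *b)         { *b = 0; }
//   void fill_checked(char *b) { if (!b) return; *b = 0; }
//   void caller(void) { a = alloc_buf(); fill_checked(a); fill(a); b = alloc_buf(); if (!b) return; fill(b); }
fn sample_program() -> Vec<Func> {
    use Stmt::*;
    vec![
        Func { name: "alloc_buf", params: vec![], body: vec![
            Call { callee: "kmalloc", args: vec![], ret: Some("p") }, Ret { var: Some("p") } ] },
        Func { name: "fill", params: vec!["b"], body: vec![Load { ptr: "b" }, Ret { var: None }] },
        Func { name: "fill_checked", params: vec!["b"], body: vec![
            NullCheck { var: "b" }, Load { ptr: "b" }, Ret { var: None } ] },
        Func { name: "caller", params: vec![], body: vec![
            Call { callee: "alloc_buf", args: vec![], ret: Some("a") },
            Call { callee: "fill_checked", args: vec!["a"], ret: None }, // FP under Strict only
            Call { callee: "fill", args: vec!["a"], ret: None },         // CWE-476 under both policies
            Call { callee: "alloc_buf", args: vec![], ret: Some("b") },
            NullCheck { var: "b" },
            Call { callee: "fill", args: vec!["b"], ret: None },         // checked first, no warning
            Ret { var: None } ] },
    ]
}

fn main() {
    for policy in [CallPolicy::UseSummaries, CallPolicy::Strict] {
        let (_, warns) = check_program(&sample_program(), policy);
        println!("{} warning(s): {warns:?}", warns.len());
    }
}
```

With `UseSummaries` the sketch reports one finding, `fill(a)` in `caller`, and stays quiet on `alloc_buf` itself and on `fill_checked(a)`; with `Strict` the call to `fill_checked` is reported as well, which is the class of false positive the summary-based policy is meant to remove.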