This document summarizes Splint, a static analysis tool for C code. It detects various errors such as unused variables, type inconsistencies, memory management issues, and control flow anomalies. It works by type checking code, tracking variable usage and definitions, and modeling memory allocation. Splint supports custom annotations to specify variable properties. The document describes Splint's checks for unused variables, types, memory management including allocation/deallocation errors and stack references, control flow including execution paths and loops, and switch statements. It also provides examples of errors detected by Splint.
Splint the C code static checker
1. Splint the C code static checker
Pedro Pereira Ulisses Costa
Formal Methods in Software Engineering
May 28, 2009
Pedro Pereira, Ulisses Costa Splint the C code static checker
2. Outline
1 Introduction
2 Unused variables
3 Types
4 Memory management
5 Control Flow
6 Buffer sizes
7 The Ultimate Test: wu-ftpd
8 Pros and Cons
9 Conclusions
3. Lint for detecting anomalies in C programs
Statically checking C programs
Unused declarations
Type inconsistencies
Use before definition
Unreachable code
Ignored return values
Execution paths with no return
Infinite loops
4. Splint
Specification Lint and Secure Programming Lint
Annotations
Functions
Variables
Parameters
Types
6. Unused variables
Splint detects instances where the value of a location is used before it is defined.
Annotations can be used to describe what storage must be defined and what storage may be undefined at interface points.
All storage reachable from the following is assumed to be defined before and after a function call:
global variable
parameter to a function
function return value
7. Undefined Parameters
Sometimes, function parameters or return values are expected to reference undefined or partially defined storage.
The out annotation denotes a pointer to storage that may be undefined.
The in annotation denotes a parameter that must be completely defined.
1 extern void setVal (/*@out@*/ int *x);
2 extern int getVal (/*@in@*/ int *x);
3 extern int mysteryVal (int *x);
4
5 int dumbfunc (/*@out@*/ int *x, int i) {
6   if (i > 3)
7     return *x;
8   else if (i > 1)
9     return getVal (x);
10  else if (i == 0)
11    return mysteryVal (x);
12  else {
13    setVal (x);
14    return *x;
15  }
16 }
> splint usedef.c
usedef.c:7: Value *x used before definition
usedef.c:9: Passed storage x not completely defined (*x is undefined): getVal (x)
usedef.c:11: Passed storage x not completely defined (*x is undefined): mysteryVal (x)
Finished checking --- 3 code warnings
9. Types
Strong type checking often reveals programming errors. Splint can check primitive C types more strictly and flexibly than typical compilers.
Built-in C Types
Splint supports stricter checking of built-in C types. The char and enum types can be checked as distinct types, and the different numeric types can be type-checked strictly.
Characters
The primitive char type can be type-checked as a distinct type. If char is used as a distinct type, common errors involving assigning ints to chars are detected.
If the charint flag is on (+charint), char types are indistinguishable from ints.
10. Types - Enums
An error is reported if:
a value that is not an enumerator member is assigned to the enum type
an enum type is used as an operand to an arithmetic operator
If the enumint flag is on (+enumint), enum and int types may be used interchangeably.
12. Memory management
About half the bugs in typical C programs can be
attributed to memory management problems.
Some only appear sporadically
And some may only be apparent when compiled on a different
platform
Splint detects many memory management errors at compile time
Using storage that may have been deallocated
Memory leaks
Returning a pointer to stack-allocated storage
13. Memory management - Memory Model
An object is a typed region of storage;
Some objects use a fixed amount of storage (that is allocated
and deallocated by the compiler);
Other objects use dynamic memory storage that must be
managed by the program.
Storage is undefined if it has not been assigned a value
and defined after it has been assigned a value.
An object is completely defined if all storage that may be
reached from it is defined.
14. Memory management - Memory Model (cont.)
What storage is reachable from an object depends on the type and
value of the object.
Example
If p is a pointer to a structure, p is completely defined if the value
of p is NULL, or if every field of the structure p points to is
completely defined.
15. Memory management - Memory Model (cont.)
Left side of an assignment
When an expression is used as the left side of an assignment
we say it is an lvalue;
Its location in memory is used, but not its value;
Undefined storage may be used as an lvalue since only its
location is needed.
Right side of an assignment
When storage is used in any other way:
on the right side of an assignment;
as an operand to a primitive operator;
as a function parameter.
we say it is used as an rvalue;
It is an anomaly to use undefined storage as an rvalue.
16. Memory management - Deallocation Errors
Two kinds of deallocation errors:
Deallocating storage when there are other live references to the same storage
Failing to deallocate storage before the last reference to it is lost
Solution
An obligation to release the storage. This obligation is attached to the reference to which the storage is assigned.
The only annotation indicates that a reference is the only pointer to the object it points to:
/*@only@*/ /*@null@*/ void *malloc (size_t size);
17. Memory management - Memory Leaks
1 extern /*@only@*/ int *glob;
2
3 /*@only@*/ int *f (/*@only@*/ int *x, int *y, int *z) {
4   int *m = (int *) malloc (sizeof (int));
5   glob = y;    // Memory leak
6   free (x);
7   *m = *x;     // Use after free
8   return z;    // Memory leak detected
9 }
> splint only.c
only.c:4: Only storage glob (type int *) not released before assignment: glob = y
only.c:1: Storage glob becomes only
only.c:4: Implicitly temp storage y assigned to only: glob = y
only.c:6: Dereference of possibly null pointer m: *m
only.c:8: Storage m may become null
only.c:6: Variable x used after being released
only.c:5: Storage x released
only.c:7: Implicitly temp storage z returned as only: z
only.c:7: Fresh storage m not released before return
only.c:3: Fresh storage m allocated
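The same function rewritten so that every only obligation is discharged, as an added example (not code from the slides); the names f_fixed, release_glob and glob_value and the initial NULL value of glob are assumed:

```c
#include <stdlib.h>

/* Constructed example: glob is only storage, so whoever assigns it must
   release the previous value; it may be NULL before the first call. */
/*@only@*/ /*@null@*/ int *glob = NULL;

/* Takes ownership of x (only), borrows y and z (temp), and returns fresh
   only storage the caller must free.  Returns NULL if allocation fails;
   x is released on every path, so the obligation on it is always met. */
/*@only@*/ /*@null@*/ int *f_fixed(/*@only@*/ int *x, int *y, int *z)
{
    int *m = (int *) malloc(sizeof(int));
    if (m == NULL) {
        free(x);              /* discharge the obligation even on the error path */
        return NULL;
    }
    *m = *x + *z;             /* read x while it is still live ... */
    free(x);                  /* ... then release it exactly once */

    /* "glob = y" would leak the old only storage and alias temp storage y.
       Release the old value and store an owned copy instead. */
    free(glob);
    glob = (int *) malloc(sizeof(int));
    if (glob != NULL)
        *glob = *y;

    /* "return z" would hand out borrowed storage as only; m is fresh and
       has not been released, so returning it is neither a leak nor a bad
       ownership transfer. */
    return m;
}

/* Release the global only reference so the program leaks nothing. */
void release_glob(void)
{
    free(glob);
    glob = NULL;
}

/* Current value of glob, or the given fallback when glob is NULL. */
int glob_value(int fallback)
{
    return glob == NULL ? fallback : *glob;
}
```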
18. Memory management - Stack References
A memory error occurs if a pointer into stack is live after the
function returns
Splint detects errors involving stack references exported from
a function through return values or assignments to references
reachable from global variables or actual parameters
No annotations are needed to detect stack reference errors. It is
clear from declarations if storage is allocated on the function stack.
1 int *glob;
2
3 int *f (int **x) {
4   int sa[2] = { 0, 1 };
5   int loc = 3;
6
7   glob = &loc;
8   *x = &sa[0];
9   return &loc;
10 }
> splint stack.c
stack.c:9: Stack-allocated storage &loc reachable from return value: &loc
stack.c:9: Stack-allocated storage *x reachable from parameter x
stack.c:8: Storage *x becomes stack
stack.c:9: Stack-allocated storage glob reachable from global glob
stack.c:7: Storage glob becomes stack
20. Control Flow - Execution
Many of these checks are possible because of the extra information provided by annotations.
To avoid spurious errors it is important to know something about the behaviour of called functions.
Without additional information Splint assumes that all functions return and execution continues normally.
21. Control Flow - Execution (cont.)
The noreturn annotation denotes a function that never returns.
extern /*@noreturn@*/ void fatalerror (char *s);
Problem!
There are also maynotreturn and alwaysreturns annotations, but Splint must assume that a function returns normally when checking the code, and it doesn't verify whether a function really returns.
22. Control Flow - Execution (cont.)
The noreturnwhentrue and noreturnwhenfalse annotations describe functions that never return if their first argument is true (respectively false).
/*@noreturnwhenfalse@*/ void assert (/*@sef@*/ bool /*@alt int@*/ pred);
The sef annotation denotes a parameter that is side-effect free.
The alt int annotation indicates that the parameter may be either a Boolean or an integer.
23. Control Flow - Undefined Behavior
The order in which side effects take place in C is not entirely defined by the code.
Sequence points:
a function call (after the arguments have been evaluated)
the end of an if, while, for or do statement
the &&, || and ?: operators
24. Control Flow - Undefined Behavior (cont.)
1 extern int glob;
2 extern int mystery (void);
3 extern int modglob (void) /*@globals glob@*/ /*@modifies glob@*/;
4 int f (int x, int y[]) {
5   int i = x++ * x;
6   y[i] = i++;
7   i += modglob () * glob;
8   i += mystery () * glob;
9   return i;
10 }
> splint order.c +evalorderuncon
order.c:5: Expression has undefined behavior (value of right operand modified by left operand): x++ * x
order.c:6: Expression has undefined behavior (left operand uses i, modified by right operand): y[i] = i++
order.c:7: Expression has undefined behavior (value of right operand modified by left operand): modglob () * glob
order.c:8: Expression has undefined behavior (unconstrained function mystery used in left operand may set global variable glob used in right operand): mystery () * glob
25. Control Flow - Likely Infinite Loops
Splint reports an error if it detects a loop that appears to be infinite. An error is reported for a loop that does not modify any value used in its condition test, either inside the body of the loop or in the condition test itself.
1 extern int glob1, glob2;
2 extern int f (void) /*@globals glob1@*/ /*@modifies nothing@*/;
3 extern void g (void) /*@modifies glob2@*/;
4 extern void h (void);
5
6 void upto (int x) {
7   while (x > f ()) g ();
8   while (f () < 3) h ();
9 }
> splint loop.c +infloopsuncon
loop.c:7: Suspected infinite loop. No value used in loop test (x, glob1) is modified by test or loop body.
loop.c:8: Suspected infinite loop. No condition values modified. Modification possible through unconstrained calls: h
26. Control Flow - Switches
Splint detects case statements whose code may fall through to the
next case (no break before the next case label). The casebreak flag
controls reporting of fall-through cases. The /*@fallthrough@*/
annotation marks a case that is intentionally reached by falling
through, and suppresses the warning for it. When a switch on an enum
type has no default, Splint also reports enum values with no case.

1 typedef enum {
2   YES, NO, DEFINITELY,
3   PROBABLY, MAYBE } ynm;
4
5 void decide (ynm y) {
6   switch (y) {
7     case PROBABLY:
8     case NO: printf ("No!");
9     case MAYBE: printf ("Maybe");
10    /*@fallthrough@*/
11    case YES: printf ("Yes!");
12  }
13 }

> splint switch.c
switch.c:9: Fall through case (no preceding break)
switch.c:12: Missing case in switch: DEFINITELY
27. Control Flow - Conclusion
But Splint has more!
Deep Breaks
Complete Logic
28. Outline
1 Introduction
2 Unused variables
3 Types
4 Memory management
5 Control Flow
6 Buffer sizes
7 The Ultimate Test: wu-ftpd
8 Pros and Cons
9 Conclusions
29. Buffer sizes
1 Buffer overflow errors are a particularly dangerous class of bug
  in C
2 At the time Splint's bounds checking was designed they were
  estimated to account for about half of all security vulnerabilities
3 C does not perform runtime bounds checking (for performance
  reasons)
4 Attackers can exploit such bugs to gain full control of a
  machine
30. Buffer sizes - Checking access
Splint models each block of memory using two properties:

maxSet
  maxSet(b) denotes the highest index of b that can safely be used as
  an lvalue (written). For char buffer[MAXSIZE] we have
  maxSet(buffer) = MAXSIZE - 1.

maxRead
  maxRead(b) denotes the highest index of b that can safely be used as
  an rvalue (read).

When a buffer is accessed as an lvalue, Splint generates a
precondition constraint involving the maxSet property.
When a buffer is accessed as an rvalue, Splint generates a
precondition constraint involving the maxRead property.
31. Buffer sizes - Annotating Buffer Sizes
1 Function declarations may include requires and ensures clauses
  that state assumptions about buffer sizes: requires clauses give
  the function's preconditions, ensures clauses its postconditions
2 When a function with a requires clause is called, Splint checks
  that the call site satisfies the constraints the clause implies
3 If the +checkpost flag is set, Splint warns if it cannot verify
  that a function's implementation satisfies its declared
  postconditions
34. Buffer sizes - Warnings
Bounds checking is more complex than the other checks Splint
performs, so memory-bounds warnings carry extensive information
about the constraint that could not be resolved:

int buf[10];
buf[10] = 3;

setChar.c:5:4: Likely out-of-bounds store:
    buf[10]
  Unable to resolve constraint:
    requires 9 >= 10
  needed to satisfy precondition:
    requires maxSet(buf @ setChar.c:5:4) >= 10
35. Buffer sizes - Warnings (cont.)
> splint bounds.c +bounds +showconstraintlocation

1 void updateEnv (char *str) {
2   char *tmp;
3   tmp = getenv ("MYENV");
4   if (tmp != NULL)
5     strcpy (str, tmp);
6 }

bounds.c:5: Possible out-of-bounds store:
    strcpy(str, tmp)
  Unable to resolve constraint:
    requires maxSet(str @ bounds.c:5) >= maxRead(getenv("MYENV") @ bounds.c:3)
  needed to satisfy precondition:
    requires maxSet(str @ bounds.c:5) >= maxRead(tmp @ bounds.c:5)
  derived from strcpy precondition:
    requires maxSet(<parameter 1>) >= maxRead(<parameter 2>)
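The following is an added example, not code from the slides or from the Splint project. It puts the updateEnv() function from the bounds.c slide beside a hardened version whose buffer-size contract is written as the requires/ensures clauses described on the "Annotating Buffer Sizes" slide. To a plain C compiler the annotations are comments, so the file builds with gcc; the file name updateenv.c, the function names updateEnvBounded and updateEnvSafe, and the return-code convention are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Original shape from the bounds.c slide.  Nothing states how large str
 * is, so maxSet(str) is unknown and the strcpy precondition
 * maxSet(str) >= maxRead(tmp) cannot be resolved: getenv() returns a
 * string of arbitrary, attacker-controlled length.  Splint reports
 * "Possible out-of-bounds store" on the strcpy line. */
void updateEnv (char *str)
{
    char *tmp = getenv ("MYENV");
    if (tmp != NULL)
        strcpy (str, tmp);
}

/* Hardened version (assumed name).  The caller passes the capacity of
 * str, and the requires clause records the assumption Splint needs:
 * indices 0..len-1 of str are writable.  The ensures clause promises
 * the result is NUL-terminated within that bound.
 * Returns 0 on success, 1 if the value was truncated to fit, and -1 if
 * value is NULL or len is 0. */
int updateEnvBounded (char *str, size_t len, const char *value)
    /*@requires maxSet(str) >= (len - 1)@*/
    /*@ensures maxRead(str) <= (len - 1)@*/
{
    size_t n;

    if (len == 0)
        return -1;
    if (value == NULL) {
        str[0] = '\0';
        return -1;
    }
    n = strlen (value);
    if (n > len - 1) {
        /* Would overflow: copy what fits and terminate instead. */
        memcpy (str, value, len - 1);
        str[len - 1] = '\0';
        return 1;
    }
    memcpy (str, value, n + 1);   /* n + 1 <= len, includes the NUL */
    return 0;
}

/* Replacement for updateEnv that still reads MYENV but takes the buffer
 * size, so the constraint at the copy site is expressed in terms of a
 * known bound instead of an unknown maxRead(getenv(...)). */
int updateEnvSafe (char *str, size_t len)
    /*@requires maxSet(str) >= (len - 1)@*/
{
    return updateEnvBounded (str, len, getenv ("MYENV"));
}

int main (void)
{
    char buf[8];
    int r;

    /* Constructed inputs: one that fits, one that would overrun buf. */
    r = updateEnvBounded (buf, sizeof buf, "short");
    printf ("%d \"%s\"\n", r, buf);          /* prints: 0 "short" */
    r = updateEnvBounded (buf, sizeof buf, "definitely-too-long-for-buf");
    printf ("%d \"%s\"\n", r, buf);          /* prints: 1 "definit" */
    return 0;
}
```

Check the file with `splint +bounds +showconstraintlocation updateenv.c`: the strcpy in updateEnv still produces the unresolved-constraint warning shown on the slide, while the copies in updateEnvBounded are guarded by len and covered by the requires clause, which is what lets Splint discharge the maxSet constraint at the call site instead of giving up on it.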
37. The Ultimate Test: wu-ftpd
wu-ftpd version 2.5.0
20,000 lines of code
Checking all of wu-ftpd took less than four seconds on a
1.2 GHz Athlon machine
Splint detected the known flaws and also found some
previously unknown flaws (!)
38. The Ultimate Test: wu-ftpd (cont.)
Running Splint on wu-ftpd without adding any annotations
produced 166 warnings for potential out-of-bounds writes
After adding 66 annotations, it produced 101 warnings: 25 of
these indicated real problems and 76 were false positives
40. Pros and Cons
Pros
Lightweight static analysis detects software vulnerabilities
Splint definitely improves code quality
Suitable for real programs...
Cons
...although it produces many warning messages, which can be
confusing
It won't eliminate all security risks
Has not been developed since 2007; the project needs new volunteers
42. Conclusions
No tool will eliminate all security risks
Lightweight static analysis tools (Splint) play an important
role in identifying security vulnerabilities
43. Questions
?