Compass User Manual - ROSE compiler infrastructure
Contents
1. x emacs centipede linl gov Mon Jul 9 1 53AM 0 08 JEJE y Compass Rule Selection E cker Name Checker Description E HE Const cast checker Const cast checker Tests for const casts in the source code a HE Default Case Checker Default Case checker Checks switch statments for default case Parameters None HEI Duff s Device detector Duff s Device detector Detects occurrences of Duff s Device a case or default option statement within a loop within the corresponding switch statement Parameters LE Ellipsis Detector Ellipsis Detector Reports the lines of source code files which have function declarations or definitions that use ellipsis the that makes a function accept a variable number of arguments LE Explicit Copy Explicit Copy Force to define copy constructors and operators unless the user explicitly declare wanting to use the default ones LE Function declaration prototype checker Function declaration prototype checker Tests that function definitions have prototypes for non builtin non template functions Parameters LE Induction Variable Update checker Induction Variable Update checker Tests whether any of induction variables is updated in its loop Parameters No parameters is needed LB Line length checker Line length checker Tests approximately for source file lines which are longer than a specified length limit Parameters LineLengthChecker maximumLineLength integer Maximum2. e ee eee eee 96 ee 98 7 30 Do Not Call Putenv With Auto Var 100 7 31 Do Not Delete This 2 0 0 00000 2 eee eee 103 foi hh dh Bb Bw we Bee tween es 105 6 33 Ditis Device 44 4 4 eee YY ee Re ee A we es 107 7 34 Dynamic Cast aaa ee 109 TERNERA 111 hk Ba dee tata 83 113 Lon eee he Pe es 115 6 38 Explicit C pyji s acia pean bw awe eS a as 117 CONTENTS 5 ad 118 dde aia od 120 AN 122 be eee ah ed ala 124 eee Ce OE oe ee EEE 126 7 44 For Loop Construction Control Stmt 128 one cee 130 ee eee Pe eee ee ee 132 Owe eh ete a ge io aha aoa ee 135 o 137 OPTEI 139 fi ory E aaa 141 Loe a wee RD ee A a 142 7 52 Internal Data Sharing 144 7 53 No Reference Loc Per Function 146 A bh amp a e aS ss as pace eerie 148 7 62 No Exceptions 00 022 ee eee ee ee 163 7 63 No Exit In Mpi Code 0 0 2 00 0002 eee 164 TOA NO Goto iaa ra a Ee IR a 166 7 65 No Overload Ampersadd o e 168 7 66 CERT MSC30 C No Rand 170 7 67 No Second Term Side Effects o 172 ecure Coding EXP0O6 A Operands to the sizeof operator should not contain side effects 20 174 7 69 No Template Usage o 2 00020 00 4 176 7 70 No Variadic Functions a a aa a a 0 00000 004 178 7 11 CERT POS33
3. write your non compliant code example include lt signal h gt include lt stdlib h gt include lt string h gt volatile sig_atomic_t sigi 0 i o volatile sig_atomic_t sig2 void handler int signum if sigi sig2 1 J if signum SIGUSR1 sigl 1 J int main void 60 CHAPTER 7 LIST OF COMPASS CHECKERS signal SIGUSR1 handler signal SIGUSR2 handler while 1 Y if sig2 break sleep SLEEP_TIME 1 return 0 The problem with this code is that there is a race condition in the implementation of handler If handler is called to handle SI GUSR1 and is interrupted to handle SIGUSR2 it is possible that sig2 will not be set This non compliant code example also violates SIG31 C Do not access or modify shared objects in signal handlers 7 5 4 Compliant Solution This compliant solution registers two separate signal handlers to pro cess SIGUSR1 and SIGUSR2 The sigl_handler handler waits for SIGUSER1 After this signal occurs the sig2 handler is registered to handle SIGUSER2 This solution is fully compliant and accom plishes the goal of detecting whether one or more SIGUSR1 signals are followed by SIGUSR2 write your compliant code example include lt signal h gt include lt stdlib h gt include lt string h gt volatile sig_atomic_t sigi 0 volatile sig_atomic_t sig2 0 void sigi_handler int signum sigl 1 F void sig2_handler int
4. 222 CHAPTER 7 LIST OF COMPASS CHECKERS 7 89 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Find the bitwise and 2 climb parent tree 3 alert if parent null or basicblock found 7 89 6 References ISO IEC 9899 1999 TC2 Dowd 06 Chapter 6 C Language Is sues ISO IEC 9899 1999 Section 6 5 7 Bitwise shift operators ISO IEC 03 Section 6 5 7 Bitwise shift operators 7 90 SET POINTERS TO NULL 7 90 Set Pointers To Null Dangling pointers can lead to exploitable double free and access freed memory vulnerabilities A simple yet effective way to eliminate dangling pointers and avoid many memory related vulnerabilities is to set pointers to NULL after they have been freed Calling free on a NULL pointer results in no action being taken by free 7 90 1 Parameter Requirements No Parameter specifications 7 90 2 Implementation 7 90 3 Non Compliant Code Example In this example the type of a message is used to determine how to process the message itself It is assumed that message_type is an integer and message is a pointer to an array of characters that were allocated dynamically If message type equals value_1 the mes sage is processed accordingly A similar operation occurs when mes sage_type equals value_2 However if message_type value_1 eval uates to true and message_type v
5. 7 16 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Traversee the AST 2 If a cast expression casts away constness report an error 78 CHAPTER 7 LIST OF COMPASS CHECKERS 7 16 6 References ALE3D Style Guide section 14 4 7 17 SECURE CODING STRO5 A PREFER MAKING STRING LITERALS CONST QUALIFIED79 7 17 Secure Coding STRO5 A Prefer making string literals const qualified String literals are constant and should consequently be protected by the const qualification This recommendation supports rule STR30 C Do not attempt to modify string literals 7 17 1 Non Compliant Code Example In the following non compliant code the const keyword has been omitted 1 char c Hello 2 If a statement such as c 0 C were placed following the above declaration the code would likely still compile cleanly but the re sult of the assignment is undefined as string literals are considered constant 7 17 2 Compliant Solution 1 In this compliant solution the characters referred to by the pointer c are const qualified meaning that any attempts to assign them to different values is an error 1 char const c Hello 7 17 3 Compliant Solution 2 In cases where the string is meant to be modified use initialization instead of assignment In this compliant solution c is a modifi able char array whic
6. 84 CHAPTER 7 LIST OF COMPASS CHECKERS 7 19 Control Variable Test Against Function This checker detects if there exists a for loop that tests its control induction variable against a function One can get better perfor mance by pulling out the function call before the loop and use a constant value for the test That is for int i 0 i lt constSize i do something The code above can be improved as the following const int size constSize for int i 0 i lt size i do something 7 19 1 Parameter Requirements None 7 19 2 Implementation This checker uses a simple traversal For every for statement the checker examines whether or not there is a function call inside the test expression 7 19 3 Non Compliant Code Example int bar void foo int j 2 for int i 0 i lt bar Q j lt 10 i j t 2 7 19 4 Compliant Solution int bar void foo 7 19 CONTROL VARIABLE TEST AGAINST FUNCTION int j 2 for int i 0 i lt 10 i AO 7 19 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Check if a node is a for statement 2 Check if the test expression for the for statement contains a function call 7 19 6 References The Programming Research Group High Integrity C Coding Standard Manual Item 5 7 The control var
7. Summit 95 comp lang c FAQ list Question 2 8 72 CHAPTER 7 LIST OF COMPASS CHECKERS 7 13 Char Star For String This checker will report when STL strings are used 7 13 1 Parameter Requirements The checker does not take any parameters 7 13 2 Implementation The checker finds variables declarations function arguments and typedefs of string type The string type may be of pointer type ref erence type array type or it can be modified without any problems 7 13 3 Non Compliant Code Example tinclude lt string gt typedef std string string2 void bar std string arg1 3 int main std string fool std string foo2 std string foo4 4 a 7 13 4 Compliant Solution typedef char string2 void bar char arg1 3 int main char fool char foo2 char f004 4 Es 7 13 CHAR STAR FOR STRING 73 7 13 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Traverse the AST 2 If a variable declaration functions argument or typedef has a string base type report an error 7 13 6 References The ALE3D style guide section 16 2 states that C strings must be used instead of STL strings due to portability problems 74 CHAPTER 7 LIST OF COMPASS CHECKERS 7 14 Comma Operator The comma operator is commonly considered confusing without any redeeming value This checker makes sure
8. 2 Flag all function references named setjmp or longjmp as violations 3 Report all violations 7 21 6 References Bumgardner G Gray A and Misfeldt T The Elements of C Style Cambridge University Press 2004 89 90 CHAPTER 7 LIST OF COMPASS CHECKERS 7 22 Cycle Detection This checker is a graph based checker It determines if cycles are present in the crontrol flow graph 7 22 1 Parameter Requirements Parameters for the run must be provided e g is the analysis inter procedural This is work in progress 7 22 2 Implementation Within the traversal of the graph the run function of this checker is called This function takes the current and previous node as input Within the run function the algorithm checks the successors of the current node and determines if a node has been seen before during the graph traversal If so a possible cycle has been found To verify that a cycle exists we verify that a path from the successor to the current node exists 7 22 3 Non Compliant Code Example write your non compliant code example 7 22 4 Compliant Solution write your compliant code example 7 22 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Write your checker algorithm 7 22 6 References 7 23 PAPER CYCLOMATIC COMPLEXITY 91 7 23 Paper Cyclomatic Complexity This is a checker to dete
9. 7 82 Place Constant On The Lhs This checker detects a test clause whether or not it contains a con stant on the left hand side when comparing a varialbe and the con stant for equality By putting the constant on the left hand side the compiler can prevent programmers from making mistake to write I for gt 7 82 1 Parameter Requirements None 7 82 2 Implementation This checker is implemented with a simple traversal It traverses AST and finds a test clause If the test clause has a variable on its left hand side then then the checker report this clause to the standard output 7 82 3 Non Compliant Code Example void foo int a 0 if a 10 a is on the LHS while a 10 a is on the LHS while a 12 a is on the LHS for int i 0 i 0 i i is on the LHS 12 Pop 207 208 CHAPTER 7 LIST OF COMPASS CHECKERS 7 82 4 Compliant Solution void foo int a 0 if 1 a fine 7 82 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Check if the node visiting is an if statement 2 If yes find its test clause to see if it contains a constant on the left hand side 3 Check also if the if statement compares a variable and the con stant for equality 7 82 6 References The Programming Research Group High Integrity C Coding Standard Manual Item
10. This checker does not do alias analyzing In the case you use a reference of a variable in an inner scope and re use in the scope of declaration the checker will not see the use and propose to move the variable in the inner scope The effort for supporting the problem is very big and the result is to handle programs with weird behavior that should have been written differently 153 154 CHAPTER 7 LIST OF COMPASS CHECKERS 7 55 Lower Range Limit By always using inclusive lower limits and exclusive upper limits a whole class of off by one errors is eliminated Furthermore the following assumptions always apply 1 the size of the interval equals the difference of the two 2 the limits are equal if the interval is empty 3 the upper limit is never less than the lower limit Examples instead of saying x 23 and x 42 use x 23 and xj43 7 55 1 Parameter Requirements No parameters required 7 55 2 Implementation In a fairly straight forward implementation we search the strictly lower than operator 7 55 3 Non Compliant Code Example int x 5 if x lt 5 X write your non compliant code example 7 55 4 Compliant Solution int x 5 if x lt 4 X write your compliant code example 7 55 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 7 55 LOWER RANGE LIMIT 1 fin
11. d n c1 i c2 c1 i c3 return 0 7 37 4 Compliant Solution The compliant solution explicitly declares the char variables as unsigned 120 CHAPTER 7 LIST OF COMPASS CHECKERS include lt stdio h gt int main int n 200 char cl i unsigned char c2 n unsigned char c3 200 int i 1000 printf c c2 d nic c3 din c1 i c2 c1 i c3 return 0 7 37 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal visiting all SgAssignInitializer nodes 2 For each SgAssignInitializer node of type char if the rhs operand is either a cast expression with operand of type int or a negative character value then flag an error 3 Report any violations 7 37 6 References ning character types 7 38 EXPLICIT COPY 7 38 Explicit Copy This test detects missing copy constructors and operators In case the user wants to use the default ones then the class has to be anno tated with a special comment These comments should contain use default copy constructor or use default copy operator This checker enforces the rule 53 from H Sutter A Alexandrescu C Coding Standards Explicitly enable or disable copying 7 38 1 Parameter Requirements No parameter is required 7 38 2 Non Compliant Code Example class A ES 7 38 3 Compliant
12. 0 02 ee ee 43 6 11 Better choices 2 2 2 2 ee 43 6 12 Dangerous choices 2 o o ee 43 6 13 Performance EffectivenessS o e 44 6 14 Misc or Undocumentedl oo 44 7 List of Compass Checkers 7 3 Assignment Operator Check Self o 51 Se ne a ee ce aa a 53 errr 55 7 6 Bin Print Asm Functions aaa a 58 EEEE EEEE a 59 Ra esa de hs Hee A a ea N 60 baba gogo BL ee EE EE 61 Sie Meas eh A oat Se Bm aa een 62 7 11 No Reference Buffer Overflow Functions 7 12 Secure Coding EXP04 A Do not perform byte by byte com parisons between structures 7 13 Char Star For String 2 ee ee 68 7 14 Comma Operator 2 00002 eee ee eee 70 7 15 No Reference Computational Functions 71 7 16 Const Cast epai 4 te be PG a ee RA ee ee ee ae 73 7 17 Secure Coding STRO5 A Prefer making string literals const Sen oe ee RARA ee 75 ae eeu teen es 78 eee eee eb wae es 80 7 20 Copy Constructor Const Arg o 82 7 21 Cpp Calls Setjmp Longjmp 84 ee Ree dr e LD A ee Benen aca a 86 7 23 Paper Cyclomatic Complexity 87 7 24 Data Member Access 6 88 Zo Deep Nesting sie 2 4 4444 4 ee eee Se Se Ee ws 90 7 26 Default Case aaau ee 92 7 27 Default Constructor ee ee 94 7 28 Discard Assignment
13. 7 8 if fseek fptr OL SEEK SET 0 9 handle repositioning error 10 11 12 continue 13 7 85 3 Risk Assessment Using rewind makes it impossible to know whether the file posi tion indicator was actually set back to the beginning of the file If the call does fail the result may be incorrect program flow Rule Severity Likelihood Remediation Cost Priority Level FIOO7 A 1 low 1 unlikely 2 medium P2 L3 7 85 SECURE CODING FIO07 A PREFER FSEEK TO REWIND 213 Related Vulnerabilities Search for vulnerabilities resulting from the violation of this rule on the CERT website 7 85 4 References ISO IEC 9899 1999 TC2 Section 7 19 9 2 The fseek function 7 19 9 5 The rewind function 214 CHAPTER 7 LIST OF COMPASS CHECKERS 7 86 Prefer Setvbuf To Setbuf The functions setvbuf and setbuf are defined as follows void setbuf FILE restrict stream char restrict buf int setvbuf FILE restrict stream char restrict buf int mode size_t size setvbuf is equivalent to setbuf with IOFBF for mode and BUF SIZE for size if buf is not NULL or IONBF for mode if buf is NULL except that it returns a nonzero value if the request could not be honored For added error checking prefer using setvbuf over setbuf 7 86 1 Parameter Requirements No Parameter specifications 7 86 2 Implementation No implementation y
14. 7 3 6 References Abbreviated Code Inspection Checklist Section 12 1 3 Assignment Operator 7 4 ASSIGNMENT RETURN CONST THIS 57 7 4 Assignment Return Const This Here we check to make sure that all assignment operators opera tor return const classType amp By making the return a reference we can use a b c which is legal C By making the reference const we prevent a b c which is illegal C 7 4 1 Parameter Requirements No parameters necessary 7 4 2 Implementation Every member function is checked to see if the name matches oper ator If so we check to make sure the return type is const nameof class z All three const ref classname must be present We then make sure there is at least one explicit return of this and no ex plicit returns of anything else Note At this time we do not make sure that all paths must reach an explicit return This is however already a warning in ROSE when there is not an explicit return for a non void returning function There is also another checker to ensure explicit returns 7 4 3 Non Compliant Code Example class smallCat smallCat amp operator smallCat amp other smallCat amp smallCat operator smallCat other 7 4 4 Compliant Solution class smallCat const smallCat amp operator smallCat amp other const smallCat amp smallCat operator smallCat amp other 58 CHAPTER 7 LIST OF COMPASS CHECKERS 7 4 5 Mitigat
15. Duff s Device in its almost original form void send int to int from int count int n count 7 8 switch count 8 case 0 do tot x from case 7 tot from case 6 tot from case 5 tot fromtt case 4 tot from case 3 tott from case 2 tot from case 1 tot from while n gt 0 7 33 3 Compliant Solution An equivalent function without optimization void send2 int to int from int count for int i 0 i lt count i tot from 7 33 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 112 CHAPTER 7 LIST OF COMPASS CHECKERS 1 For each case or default statement examine the enclosing scopes smallest first i e go upward in the AST 2 If there is a loop statement that is closer than a switch state ment Duff s Device has been found emit a diagnostic 7 33 5 References Duff s Device ist mostly folklore but one reference in the litera ture is B Stroustrup The C Programming Language Third Edition Exercise 6 6 15 7 34 DYNAMIC CAST 113 7 34 Dynamic Cast The rule is that dynamic_cast should always be used when a down cast is needed ALE3D 14 5 Downcasting is a term for casting a pointer to a base class to a derived class and should only be done with extreme care Using dynamic_c
16. and the checker name 3 5 Including Excluding Checkers Dur ing Compass Execution This section describes how to execute a subset of the checkers pro vided in the build process see section 3 4p This process is sig nificantly more interactive than defining what checkers to include in the Compass build process Since it is not unheard of that rules implemented by different checkers can be mutually exclusive or even contradicting this mechanism is essential for selecting the subset of checkers that are interesting for a specific program that is checked Separate projects of developers could easily have their own RULE_SELECTION file to permit high levels of customization in the use of a Compass tool containing a large number of checkers e g for different languages 3 5 INCLUDING EXCLUDING CHECKERS DURING COMPASS EXECUTION29 one C svnrepos mycode compass GVIM e File Edit Tools Syntax Buffers Window Help PORS e RB FBO BP Be 20 89 W Documentation for prototype of foo int foo int y Documentation for foo int foo int y int x 0 x return x y xxx void foobar int x class X int Variable y does not seem to be used widely in that scope Try to move it to an inner scope 1 1 All Figure 3 9 Compass error messages integrated into Vim 7 30 CHAPTER 3 USING COMPASS When used with the Emacs interface this provides a simple way to turn on and off specific checkers by editi
17. atol and atoll functions and Section 7 19 6 7 The sscanf function 7 47 FRIEND DECLARATION MODIFIER 139 7 47 Friend Declaration Modifier The Elements of C Style item 96 states that Friend declarations are often indicative of poor design be cause they bypass access restrictions and hide dependen cies between classes and functions 7 47 1 Parameter Requirements This checker takes no parameters and inputs source file 7 47 2 Implementation This pattern is checked with a simple AST traversal that seeks dec laration statements and determines if any use the friend modifier keyword Any declaration statements found with the friend mod ifier are flagged as violations 7 47 3 Non Compliant Code Example This non compliant example uses friend to access private data class Class int privateData friend int foo Class amp c public Class privateData 0 class Class int foo Class amp c return c privateData 1 foo Class amp c 7 47 4 Compliant Solution The compliant solution simply uses an accessor function instead class Class int privateData public Class privateData 0 140 CHAPTER 7 LIST OF COMPASS CHECKERS int getPrivateData return privateData class Class int foo Class c return c getPrivateData 1 foo Class amp c 7 47 5 Mitigation Strategies Static Analysis Compliance with this ru
18. lock Even if you can guarantee that every processor will call exit collectively this can leave some parallel envi ronments in a hung state because MPI resources are not properly cleaned up 7 63 1 Parameter Requirements This checker takes no parameters and inputs source file 7 63 2 Implementation This pattern is checked using a simple AST traversal seeking function reference expressions These function reference expressions match ing a call to the exit function between blocks of MPI code as de limited between MPI Init and MPI Finalize are flagged as checker violations 7 63 3 Non Compliant Code Example This trivial non compliant code calls exit from an MPI block include lt stdlib h gt include mpi h int main int argc char argv MPI_Init amp arge kargv exit 1 MPI_Finalize return 0 mainO 7 63 4 Compliant Solution The compliant solution uses MPI_Abort instead include lt stdlib h gt include mpi h int main int argc char argv 7 63 NO EXIT IN MPI CODE 169 MPI_Init amp arge amp argv MPI_Abort MPI_COMM_WORLD 1 MPI_Finalize return 0 mainO 7 63 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform a simple AST traversal of nodes that occur between MPI_Init and MPI_Finalize blocks 2 For each node between MPI bloc
19. C No Vfork oaoa a 180 7 76 Nonmember Function Interface Namespace 190 AE 192 a A A AA A 196 dr dr E 198 7 80 Operator Overloading 200 7 81 Other Argument o 202 7 82 Place Constant On The DOS o 203 pdas pu AD ee eee as a 205 7 84 Prefer Algorithms o o 7 85 Secure Coding FIOO7 A Prefer fseek to rewind 7 86 Prefer Setvbuf To Setbull 6 CONTENTS 7 87 Protect Virtual Methods 0 0 000004 212 T88 Push Backs 44 44 4080 2 66 be Bode eR EERE OH 214 7 89 Right Shift Mask 2020202004 217 7 90 Set Pointers To Nulll 219 PS 221 7 92 Size Of Pointer 2 a 223 7 93 Secure Coding INTO06 A Use strtol to convert a string token Mer eee ee eae ee ee ee ee 225 ee ee ee 228 Pan Med Ge oh Gabon ae eos ee a ene 230 Poe bdo ee ee eG od aK 232 gs ode ta oh IK oS Be OE BC dee te eyeing ee eZ 234 aida a oe ies ats 235 7 99 Upper Range Limit o 237 EE 239 CIOL Void Stan o seee a a a AA ad 241 243 8 1 Design And Extensibility of Compass Detectors 243 CONTENTS 7 Acknowledgments This tool is the product of the entire ROSE team Compass depends upon the ROSE open compiler infrastructure and is a simple application of mechanisms in ROSE whi
20. High Integrity C Coding Standard Manual Item 5 6 Do not alter a control variable more than once in a for do or while statement 148 CHAPTER 7 LIST OF COMPASS CHECKERS 7 52 Internal Data Sharing Classes should usually not return handles to internal data from methods A handle in this sense is a non const reference to a mem ber or copy of a pointer member as the caller could change internal state through such an object This checker reports such cases One possible exception to this rule are overloaded operators which often return such handles so they can be combined with other opera tors to bigger expressions and this checker provides a parameter to define whether operators should be allowed to return internals 7 52 1 Parameter Requirements The bool flag InternalDataSharing operatorsExcepted states whether overloaded operators are excepted from this checker s rules i e whether they are allowed to return internal data 7 52 2 Non Compliant Code Example class A public not OK returning non const pointer member int retptr return p not OK returning non const reference to data pointed to by member int amp retref return p not OK returning non const reference to member int kretptrref return p private int p 3 7 52 3 Compliant Solution class B public OK returning copy of pointed to data int retint return p OK const ptr const int
21. Solution class A 4 public A const A amp other 4 Ag operator const Ag other return this 7 38 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For all class definitions try to find a copy constructor and a copy operator or user comments describing that the class should use the default ones 7 38 5 References Alexandrescu A and Sutter H C Coding Standards 101 Rules Guidelines and Best Practices Addison Wesley 2005 121 122 CHAPTER 7 LIST OF COMPASS CHECKERS 7 39 Explicit Test For Non Boolean Value This test examines all the test statements whether there is a state ment that calls a function call returning a non boolean value and that does not compare the return value to an explicit value For example if a function foo returns an integer value and the func tion is used in a conditional statement such as if while do while for or the first operand of operator the boolean expressions in the conditional statement should always use an explicit test of equality or non equality Therefore the following code can pass this checker if foo 0 do something whereas if foo do something will be caught by this checker because foo returns an integer non boolean value 7 39 1 Parameter Requirements None 7 39 2 Implementation This pat
22. allowed line length in charac HE LOC perFunction checker LOC_perFunction checker Tests approximately for functions which lines are larger than a specified length limit Parameters LOC_perFunction maximumLOCLength integer Maximum allowed lines per function LE mPiBuffertypechecker MPI buffer type checker Tests approximately for cases in which the caller specified buffer element type in an MPI call does not match the element type of the buffer Parameters MPIBufferTypeChecker apiDes HE Multiple Cases on the Same Line checker Switch Case Checker Tests Switch Case Statements that have multiple cases on the same line HE No Goto No Goto Detect use of goto LE static constructor initialization detector_Static constructor initialization detector Tests for where static preinitialization error can effect portability of code g Compass Results View x Action1 Action 2 ral Wee i target add clear broadcast cache cache go to lookup zoom zoom 1 faint x 2 Checker Results Name _ H a oe x const cast checker s If p Default Case Checker 6 LO home dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTe d 8 class Duff s Device detector 9 class Lellipsis Detector 10 class Explicit Copy 11 class LO mome dquinlan ROSE ROSE_CVS ROSE projects compassitests exampleTes 12 class Function declaration prototype checker 13 class mome dquinlanROSE ROSE_CVS ROSE projects compass tests exampleTes 14 class X O home dquinl
23. analysis checkers using the following algorithm 1 For each assignment geneate a diagnostic if its parent is not an expression statement 2 For each assignment that has an expression statement as its parent generate a diagnostic if that expression statement is the controlling expression statement of a loop if or switch 7 28 DISCARD ASSIGNMENT 101 7 28 5 References A reference to this pattern is The Programming Research Group High Integrity C Coding Standard Manual Item 10 5 Al ways discard the result of an assignment operator 102 CHAPTER 7 LIST OF COMPASS CHECKERS 7 29 Do Not Assign Pointer To Fixed Address This checker attempts to detect violations of MITRE s Common Weakness Enumeration CWE 587 Assignment of a Fixed Ad dress to a Pointer Pointer initializations of and assignments to constant values are detected The goals of preventing this weakness are to avoid insecure and or non portable code that makes unsafe assumptions about memory layout such as locations of functions 7 29 1 Parameter Requirements There are no parameter requirements 7 29 2 Implementation The checker traverses the AST in prefix order checking assignments and initializations in which the left hand side is a pointer or array of pointers and the right hand side is a non zero constant or an array containing at least one such constant Not all cases are caught for example the following violation wou
24. analysis checkers using the following algorithm 1 Travese the AST 2 For each call to the member function we are interested in make sure field name is equal to the string provided as an argument 7 100 6 References 7 101 VOID STAR 245 7 101 Void Star This checker enforces the guideline of section 87 of the Elements of C Style Misfeldt and al 2004 No public method should be using void type for arguments or return type If needed it can be wrapped 7 101 1 Parameter Requirements There is not parameter requirement 7 101 2 Non Compliant Code Example class A public const void getData 7 101 3 Compliant Solution class A public const Data getData 7 101 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each public member function declaration check all argu ment types and the return type are not voids 7 101 5 References Bumgardner G Gray A and Misfeldt T The Elements of C Style Cambridge University Press 2004 246 CHAPTER 7 LIST OF COMPASS CHECKERS Chapter 8 Appendix 8 1 Design And Extensibility of Com pass Detectors The design of the detectors is intended to be simple and with little required to be specified to build individual detectors Of course some detectors may be non trivial e g null pointer analysis buffer overflow detectors etc not yet provi
25. are not treated as if they were non associative 7 72 1 Parameter Requirements This checker takes no parameters and inputs source file 7 72 2 Implementation This pattern is checked using a nested AST traversal on the parent nodes of the operand of a binary operator expression Any such par ent node that treats relational binary operators as non associative will use more than one binary relational operator Flag these ex pressions as violations 7 72 3 Non Compliant Code Example include lt stdio h gt int main int a 2 int b 2 int c 2 if a lt b lt c condition 1 misleading likely bug printf a lt b lt c n if a b c condition 2 misleading likely bug printf a b c n return 0 7 72 NON ASSOCIATIVE RELATIONAL OPERATORS 187 7 72 4 Compliant Solution include lt stdio h gt int main af int a 2 int b 2 int c 2 if a lt b amp amp b lt c clearer and probably what was intended printf a lt b amp amp b lt c n if a b amp amp a c ditto printf a b amp amp a c n return 0 7 72 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal and locate SgBinaryOp nodes 2 At each SgBinaryOp node perform a nested traversal of the operands parent node and count the number
26. can be checked using structural static analysis checkers using the following algorithm 1 Identifies switch statement 2 Reads all statements in it s basic block searching for default 3 if none found notify message 7 26 6 References Abbreviated Code Inspection Checklist Section 11 2 2 Branching 98 CHAPTER 7 LIST OF COMPASS CHECKERS 7 27 Default Constructor The Elements of C Style item 97 states that Declare a default constructor for every class you create Although some compilers may be able to automatically generate a more efficient implementation in some situ ations choose an explicit default constructor for added clarity 7 27 1 Parameter Requirements This checker takes no parameters and inputs source file 7 27 2 Implementation This pattern is checked using a simple AST traversal that seeks out instances of SgClassDefinition The children of these instances are stored in a successor container and looped over to find a default constructor If no such default constructor exists then a violation is flagged 7 27 3 Non Compliant Code Example The following trivial example does not declare a default constructor class Class public Class O class Class 7 27 4 Compliant Solution The compliant solution simply adds a default constructor to the class definition class Class public Class O 17 Class O class bad 7 27 DEFAULT CONSTRUCTOR 7 27 5 Mitigation Strat
27. features of Vim 7 as documented at http vimdoc sourceforge net htmldoc quickfix html Some frequently used commands are Specifying the compass plugin to use by typing a command compiler compass Open your source code using gvim and set the compiler to Compass by Compile you code using compassMain type make Display current message type cc Display all messages type clist Jump to next message type cnext Figure 3 9 shows an example of Compass error messages integrated into Vim 7 3 4 Including Excluding Checkers in the Compass Build Process This section describes how to select which of the checkers to integrate into Compass out of all the checkers available in source form in the Compass source directory For security reasons Compass uses this static build process since it is a central goal of Compass that it should run as a trusted part of a project s build process If the integration of checkers had been automatic through a dynamic plugin mechanism it would be hard to ensure that the dynamic list of checkers was secure but for a static list of trusted checkers this is possible The file ROSE SOURCE_DIR projects compass tools compass CHECKER_LIST is used to control which checkers are selected to be compiled into compassMain It can use the comment delimiter at the begin ning of any checker name to remove that checker from compilation 28 CHAPTER 3 USING COMPASS Vim compiler file Com
28. int u return u 7 97 3 Compliant Solution int f_compliant int n return n 7 97 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Check the type of the operand of any unary minus expression emit a diagnostic if it is an unsigned integer type 7 97 5 References A reference for this rule is The Programming Research Group High Integrity C Coding Standard Manual Item 10 21 Ap ply unary minus to operands of signed type only 7 98 UNINITIALIZED DEFINITION 7 98 Uninitialized Definition This test ensures that all variables are initialized at their point of definition The detector will report all variable declarations without initializer expressions except for some special cases e Variables declared extern Such declarations refer to variables defined elsewhere initializers are therefore not required at this point e Variables declared static These variables are automatically ini tialized to 0 of the appropriate type if no explicit initializer is present e Class member variables The class constructor is responsible for initializing such variables e Variables of class type Class objects are default initialized if no explicit initializer expression is present e Variables declared at file global scope File scope declara tions are implicitly static they can be chan
29. is a threat that any secure software will have modification of filesystem A checker should be side effect free or have only well de fined side effects but a malicious checker could modify or erase parts of the accessible file system e g deleting whole directory structures e Malicious Compass Since Compass is built from ROSE it is possible to modify compass or any checker to generate source code that could be compiled to replace the existing executable there are some constraints here or regenerate the source code to replace the existing source code or perhaps just provide an alternative copy of the source code This indirect transformation of the input code is a threat e Source Code Replacement It should not be possible for users to exchange the source code of checkers within a running system i e Compass cannot im plement dynamic loading of checkers Such a feature would compromise its safety e Binary Replacement Another threat is the replacement of a valid Compass checker with a modified malicious version within a binary release of Compass Therefore Compass should be aware if parts of itself were modified and should not execute 2 5 2 Mitigation of Threats Compass is designed to be safe The Compass Verifier is a stable separate copy of Compass that contains only a few checkers to check external and internal user delivered checkers for safety We have hopefully designed Compass in a way that it addresses the
30. listed in TOOLBUILD CHECKER_LIST_WITHOUT_COMMENTS The individual rule labels for verify are generated in verify makefile identically to those lower case names found in TOOLBUILD CHECKER_LIST_WITHOUT_COMMENTS Each rule logs the standard output and error to files suffixed _out txt and err txt respectively and the measure of a 41 42 CHAPTER 5 USING COMPASS VERIFIER passing checker is an empty standard error log file Concur rency may be used with j option to GNU Make to reduce the time to complete verify e new_allow_list regenerates the parameter file projects compass extensions checkers allowedFunctions compass_parameters in the source tree used as the allowed functions list in Compass Verifier The present list assumes that all sources found in the present source tree of Compass are trusted in their use of function calls and whatever functions are referenced are allowed Sources processed by Compass Verifier to build the list of allowed functions consist of compass C compassTest Main C buildCheckers C and the concatenation of checker sources identical to that of oneBigVerify Please see the documentation for allowedFunctions 7 2 for the details of how the new list of allowed functions is created and maintained Not implemented we plan to limit the recursion of function references to exclude those functions called by calls to library functions This should greatly reduce the number of allowed functions such that
31. number of seconds from the second parameter until the first parameter and returns the result as a double include lt time h gt int do_work int seconds_to_work time_t start time_t current start time NULL current start if start time_t 1 Handle error while difftime current start lt seconds_to_work 4 current time NULL if current time_t 1 Handle error do_some_work return 0 7 96 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal on all binary operation nodes 2 For each binary operation node if node is arithmetic expression then determine the type of its left and right hand side operands 3 If either the left or right hand side is type time_t then flag violation 4 Report any violations 7 96 6 References Secure Coding MSCO5 A Do not manipulate time_t typed values 238 CHAPTER 7 LIST OF COMPASS CHECKERS 7 97 Unary Minus The unary minus operator should only be used with signed types as its use with unsigned types will never result in a negative value This checker reports any uses of the built in unary minus operator on an unsigned type 7 97 1 Parameter Requirements This checker does not require any parameters 7 97 2 Non Compliant Code Example unsigned int f_noncompliant unsigned
32. of interest and display the source location of each violation As a user convenience the interface will either display the violating source region in a text editor or a non editable display window The Compass GUI is located in the projects compass tools com pass gui directory of the ROSE distribution The Compass GUI is build as part of the standard Compass build when ROSE is con figured with qt4 In order to enable simple compilation of whole projects using one button clicks in the Compass GUI ROSE must be configured with sqlite3 as well 4 1 Running Compass GUI on a Single File Before running the Compass GUI on a single file the files listed in must be available and the environment variable COM PASS_PARAMETERS must specify which compass_paramaters file to use CompassGUI can then be invoked as a normal compiler like e g compassMainGui o ex1 ex1 C If it is not desirable to export the COMPASS PARAMETERS variable a shorthand is env COMPASS_PARAMETERS location of compass_pramateres 37 compassMainGui o ex1 ex1 C 38 CHAPTER 4 USING COMPASS GUI 4 2 Running Compass GUI on an Auto tools Project A goal of this section is to show how to run the compass checkers on a whole project like e g ROSE using a one button click in the Compass GUI and present an easy interface for exploring the viola tions as found during the build This interface is currently limited to sequentially building the project and it
33. of relational binary operators used 3 If said count is greater than one then flag error 4 Report all errors 7 72 6 References EXPO9 A Treat relational and equality operators as if they were 188 CHAPTER 7 LIST OF COMPASS CHECKERS 7 73 Non Standard Type Ref Args Per the Abbreviated C Code Inspection Checklist While it is cheaper to pass ints longs and such by value passing objects this way incurs significant expense due to the construction of tempo rary objects The problem becomes more severe when inheritance is involved Simulate pass by value by passing const references 7 73 1 Parameter Requirements No parameters necessary 7 73 2 Implementation The arguments to all functions are checked for base type in the declaration If the base type is found to be a struct or a class it is then checked to ensure it is a reference If it is not a notification is raised 7 73 3 Non Compliant Code Example class incrediblyComplex private loads of members bool justLooking incrediblyComplex fullCopy return amp fullCopy 7 73 4 Compliant Solution class incrediblyComplex private loads of members bool justLooking incrediblyComplex amp fullCopy return amp fullCopy 7 73 NON STANDARD TYPE REF ARGS 189 7 73 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following a
34. public SomeClass void doSomething void destroy dele sete void SomeClass destroy delete this Dangerous SomeClass sc new SomeClass haere sc gt destroy ll sc gt soSomething Undefined behavior 7 31 4 Compliant Solution class SomeClass public SomeClass void doSomething i ee SomeClass 108 CHAPTER 7 LIST OF COMPASS CHECKERS SomeClass sc new SomeClass Fh eas delete sc 7 31 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal visiting all delete expression nodes 2 For each delete expression node check its argument node to be this expression if so flag violation 3 Report any violations 7 31 6 References DAN32 C Do not delete this 7 32 DO NOT USE C STYLE CASTS 109 7 32 Do Not Use C style Casts C allows C style casts although it has introduced its own casts static_cast lt type gt expression e const_cast lt type gt expression e dynamic_cast lt type gt expression e reinterpret_cast lt type gt expression C casts allow for more compiler checking and are easier to find in source code either by tools or by human readers 7 32 1 Parameter Requirements No Parameter specifications 7 32 2 Implementation 7 32 3 Non Compliant Code Example In this example a C style cast is us
35. simple cleanup flymake get real defun flymake master make header init flymake master make init flymake get include dirs NCAA AVA t t include t E word 0 9 _ s add hook find file hook flymake find file hook setq flymake log level 3 setq flymake no changes timeout 0 5 defcustom rose source tree home dquinlan ROSE NEW_ROSE Location of top of ROSE source tree defcustom rose build tree home dquinlan ROSE ROSE_CompileTree LINUX 64bit 3 4 6 Location of top of ROSE build tree defun add buildfile dir for rose let source dir name file name directory buffer file name message S source dir source dir name if string equal rose source tree substring source dir name O length rose source tree string equal rose source tree substring source dir name 0 min length source dir name length rose source tree let buildfile dir concat ode dedo dodo dodo dodo dodo dede do rose build tree subs message 4S buildfile dir buildfile dir set variable flymake buildfile dirs cons buildfile dir flymake buildfile dirs local set variable flymake buildfile dirs append mapcar lambda dir concat buildfile dir dir flymake buil progn message 4S bad prefix source dir name defun set rose source dir dir Set the top of the ROSE source tree to use with Flymake interactive DThe top of the R setq ros
36. threats mentioned above e Malicious User Initially we permit only trusted individuals to add new checkers to Compass Once the verification process is matured we will extend this policy to allow less trusted users to contribute to 2 5 COMPASS VERIFIER 17 Compass A goal will be to allow arbitrary users to contribute checkers however a review of the whole Compass design and the Compass Verifier especially will be required to define re quired trust levels for user developers who implement checkers FIXME We might define bam trusted and untrusted checkers as e Malicious Checker a way to have checkers from To prevent Compass from executing malicious code the Com arbitrary users but mark them pass Verifier executes its own checkers on any user defined as untrusted checker that is being considered to be added to Compass Cur rently the Compass Verifier contains three checkers fileReadOnlyAccess ensures that a user defined checker per forms no write or execute operations on files allowedFunctions is a white list of function calls permitted in a checker This list contains functions that are trusted and hence considered safe when integrated to Compass FIXME This is not yet 7 impl ted hite list and noAsmStmtsOps searches for assembly instructions in a ee eee is instead currently a black list checker and flags and reports all cases as unsafe called forbiddenFunctions To avoid modifications o
37. type vector lt T gt where L variable of type list lt T gt where Lp variable of type list lt T gt x where S variable of type slist lt T gt where Sp variable of type slist lt T gt x where D variable of type deque lt T gt where Dp variable of type deque lt T gt where Value expression of type T the check will look for these patterns in the source code V resize V size 1 Value Vp gt resize Vp gt size 1 Value D resize D size 1 Value Dp gt resize Dp gt size 1 Value L resize L size 1 Value Lp gt resize Lp gt size 1 Value V resize 1 V size Value Vp gt resize 1 Vp gt size Value D resize 1 D size Value Dp gt resize 1 Dp gt size Value L resize 1 L size Value Lp gt resize 1 Lp gt size Value V insert V end Value Vp gt insert Vp gt end Value D insert D end Value Dp gt insert Dp gt end Value L insert L end Value Lp gt insert Lp gt end Value S insert S begin Value Sp gt insert Sp gt begin Value D insert D begin Value Dp gt insert Dp gt begin Value L insert L begin Value D L 220 CHAPTER 7 LIST OF COMPASS CHECKERS Lp gt insert Lp gt begin Value For all resize and back insert patterns push_back could be used For front insert patterns push_front could be used instead 7 88 6 References Alexandrescu A and Sutter H C Coding Standards 101 Rules Guid
38. undefined behavior the operator amp should not be overloaded 7 65 1 Parameter Requirements No Parameters Required 7 65 2 Implementation We check any member function then compare the name to opera tor amp If this combination is found an alert is raised 7 65 3 Non Compliant Code Example class peanutButter string name void operator amp name amp jelly 7 65 4 Compliant Solution class peanutButter string name void addJelly name amp jelly 7 65 NO OVERLOAD AMPERSAND 173 7 65 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Find member function 2 Check name 3 raise alert 7 65 6 References ISO IEC 9899 1999 TC2 ISO IEC 14882 2003 Section 5 3 1 Unary operators Lockheed Martin 05 AV Rule 159 Operators amp amp and unary amp shall not be overloaded 174 CHAPTER 7 LIST OF COMPASS CHECKERS 7 66 CERT MSC30 C No Rand CERT Secure Coding MSC30 C states The C Standard function rand available in stdlib h does not have good random number properties The num bers generated by rand have a comparatively short cy cle and the numbers may be predictable To achieve the best random numbers possible an implementation specific function needs to be used 7 66 1 Parameter Requirements This checker takes no parameter
39. 10 6 When comparing variables and con stants for equality always place place the constnat on the left hand side 7 83 POINTER COMPARISON 209 7 83 Pointer Comparison This checker tries to find comparison operations involving pointers These comparison results are determined by the memory locations of the objects pointed to in the program s address space Using is usually safe But using lt lt gt and gt is error prone given the uncertainty of memory locations of objects across executions and platforms 7 83 1 Parameter Requirements There is not parameter requirement 7 83 2 Implementation The checker finds relational operators such as lt lt gt and gt and sends out warnings if at least one of their operands is of pointer types 7 83 3 Non Compliant Code Example Here is the original code piece which inspired this checker It assumes in the ROSE AST a parent scope node resides in a memory location of smaller address compared to the address of its descendent scope node This assumption is wrong given the difference of memory management across platforms or even executions A right solution is to walk the AST tree to find out their relationship SgScopeStatement scopel scope2 TE esis if scopel lt scope2 else 7 83 4 References No reference 210 CHAPTER 7 LIST OF COMPASS CHECKERS 7 84 Prefer Algorithms Many people consider hand written loops over STL containers infe ri
40. 2 void pass int x x x 5 5 7 53 3 Parameter Requirements LocPerFunction Size defines the max value for a permissive LOC 7 53 4 Implementation The simple implementation of this checker is defined below if isSgFunctionDeclaration sgNode SgFunctionDeclaration funcDecl isSgFunctionDeclaration sgNode SgFunctionDefinition funcDef funcDecl gt get_definition if funcDef Sg_File_Info start funcDef gt get_body gt get_start0fConstruct Sg_File_Info end funcDef gt get_body gt get_end0fConstruct ROSE_ASSERT start ROSE_ASSERT end int lineS start gt get_line int lineE end gt get_line loc_actual lineE lineS if loc_actual gt loc output gt addO0utput new CheckerOutput funcDef 7 53 NO REFERENCE LOC PER FUNCTION 7 53 5 References 151 152 CHAPTER 7 LIST OF COMPASS CHECKERS 7 54 Localized Variables This checker looks for variable declarations and try to determine if the first use is far from the declaration There can be two ways where the use is far Either it is used only in an inner scope Then the declaration can be moved in that scope Or the it is used not directly after the block of declaration the variables is from Then the declaration should be moved down This checker try to check for item 18 of C Coding Standards Sutter and al 2005 7 54 1 Parameter Requirements No parameter is needed 7 54 2 Non Comp
41. Base lt lt realize gt gt getNodeQ void getCheckerNamed void l l 1 l l QRoseQutputObject Global lt lt interface gt gt ddOutputQ void A a tung void acdUurpud wo buildCheckers script O void visi void maint void Figure 2 3 Compass Design For simplicity it runs in two modes fast for checking specific named checker source files and slow for testing all checker source files 2 5 1 Threats In order to define a complete design for security we outline the threats that understand to be relevant The main threats to the validity of Compass checkers are e Malicious User A malicious user is an external user of Compass contributing a checker that performs malicious behavior e Malicious Checker Compass is extensible and new checkers can be added externally users outside the main development group A checker can be 16 CHAPTER 2 DESIGN AND VERIFICATION programmed arbitrarily using the C C and assembly pro gramming languages It is therefore possible for a skilled pro grammer to hide malicious operations within a checker Com pass must prevent checkers with malicious behavior to be part of the Compass system Threats are exfiltration A checker should act in a secure way with the input files it is given Securing the inputs to Compass e g the inputs to each checker from exfiltation is a first priority Allowing a checker to scan the host machine to exfiltrate arbitrary data this
42. Compass Detector admin submit checker user Figure 2 1 Compass Use Case 2 2 Trust Model By design we make a few assumptions about the use of Compass in order to define a secure tool We assume 1 For now there is an assumption of trust in the person writing the checker We use the Compass Verifier as a way to double check the checkers so that we can eventually weaken the level of trust assumed for people writing checkers However the design of the Compass Verifier is not likely to ever be robust enough to guarantee an automated proof of security for each checker Thus we also assume that someone trusted will also review the checker not implemented We expect that a digital signature using a key mechanism is possible to associate a trusted re viewer with a review of the checker together with a strong hash function that digitally signs the checker source code 2 Since running Compass Verifier is an optional part of build ing the Compass executable the person running these test is trusted There are two ways to run the Compass Verifier see section 3 7 for details e Slow once on each checker make verify This mecha nism tests all the files one checker at a time and thus can not miss a file Note that even the counter examples are tests which can be a problem when the counter example for the checker is detected as a violation for Compass Verifier 2 3 ARCHITECTURE 13 Counter examples for checkers ha
43. Compass User Manual A Tool for Source Code Checking A ROSE Tool Draft User Manual Associated with ROSE Version 0 9 5a ROSE Team Lawrence Livermore National Laboratory Livermore CA 94550 925 423 2668 office 925 422 6278 fax dquinlan llnl gov Project Web Page http www rosecompiler org UCRL Number for ROSE User Manual UCRL SM 210137 DRAFT UCRL Number for ROSE Tutorial UCRL SM 210032 DRAFT UCRL Number for ROSE Source Code UCRL CODE 155962 ROSE User Manual pdf ROSE Tutorial pdf ROSE HTML Reference html only July 8 2013 Contents 1 Introduction LI Overview c ia eee Gl a Ee eB we eee A 2 Design and Verification 2 1 Usage Model cos s a ma 244 ROR oe Ee OE HE BS 22 Trast Modele acacia ane ata a BOR amp oo DSS dd en 2 3 Architecturel 2 5 Compass Verifier 2 6 Future Work 3 Using Compass 31 Installation gt ae aces bees eb beeen ddetead ceeaa 3 2 Running Compass O da a a e 3 9 How To Write A New Checker 3 10 Extending the Compass Infrastructure 4 Using Compass GUI 4 1 Running Compass GUI on a Single File 4 2 Running Compass GUI on an Autotools Project 5 Using Compass Verifier 6 Categories of Compass Checkers 6 1 Common Styles 6 6 Security 6 7 Portability 6 8 Clarity 4 CONTENTS 6 9 Complexity lt lt sia a oo we ob SS a ae aa 42 6 10 Consistency
44. DEREFERENCE 199 7 77 6 Implementation We use a dataflow analysis to determine null dereference The dataflow analysis is based on an breadth first search bfs algorithm implemented in BOOST The implementation does a bfs backwards traversal for each a SgArrowExp b SgPointerDerefExp c SgAssignInitializer d SgFunctionCallExp free The above are the points that need to be validated by the algo rithm At each such point the program might be invalid due to NULL pointer dereferences Therefore the variable at that point must be determined and the programmed is tracked back dataflow If at any point an assertion is found the analysis is aborted for that run i e no null pointer dereference is present 7 77 7 References EXP33C Do not reference uninitialized variables EXP34C Ensure a pointer is valid before dereferencing it 200 CHAPTER 7 LIST OF COMPASS CHECKERS 7 78 Omp Private Lock This is a simple checker to detect a common OpenMP programming mistake of using a private lock within a parallel region It was mo tivated by an example mentioned by a seminar about Intel s Thread Checker which uses a more expensive runtime approach to catch the same error 7 78 1 Parameter Requirements There is no parameter specifications 7 78 2 Implementation The AST must use dedicated OpenMP nodes such as SgOmp ParallelStatement etc to represent an input OpenMP program via rose openmp rose openmp a
45. Error Condition free list return 1 return 0 void process_list size_t number char list malloc number if list NULL Handle Allocation Error if verify_size list number 1 Handle Error Continue Processing list free list 7 1 4 Compliant Solution To correct this problem the logic in the error handling code in ver ify_list should be changed so that it no longer frees list This change ensures that list is freed only once in process_list write your compliant code example int verify_size char list size_t list_size if size lt MIN_SIZE_ALLOWED Handle Error Condition return 1 return 0 void process_list size_t number char list malloc number if list NULL 52 CHAPTER 7 LIST OF COMPASS CHECKERS Handle Allocation Error if verify_size list number 1 Handle Error Continue Processing list free list 7 1 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Write your checker algorithm 7 1 6 References ISO IEC9899 1999 MEMO00 A Allocate and free memory in the same module at the same level of abstraction 7 2 ALLOWED FUNCTIONS 7 2 Allowed Functions The validation of code properties often requires the detection of cer tain functions used In so
46. F COMPASS CHECKERS 2 For each enum declaration node visit its parents checking them to be either namespace declarations or class declarations If no class or namespace declaration parent node is found then flag violation 3 Report any violations 7 36 6 References Bumgardner G Gray A and Misfeldt T The Elements of C Style Cambridge University Press 2004 7 37 CERT DCL04 A EXPLICIT CHAR SIGN 119 7 37 CERT DCLO4 A Explicit Char Sign CERT Secure Coding INT07 A states The three types char signed char and unsigned char are collectively called the character types Compilers have the latitude to define char to have the same range representation and behavior as either signed char or unsigned char Irrespective of the choice made char is a separate type from the other two and is not compatible with either 7 37 1 Parameter Requirements This checker takes no parameters and inputs source file 7 37 2 Implementation This pattern is checked using a simple AST traversal visiting all SgAssignInitializer nodes If the SgAssignInitializer node is of type char and the operand of the node is a SgCastExp of type int or is a SgCharVal whose value is negative then flag an error 7 37 3 Non Compliant Code Example This non compliant example declares a simple char type variable include lt stdio h gt int main int n 200 char c1 i char c2 n char c3 200 int i 1000 printf c c2 d nhc c3
47. HECKERS 7 42 Floating Point Exact Comparison This checker detects a test clause that compares a variable to a floating point value The rationale for this checker is floating point representations are platform dependent so it is necessary to avoid exact comparisons 7 42 1 Parameter Requirements None 7 42 2 Implementation This checker is implemented with a simple AST traversal It tra verses AST and finds a test clause If the test clause has a double value on either left hand side or right hand side and if the opera tor used for the test is or then the checker reports this clause 7 42 3 Non Compliant Code Example void foo double f if f float 3 f 1 234 while f 1 23456 f 0 00001 do f 0 000001 while f 1 234567 for f 1 234567 f 1 2345678 f 0 0000001 int i f 1 7 42 4 Compliant Solution bool double_equal const double a const double b 7 42 FLOATING POINT EXACT COMPARISON 129 const bool equal fabs a b lt numeric_limits lt double gt epsilon return equal void foo double f if double_equal f 3 142 do something 7 42 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Check if a node is a test clause 2 Check further if the clause has a double value
48. KERS 6 2 C styles e allocateAndFreeMemoryInTheSameModule malloc free in a same piece of code to avoid mismatch e discardAssignment assignment operator should be used as a stand alone expression statement e setPointersToNull Always set pointers to NULL after they have been freed by free 6 3 C styles e assignmentOperatorCheckSelf check self assignment in assign ment operator e assignmentReturnConstThis operator return type e booleanIsHas functions returning boolean should have names like isXXX or hasXXX e constCast should never cast the constness away e constructorDestructorCallsVirtualFunction Don t direct ly indirectly call virtual functions from constructors or destruc tors pure virtual function become undefined behaviors e copyConstructorConstArg copy constructors should use const reference as an argument e cppCallsSetjmpLongjmp should not use C style setjmp and long jmp in C code e dataMemberAccess Good classes should not have both public and non public data members e defaultConstructor Each class should have a user defined de fault constructor e doNotUseCstyleCasts Do not use C style casts in C code e dynamicCast Downcast should be done using a dynamic cast e enumDeclarationNamespaceClassScope enum types should be declared within a class or namespace e explicitCopy A class should have a user defined copy construc tor and a copy operator unless annotated to use def
49. OF COMPASS CHECKERS 7 45 For Loop Cpp Index Variable Dec laration ALE3D Coding Standards amp Style Guide Item 6 2 states that C loop index variables should be declared in the loop statement Declaration of a loop index variable in the first clause of the for statement ensures that its scope is limited to the loop body 7 45 1 Parameter Requirements This checker takes no parameters and inputs source file 7 45 2 Implementation This pattern is checked using a simple AST traversal that seeks SgForInitStatements that have NULL declaration statements These nodes are flagged as violations 7 45 3 Non Compliant Code Example This non compliant code declares the loop control variable outside the loop statement int main int i 0 for i 0 i lt 100 i return 0 mainO 7 45 4 Compliant Solution The compliant solution declares the index variable inside the loop statement int main for int i 0 i lt 100 i return 0 mainO 7 45 FOR LOOP CPP INDEX VARIABLE DECLARATION 135 7 45 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal visiting all declaration statement nodes 2 For each declaration statement node if parent node is for loop initialization statement then flag violation 3 Report any violations 7 45 6 Referenc
50. OMPASS CHECKERS 7 21 Cpp Calls Setjmp Longjmp The Elements of C Style state that The setjmp and longjmp functions provide exception handling for C programs You cannot safely use these functions in C code because the exception handling mechanism they implement does not respect normal object lifecycle semantics a jump will not result in destruction of scoped automatically allocated objects 7 21 1 Parameter Requirements This checker takes no parameters and inputs source file 7 21 2 Implementation This pattern is checked using a simple AST traversal that seeks out calls to setjmp and longjmp in source files without the c extension These nodes are flagged as violations 7 21 3 Non Compliant Code Example This contrived trivial example calls setjmp and longjmp in C code include lt setjmp h gt int main jmp_buf env my_container c1 int i setjmp env if i 0 exit 1 int err ci clear if err 0 longjmp env 1 return 0 7 21 4 Compliant Solution The compliant solution uses C exception handling 7 21 CPP CALLS SETJMP LONGJMP int main my_container cl try ci clear catch exit 1 return 0 7 21 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal visiting function reference codes
51. Parameter Requirements This checker takes no parameters and inputs source file 7 18 2 Implementation This pattern is checked using a nested AST traversal in which the top level traversal seeks out definitions of constructors and destruc tors and two nested traversals seek out calls to virtual functions of member functions and non member functions respectively 7 18 3 Non Compliant Code Example The following code calls a virtual function from a public constructor This is a contrived trivial example class Class int n public Class n Classy constructor Class Destructor virtual int Classy return 1 gt class Class int main Class c return 0 main 7 18 CONSTRUCTOR DESTRUCTOR CALLS VIRTUAL FUNCTION 83 7 18 4 Compliant Solution class Class int n public Class n 1 constructor ClassO Destructor 3 class Class int main Class c return 0 mainO 7 18 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform a AST traversal visiting class constructors and destruc tors 2 Flag any calls to virtual functions in class constructor or de structor nodes 3 Report any violations 7 18 6 References Alexandrescu A and Sutter H C Coding Standards 101 Rules Guidelines and Best Practices Addison Wesley 2005
52. ST OF COMPASS CHECKERS 7 80 Operator Overloading This test detects function declaration that overloads operators that can cause subtle bugs such as gg or That is one can not ensure that the overloaded operators will be evaluated in left to right order This is based on the following rules e Function calls always evaluate all arguments before execution e The order of evaluation of function arguments is unspecified For example auto_ptr lt Employee gt e GetEmployee if e amp amp e gt Manager The usual evaluation order left to right prevents the test from executing e gt Manager and the code above looks fine However the code above can invoke an overloaded operator amp amp and it will potentially call e gt Manager before checking if e is NULL 7 80 1 Parameter Requirements None 7 80 2 Implementation This pattern is detected using a simple traversal It traverses AST to find function declarations and check whether or not the name of the functions is operator amp amp operator or operator 7 80 3 Non Compliant Code Example class Test public Test Test Test operator amp amp const Test amp Test operator const Test amp Test operator const Test amp 7 80 4 Compliant Solution N A 7 80 OPERATOR OVERLOADING 205 7 80 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using s
53. Solution namespace M void f OK used as friend in M B same namespace class B public friend void f F 7 76 NONMEMBER FUNCTION INTERFACE NAMESPACE 7 76 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each friend function or operator for a class look up the namespace it is declared in and compare to the namespace of the class 7 76 5 References The reference for this checker is H Sutter A Alexandrescu C Coding Standards Item 57 Keep a type and its nonmenber func tion interface in the same namespace 195 196 CHAPTER 7 LIST OF COMPASS CHECKERS 7 77 CERT EXP33 C and EXP34 C Null Dereference NULL Dereference checker If any variable that could be NULL is dereferenced a warning is issued This is an implementation of US CERT rules EXP33 C Do not reference uninitialized variables and EXP34 C Ensure a pointer is valid before dereferencing it EXP33 C Do not reference uninitialized variables Local automatic variables can assume unexpected values if they are used before they are initialized C99 specifies If an object that has automatic storage duration is not initialized explicitly its value is indeterminate ISO IEC 9899 1999 In practice this value defaults to whichever values are currently stored in stack memory While uninitialized memory often
54. Verifier is a tool extended from Compass to analyze the source code of Compass and its checkers to detect certain properties The motivation and design of this tool are discussed in Chapter 2 Design and Verification This chapter will detail the Make rules written to run Compass Verifier and to setup the parameters to the AllowedFunctions checker The rules to setup and run Compass Verifier are found in projects compass tools compassVerifier Makefile am Fol lows is an overview of their usage labels make oneBigVerify verify Verifier is designed to examine the compass tool referenced in the environment variable TOOLBUILD which by de fault is projects compass tools compass This variable may be changed in the Makefile am of the source directory or on the com mand line to make in the build tree e oneBigVerify a fast but rough static analysis over the Compass checker sources This rule exe cutes compassVerifier over the concatenation of all sources with names matching those checkers listed in TOOLBUILD CHECKER_LIST_WITHOUT_COMMENTS with exten sion C These should be the only sources from the checker subdirectories that are built with Compass The consistency of this concatenation depends on no global function variable etc declaration conflicts usually this is perserved by default as all checkers employ their own namespace e verify a slow and more complete analysis over all files found in the checker directories
55. alue_2 also evaluates to true then message will be freed twice resulting in an error if message _type value _1 Process message type 1 free message if message _type value _2 Process message type 2 free message 7 90 4 Compliant Solution As stated above calling free on a NULL pointer results in no action being taken by free By setting message equal to NULL after it has been freed the double free vulnerability has been eliminated if message_type value_1 4 Process message type 1 free message 223 224 CHAPTER 7 LIST OF COMPASS CHECKERS message NULL if message_type value_2 Y Process message type 2 free message message NULL 7 90 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Write your checker algorithm 7 90 6 References ISO IEC 9899 1999 MEMO1 A Eliminate dangling pointers 7 91 SINGLE PARAMETER CONSTRUCTOR EXPLICIT MODIFIER 225 7 91 Single Parameter Constructor Ex plicit Modifier The Elements of C Style item 104 states that A compiler can use a single parameter constructor for type conversions While this is natural in some situations it might be unexpected in others you can avoid this be havior by declaring a constructor with the explicit key word 7 91 1 Parameter Requirem
56. amp end_ptr 10 10 11 if ERANGE errno 12 puts number out of range n 13 14 else if sl gt INTMAX 15 printf ld too large n s1 16 17 else if sl lt INTMIN 18 printf ld too small n sl 19 20 else if end ptr argv 1 21 puts invalid numeric input n 22 23 else if 0 end_ptr 24 puts extra characters on input line n 25 26 else 27 si int sl 23 29 30 If you are attempting to convert a string token to a smaller integer type int short or signed char then you only need test the result against the limits for that type The tests do nothing if the smaller type happens to have the same size and representation on a particular compiler 7 93 4 Risk Assessment While it is relatively rare for a violation of this rule to result in a security vulnerability it could more easily result in loss or misinter preted data Rule Severity Likelihood Remediation Cost Priority Level INTO6 A 2 medium 2 probable 2 medium L2 Related Vulnerabilities Search for vulnerabilities resulting from the violation of this rule on the CERT website 7 93 5 References Klein 02 ISO IEC 9899 1999 Section 7 20 1 4 The strtol strtoll strtoul 7 93 SECURE CODING INT06 A USE STRTOL TO CONVERT A STRING TOKEN TO AN INTEGER231 and strtoull functions Section 7 20 1 2 The atoi atol and atoll
57. an ROSE ROSE_CVS ROSE projects compass tests exampleTe te qaran yore Dool O home dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTe 17 _ void foo O home dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTe 18 Blc O home dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTe 19 home dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTe 20 O mome dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTes gt dio O mome dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTes 2 Alt O home dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTe 24 I O mome dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTes 25 O mome dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTes 26 O mome dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTes 27 a void foobar_1 O home dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTe E 1 A O home dquinlan ROSE ROSE_CVS ROSE projects compass tests exampleTe So L Induction Variable Update checker 31 LLine length checker 32 _ void foobar_2 LLoc_perFunction checker 33 Bl LmpiBufferTypeChecker Ip Multiple Cases on the Same Line checker MES 4 I El Run Exit El Terminal 83 System QRose L D emase D Compass _ Compass Mon Jul 9 1 53 AM A Figure 3 2 Compass GUI for interpretation of rule violations 24 CHAPTER 3 USING COMPASS y 1 Compass Analysis Static View F
58. an individual may inspect the generated file These three Make rules describe the basic user interface for Compass Verifier Other parameters such as those for ForbiddenFunctions should be changed manually And an individual should examine the results of Compass Verifier to ensure a checker meets the validation standards sought after Chapter 6 Categories of Compass Checkers All available Compass checkers can be roughly categorized as follows 6 1 Common Styles e forLoopConstructionControlStmt for loop must only include statements that control the loop or related to the loop control e inductionVariableUpdate Do not alter a control variable more than once in a loop e uninitializedDefinition Always initial variables at their initial declaration e unaryMinus Do not use unary minus on unsigned types e noGoto Do not use goto e nonAssociativeRelationalOperators Do not associate rela tional operators e g a b c e magicNumber Avoid using integer or floating point literals outside of initializer expressions e nameAllParameters Every function parameters should has a name in a function declaration e oneLinePerDeclaration Do not declare more than one variable in a single declaration statement e placeConstantOnTheLhs Always put constant on the left side for comparison expressions e functionDefinitionPrototype Every function should have a function prototype 43 CHAPTER 6 CATEGORIES OF COMPASS CHEC
59. and if the test is for inequality 7 42 6 References The Programming Research Group High Integrity C Coding Standard Manual Item 10 15 Do not write code that expects float ing point calculations to yield exact results 130 CHAPTER 7 LIST OF COMPASS CHECKERS 7 43 Fopen Format Parameter CERT Secure Coding FIO11 A states en N Po E HR BO The C standard specifies specific strings to use for the mode for the function fopen An implementation may define extra strings that define additional modes but only the modes in the following table adapted from the C99 standard are fully portable and C99 compliant r a rb wb ab r w a r b or rb w b or wb a b or ab 7 43 1 Parameter Requirements This checker takes no parameters and inputs source file 7 43 2 Implementation This pattern is checked using a simple AST traversal that visits all function call expressions For each function call expression the function name is confirmed to be fopen then the format parameter is checked against the list of specified strings If the given parameter is not a standard format string then a violation is flagged 7 43 3 Non Compliant Code Example include lt stdio h gt int main FILE f fopen tmp tmp txt wr fclose f return 0 7 43 FOPEN FORMAT PARAMETER 131 7 43 4 Compliant Solution The compliant solution uses the r specified parameter string
60. ass provides a way to enforce predefined or arbitrary user specified properties on software This chapter covers the design of Compass and the design of the verification in the Compass Verifier used to verify properties of the checkers implemented and submitted to Compass 2 1 Usage Model Figure 2 1 shows the usage model use cases of Compass The anal ysis is triggered by the user running Compass over an input file source code or binary The user implicitly selects which checkers to execute defining what rules are to be enforced by default all checkers are run The user also specifies the input file to be checked for source code the specification is similar to the command line re quired for the compilation in the case of a source file Results of the analysis are presented to the user a number of mechanisms can be used to display the results Either the same user or a different user developer can also implement and submit checkers to be built into Compass Since external users may contribute checker automatically via scripts a verification of the validity and safety of these checkers is necessary We provide a Compass Verifier that helps to check that all checkers are safe Currently the verifier is run by an administrative person but may run automatically in the future 11 12 CHAPTER 2 DESIGN AND VERIFICATION Detector Detector Compass Verifier verify checker Detector Detector
61. astjj will ensure that the object pointed to by the base class pointer is really of the derived class It will return a nill pointer if it is not Any other type of cast is unsafe 7 34 1 Parameter Requirements This checker does not take any paramaters 7 34 2 Implementation This pattern is detected using a simple traversal without inherited or synthesized attributes 7 34 3 Non Compliant Code Example class A not polymorphic public AQ virtual void foo class B public A int main A p new B B p2 Bx p 7 34 4 Compliant Solution class A not polymorphic public AQ 114 CHAPTER 7 LIST OF COMPASS CHECKERS virtual void foo class B public A int main A p new B B p2 dynamic_cast lt B gt p 7 34 5 Mitigation Strategies Static Analysis 1 traverse AST 2 for each cast expression that is a downcast if dynamic cast is not used report an error 7 34 6 References 7 35 EMPTY INSTEAD OF SIZE 7 35 Empty Instead Of Size While comparing the result of the size member function on STL containers against 0 is functionally equivalent to calling the empty member function empty is to be preferred as it is always a constant time operation while size on std list may take linear time This checker detects cases where the result of size is com pared against the constant 0 7 35 1 Parameter Requirements This checke
62. ation The implementation is dependent on the availability of symbols Functions must have names The algorithm looks then for the malloc function and determines the memory allocation made Using the def use algorithm uses of the allocated variable are looked for and any access beyond the allocation size are flagged as a buffer overflow This analysis operates on a graph not an AST 7 8 3 Non Compliant Code Example This is an example of a code that will trigger a buffer overflow tinclude lt stdio h gt include lt stdlib h gt int main int argc char argv int arr malloc sizeof int 10 int i 0 for i 0 i lt 10 i arr i 5 int x arr 12 7 9 BINARY INTERRUPT ANALYSIS 65 7 9 Binary Interrupt Analysis This analysis looks for intx80 instruction calls If such a call is de tected a dataflow analysis traces back the eax register to determine what Linux system call will being executed E g if eax 1 its a sys_exit eax 3 its a sys_read or eax 4 is a sys_write 7 9 1 Parameter Requirements None 7 9 2 Implementation This analysis operates on a graph not an AST See binaryInterrupt Analysis C 66 CHAPTER 7 LIST OF COMPASS CHECKERS 7 10 Boolean Is Has This checker makes sure that all boolean variables and functions that return a boolean are all named following the convention is_ or has per the ALE3D manual 7 10 1 Parameter Requirements No parameters re
63. ault ones e forLoopCppIndexVariableDeclaration C loop index vari able should be declared in for e friendDeclarationModifier Avoid using friend declarations e internalDataSharing Class member functions should not ex pose data member handles e voidStar Public methods should not use void for arguments or return types e noExceptions Avoid using C exceptions 6 4 CORRECTNESS e nonmemberFunctionInterfaceNamespace Keep classes and their non member interfaces friend functions within the same namespace e multiplePublicInheritance Avoid multiple public inheritance e noTemplateUsage Do not use C templates e protectVirtualMethods Do not expose virtual methods as pub lic interface e singleParameterConstructorExplicitModifier Single parameter constructor used as converting constructor should have the ex plicit modifier 6 4 Correctness e cycleDetection control flow graph of code should not contain cycles e defaultCase Each switch statement should have a default case e doNotCallPutenvWithAutoVar Do not use an auto local vari able as the parameter of putenv e noExitInMpiCode No exit from within a parallel code por tion MPI e sizeOfPointer Do not computing sizeof pointer when you want to get the size of object pointed to e newDelete Detect several common mistakes when using new delete deleting array using delete not delete deleting NULL pointers deleting uninitialized poin
64. bridge University Press 2004 218 CHAPTER 7 LIST OF COMPASS CHECKERS 7 88 Push Back Tests if the source uses front or back insertion in sequences us ing insert or resize where a push_front or push_back could be used The patterns are very simple and matches simple calls like vector insert vector end In these case push back and push front only are insured to be efficient All other calls may be quadratic This test is inspired by the rule 80 of C Coding Standards Use the accepted idioms to really shrink capacity and really erase ele ments 7 88 1 Parameter Requirements There is no parameter required 7 88 2 Implementation No implementation yet 7 88 3 Non Compliant Code Example include lt vector gt include lt list gt void g std vector lt int gt v v insert v end 1 v resize v size 1 1 std list lt int gt vv new std list lt int gt vv gt insert vv gt begin 1 7 88 4 Compliant Solution include lt vector gt include lt list gt void g std vector lt int gt v v push_back 1 7 88 PUSH BACK 219 v push_back 1 std list lt int gt vv new std list lt int gt vv gt push_front 1 7 88 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers looking for these patterns For all types T where V variable of type vector lt T gt where Vp variable of
65. ch have been developed over several years and contributed to by a large number of people This currently includes Staff Dan Quinlan Post docs Thomas Panas Chunhua Liao and Jeremiah Willcock Ex Post doc Richard Vuduc Students Gergo Barany Michael Byrd Valentin David Han Kim Robert Preissl Andreas Saebjornsen Jacob Sorensen Ramakrishna Upadrasta Jeremiah Willcock Gary Yuan Internal LLNL Contributors Greg White External Collaborators We want to thank CERT who has been particularly helpful and supportive both with the development of checkers for their Secure Coding Rules and with numerous suggestions CONTENTS Chapter 1 Introduction A software analysis story about four people named Everybody Somebody Anybody and Nobody There was an important job to be done and Everybody was sure that Somebody would do it Any body could have done it but Nobody did it Somebody got angry about that because it was Everybody s job Everybody thought that Anybody could do it but Nobody realized that Everybody wouldn t do it It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done 1 1 Overview Compass is a tool for the checking of source code It is based on the ROSE compiler infrastructure and demonstrates to use of ROSE to build lots of simple pattern detectors for analysis of C C and Fortran source code The purpose of this work is several fold e Provide a concrete tool to s
66. checks that all standard C C file I O is read only This checker is normally used only internally for compass verify 7 40 1 Parameter Requirements This checker takes no parameters and inputs source file 7 40 2 Implementation This pattern is checked using a simple AST traversal visiting all function call expressions calling the function fopen The mode pa rameter to fopen is checked to be either r or rb only Any parameter that violates this restriction is flagged as an error Addi tionally all variable declarations of type fstream and ofstream are forbidden by this checker 7 40 3 Non Compliant Code Example tinclude lt fstream gt include lt stdio h gt int main FILE f1 fopen f1 txt w std fstream f2 f2 txt std ios app std ios out FILE fir fopen f1 txt r std ifstream f2r f2 txt std ios in return 0 7 40 4 Compliant Solution Do not write to file 7 40 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 7 40 FILE READ ONLY ACCESS 125 1 Perform simple AST traversal on all function call expressions calling the fopen function 665 99 2 Check the mode parameter of fopen to be either r or rb if not then flag violation 3 Perform simple AST traversal on all variable declarations of the type fstream or ofstream Forbid th
67. cit values of the same type localizedVariables Variable declaration should be close to its first use functionDocumentation Every function should have documen tation comments variableNameEqualsDatabaseName Member functions access ing local variables that get assigned The result of the function call should have a name equal to the first argument ternaryOperator Prefer explicit conditional statements to ternary operator a x y 6 9 Complexity computationalFunctions check functions exceeding max al lowed computation operations 6 10 CONSISTENCY e cyclomaticComplexity a function should not exceed a com plexity threshold e deepNesting functions should not exceed a threshold for scopes inside its body too complex e locPerFunction A function should not contain code exceeding a line count threshold 6 10 Consistency e lowerRangeLimit Always use inclusive lower limits and exclu sive upper limits e upperRangeLimit same as lower range limit always using in clusive lower limits and exclusive upper limit e otherArgument Always name the parameter as other that or lower case of the class name for copy constructors 6 11 Better choices e stringTokenToIntegerConverter Prefer strtol strtoll to atoi atol atoll for better error handling e preferFseekToRewind Prefer fseek to rewind since fseek has return code e preferSetvbufToSetbuf Prefer setvbuf to setbuf for better er
68. cker into de tection mode where all function references not read from the list in compass_parameters are flagged as violations e AllowedFunctions Library adds to a list of paths treated as safe libraries Any sources found in these paths will be ignored by allowedFunctions 7 2 2 Implementation This checker functions in two modes depending on the boolean sign of the AllowedFunctions FunctionNum parameter Positive signed FunctionNum puts this checker into testing mode where new function references are added to the list of allowed func tions This mode begins by reading the compass_parameters file for found allowed functions and other options given to allowed Functions The existing list of allowed functions is output in order to the output 53 CHAPTER 7 LIST OF COMPASS CHECKERS file specified by OutFile The allowedFunctions traversal then begins by visiting all function and member function references and detect ing their membership in the set of allowed functions Functions not found in this set are added and written to the OutFile while those already found do nothing The function reference is detected and output using a special man gled string generated by allowedFunctions that serves as its unique identifier This format is recursively generated by looking at the types of a functions return and argument parameters as well as its qualified name joined in a comma separated string The string se quence is return type qualifie
69. contains zero this is not guaranteed Consequently uninitialized memory can cause a program to behave in an unpredictable or unplanned manner and may provide an avenue for attack 7 77 1 EXP34 C Ensure a pointer is valid before dereferencing it Attempting to dereference an invalid pointer results in undefined be havior typically abnormal program termination Given this point ers should be checked to make sure they are valid before they are dereferenced 7 77 2 Non Compliant Code Examples EXP33 C Do not reference uninitialized variables In this example the set_flag function is supposed to set a the vari able sign to 1 if number is positive and 1 if number is negative However the programmer forgot to account for number being 0 If number is 0 then sign will remain uninitialized Because sign is uninitialized it assumes whatever value is at that location in the program stack This may lead to unexpected incorrect program behavior void set_flag int number int sign_flag if number gt 0 sign_flag 1 else if number lt 0 4 sign_flag 1 7 77 CERT EXP33 C AND EXP34 C NULL DEREFERENCE 197 int x sign_flag int main int argc char argv int sign set_flag 0 amp sign return 0 EXP34 C Ensure a pointer is valid before dereferencing it In this example input str is copied into dynamically allocated mem ory referenced by str If malloc fails it returns a NULL poin
70. ct functions with high complexity High complexity is defined by Mc Cabe s cyclomatic complexity metric This metric measures the amount of branches in a function i e through if and switch conditions 7 23 1 Non Compliant Code Examples void fail int x x 5 if x gt 3 if x gt 3 if x gt 3 7 23 2 Compliant Solution void pass int x x 5 if x gt 3 7 23 3 Parameter Requirements CyclomaticComplexity maxComplexity defines the max value for the complexity analysis 7 23 4 Implementation The algorithm searches for each function the number of occurances of if isSgIfStmt node isSgCaseOptionStmt node isSgForStatement node isSgDoWhiles complexity 7 23 5 References Thomas McCabe A Complexity Measure IEEE Trans actions on Software Engineering Vol SE 2 No 4 December 1976 92 CHAPTER 7 LIST OF COMPASS CHECKERS 7 24 Data Member Access Following the spirit of data hiding in object oriented programming classes should in general not have public data members as these might give away details of the underlying implementation making a change of implementation more difficult and possibly giving users a way to mess up the internal state of objects of the class It is however sometimes useful to have behaviorless aggregates i e C style structs where all data members are public and no member functions are present This checker warns abo
71. ctionDeclaration that have the public ac cess modifier and the virtual function modifier boolean values set to true Member functions that match this pattern are flagged as violations 7 87 3 Non Compliant Code Example This non compliant code contains a virtual function in the public interface of a class class Class int n public Class n publicVirtualFunction constructor Class Destructor virtual int publicVirtualFunction return 1 Y class Class 7 87 4 Compliant Solution The compliant solution protects the virtual function and adds a pub lic accessor to the virtual function class Class int n protected virtual int protectedVirtualFunction return 1 7 87 PROTECT VIRTUAL METHODS 217 public Class n publicVirtualFunction constructor Class Destructor int publicVirtualFunction return protectedVirtualFunction class Class 7 87 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform a simple AST traversal visiting all function declaration nodes 2 For each function declaration check the public and virtual modifiers If both public and virtual modifiers are set then flag violation 3 Report any violations 7 87 6 References Bumgardner G Gray A and Misfeldt T The Elements of C Style Cam
72. ctive STL Item 3 Call empty instead of checking size against zero 7 36 ENUM DECLARATION NAMESPACE CLASS SCOPE 117 7 36 Enum Declaration Namespace Class Scope The Elements of C Style item 79 states that To avoid symbolic name conflicts between enumerators and other global names nest enum declarations within the most closely related class or common namespace 7 36 1 Parameter Requirements This checker takes no parameters and inputs source file 7 36 2 Implementation This pattern is checked using a simple AST traversal that locates nodes that are enumeration declarations If a enumeration decla ration is found then its parent nodes are traversed until a class or namespace declaration is found If no namespace or class declara tion s are found then a violation is flagged by this checker 7 36 3 Non Compliant Code Example This non compliant code contains an enum declaration at the global scope enum violation E1 0 E2 E3 This is a violation 7 36 4 Compliant Solution The compliant solution simply nests the violation enum declaration in a unique namespace namespace Namespace enum violation E1 0 E2 E3 This is OK namespace Namespace 7 36 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform an AST traversal visiting enum declaration nodes 118 CHAPTER 7 LIST O
73. d less than operator 2 raise alert 7 55 6 References Abbreviated Code Inspection Checklist Section 11 1 1 Control Vari ables 155 156 CHAPTER 7 LIST OF COMPASS CHECKERS 7 56 Magic Number This test checks for the presence of magic numbers in the source code Magic numbers are all constants of integer or floating point type that occur outside of initializer expressions The user may configure the checker to ignore certain common constants such as 0 or 1 This detector reports not only hand written constants but also those that were created by macro expansion Note that C does not have negative constants 1 is not an in teger constant but rather the unary minus operator applied to the constant 1 To ignore occurrences of 1 you must therefore instruct the checker to ignore the constant 1 but this will also ignore all positive occurrences 7 56 1 Parameter Requirements The magic number detector requires two entries in the parameter file one of which is the list of integer constants to ignore the other the list of floating point constants to ignore Constants in both lists are separated by whitespace as explained above it does not make sense to specify negative values An example of parameter entries is MagicNumberDetector allowedIntegers MagicNumber Detector allowedFloats 42 0 3 14159 This specification has an empty list of integers so every integer constant of any type will be flagged a
74. d name with scope and arguments or void etc One simple example is for the memchr function AllowedFunctions Function39 void memchr void int size_t After all existing and new allowed functions are written the Func tionNum parameter is updated with the current number of allowed functions in the list given in OutFile Essentially the testing mode is designed for multiple executions of compass with different sources such that a list of allowed functions grows and is maintained in a format usable for compass_parameters The other operation mode detection reads from com pass_parameters the set of allowed functions Similarly the traversal visits all function and member function references and constructs the unique manged string identifier for the function This mangled string is looked up in the set of all allowed functions If the function is found then execution continues but a function that is not found in the set of allowed functions is reported as a violation In general this will be the mode most users will run AllowedFunctions under Several exclusion mechanism are implemented by allowedFunctions for ignoring local function definitions and function calls occuring from source designated as a safe library Their implementation re lies on the file classification mechanism in ROSE string support to distinguish between user system and library sources 7 3 ASSIGNMENT OPERATOR CHECK SELF 7 3 Assignment Operator Check Self Th
75. d of a variadic function 7 70 NO VARIADIC FUNCTIONS 183 include lt string gt string separator some reasonable value string s hello separator world 7 70 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal on all function and member func tion references 2 For each function reference check the function declaration and existence of function definition 3 If function definition does not exist then stop check 4 Else check function declaration arguments for variadic types 5 Report any violations 7 70 6 References DCL33 C Do not define variadic functions 184 CHAPTER 7 LIST OF COMPASS CHECKERS 7 71 CERT POS33 C No Vfork CERT Secure Coding POS33 C states Using the vfork function introduces many portability and security issues There are many cases in which undefined and implementation specific behavior can occur leading to a denial of service vulnerability 7 71 1 Parameter Requirements This checker takes no parameters and inputs source file 7 71 2 Implementation This pattern is checked using a simple AST traversal that visits all function reference expressions If a functino reference expres sion node corresponds to the vfork function then a violation is flagged 7 71 3 Non Compliant Code Example This non compliant example call
76. d using structural static analysis checkers using the following algorithm 1 Identify function declaration 2 Check return for base type 3 if non intrinsic type and not a reference notify 7 74 6 References Abbreviated Code Inspection Checklist Section 14 5 Return Values 192 CHAPTER 7 LIST OF COMPASS CHECKERS 7 75 Non Virtual Redefinition Calls of nonvirtual member functions are resolved at compile time not run time Redefinition of an inherited nonvirtual function in a derived class has different semantics that can result in surprising behavior and should therefore be avoided This checker reports cases where a class redefines a function that was declared nonvirtual in one of its superclasses 7 75 1 Parameter Requirements This checker does not require any parameters 7 75 2 Non Compliant Code Example namespace NonCompliant class Base public virtual void overridelfYouWish int void doNotOverride int Fs class Inherited public Base public void doNotOverride int trying to override nonvirtual function des 7 75 3 Compliant Solution namespace Compliant class Base public virtual void overrideIfYouWish int void doNotOverride int ES class Inherited public Base public void overridelfYouWish int overriding virtual function ys 7 75 NON VIRTUAL REDEFINITION 7 75 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using struc
77. ded in Compass the majority are simple All detectors are meant to be side effect free and are the subject of separate research to independently provide automated combining evaluation of multiple patterns in a single AST traversal and parallelization of the pattern evaluations on the AST 8 1 1 Input Parameter Specification Parameters to all detectors are specified in an input parameter file if required This permits numerous knobs associated with different pattern detectors and separate input files be specified for different software projects 8 1 2 Pattern Detection Currently it is assumed that patterns will be detected as part of a traversal of the AST See the ROSE Tutorial for example and general documentation on the different sorts of traversals possible within ROSE 8 1 3 Output Specification Output of source position information specific to detected pat terns are output in GNU standard source position formats See 247 248 CHAPTER 8 APPENDIX http www gnu org prep standards html_node Errors html for more details on this format specification and now it is used by external tools e g emacs etc
78. e source tree dir local add buildfile dir for rose defun set rose build dir dir Set the top of the ROSE build tree to use with Flymake interactive DThe top of the ROS setq rose build tree dir local add buildfile dir for rose add hook find file hook add buildfile dir for rose list make list s C home dquinlan ROSE NEW_ROSE developersScratchSpace Dan EmacsCompass_tests list s list s C pwd sed s home dquinlan ROSE NEW_ROSE home dquinlan ROSE ROSE_CompileTree LINUX 64bit 3 4 6 Q s concat CHK_SOURCES source SYNTAX_CHECK_MODE 1 check syntax global set key f3 flymake display err menu for current line global set key f4 flymake goto next error Figure 3 5 Addition to emacs when integrating Compass into emacs one inc h one C gt c one C Figure 3 6 Example makefile before the Compass addition 3 4 INCLUDING EXCLUDING CHECKERS IN THE COMPASS BUILD PROCESS27 one inc h one C gt c one C check syntax inc h one C path to compass executable compassMain c one C Figure 3 7 Example makefile after addition to support integration of compass e Download errormarker vim from http www vim org scripts script php script_id 1861 and save it into vim plugin Again create the target directory first when it does not exist e Change your Makefile to use an installed compassMain as the compiler to compile your code e Use quickfix
79. e use of these declarations and mark them as violations 4 Report all violations 7 40 6 References 126 CHAPTER 7 LIST OF COMPASS CHECKERS 7 41 Float For Loop Counter CERT Secure Coding states Floating point arithmetic is inexact and is subject to rounding errors Hence floating point variables should not be used as loop counters 7 41 1 Parameter Requirements This checker takes no parameters and inputs source file 7 41 2 Implementation This pattern is checked using a simple AST traversal that visits all for loop init statement nodes and checks the type of its counter variable declaration If that type is float or double then flag a violation 7 41 3 Non Compliant Code Example for float count 0 1f count lt 1 count 0 1f 7 41 4 Compliant Solution The compliant solution uses an int type loop counter for int count 1 count lt 10 count 1 7 41 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal visiting all for loop initialization statement nodes 2 For each node check the type of its variable declaration If type is float or double then flag violation 3 Report any violations 7 41 FLOAT FOR LOOP COUNTER 127 7 41 6 References FLP31 C Do not use floating point variables as loop counters 128 CHAPTER 7 LIST OF COMPASS C
80. eCompassSubset Makefile am is provided as an example This example can be a template and may be used in general for any Compass like tool Any tool that is an extension of the Compass infrastructure will reuse much of the Compass infrastructure such as compassSupport Furthermore much of the Compass build process requires the automatic gen eration of files in the build tree such as compass_makefile inc compass_parameters etc Thus an include file has been provided in Compass to define these common rules compass inc and is included in this Makefile am A more advanced implementation of this automake file template is located in Compass Verifier which is 3 10 EXTENDING THE COMPASS INFRASTRUCTURE itself another tool extended off Compass and designed to check the rules implemented in Compass So far a blank Compass like tool has been created and config ured to build with ROSE Still missing are a few Compass files that produce a successful compile and linked executable The next step is to populate the empty Compass like tool with check ers from Compass Note that all checkers reside as subdirectories in projects compass extensions checkers but that subsets of these are selected for use thus all checkers are always optionally available to all compass infrastructure based tools Create a new file called CHECKER_LIST under the sampleCompassSubset directory an example has been provided and insert the names of the desired checkers into thi
81. e_init 391 typedef struct J 392 _io read fn read Read bytes _io write _fn write Write bytes _io _seek_fn seek Seek tell file position __io_close_fn close Close file _I0_cookie_io_functions_t typedef _I0_ cookie io functions_t cookie _io_functions_t struct _10_cookie file Initialize one of those void ile int _read_write void cookie _10_cookie io functions_t _ fns ifdef _ cplusplus 409 extern C 2 410 Hendif 411 412 extern int _ underflow _10_FILE __THROW 413 extern int __uflow _10_FILE __THROW 414 extern int __overflow _IO_FILE int __ THROW 415 extern IO wint_t __wunderflow _10_FILE __THROW Figure 3 3 Processing of XML Compass output using ToolGear LocalizedVariables home ROSE projects compass tests Cxx_tests test2006_117 C 30 5 Variable pmNull does not seem to be u FunctionDefinitionPrototype home ROSE projects compass tests Cxx_tests test2006_123 C 27 1 10 matching function prototy LocPerFunction home ROSE projects compass tests Cxx_tests test2006_117 C 23 1 20 This function has too many lines of co MagicNumber home ROSE projects compass tests Cxx_tests test2006_117 C 33 14 Occurrence of integer or floating constant MagicNumber home ROSE projects compass tests Cxx_tests test2006_117 C 36 14 Occurrence of integer or floating constant MagicNumber home ROSE projects compass tests Cxx_tests te
82. ecure Coding MSCO5 A states time_t is specified as an arithmetic type capable of rep resenting times However how time is encoded within this arithmetic type is unspecified Because the encoding is unspecified there is no safe way to manually perform arithmetic on the type and as a result the values should not be modified directly 7 96 1 Parameter Requirements This checker takes no parameters and inputs source file 7 96 2 Implementation This pattern is checked using a simple AST traversal that visits all binary operation nodes For each binary operation node if the node is a arithmetic expression then check the type of its left and right hand side operands If either operand type is time_t then flag violation 7 96 3 Non Compliant Code Example This code attempts to execute do_some_work multiple times until at least seconds_to_work has passed However because the en coding is not defined there is no guarantee that adding start to seconds_to_work will result adding seconds_to_work seconds include lt time h gt int do_work int seconds_to_work time_t start start time NULL if start time_t 1 Handle error while time NULL lt start seconds_to_work do_some_work return 0 7 96 TIME_T DIRECT MANIPULATION 237 7 96 4 Compliant Solution This compliant solution uses difftime to determine the differ ence between two time_t values difftime returns the
83. ed as well see figure 3 1 Much thanks for David Svoboda at CERT at CMU for first config uring Flymake to work with Compass and demonstrating the idea It has provided a great way to check code using compass and its use in Emacs has stimulate a number of ideas that have made their way back into Compass Emacs emacs Code Requirement Figure 3 5 shows the code that is required to be added to the emacs file A copy of this code is available in the compass source directory 21 22 CHAPTER 3 USING COMPASS emacs jitter cs ucdavis edu compass_forbidden function _vfork is a function meant to simulate a system routine This makes no difference as an example of how forbiddenFunctions fchecks errors as it works only on function names The reason we have used this example is to prevent compass from treating this test file as an error during make verify void DEI int char double function double good_function namespace A double function struct B void memberFunction j int main int argc char argv Line 23 1 error s O warning s SgFunctionRefexp Forbidden function compass_forbidden_function_vfork used This is our sample forbidden function Bb b memberFunction return Q Figure 3 1 Compass error messages integrated into Emacs 3 3 OUTPUT FROM COMPASS 23
84. ed to convert an int to a double write your non compliant code example int dividend divisor LIE double result double dividend divisor 7 32 4 Compliant Solution Using the new cast the division should be written as write your compliant code example double result static_cast lt double gt dividend divisor 7 32 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Check to see if the SgCastExp node is of type SgCast Exp e_C_style_cast and if it is add ouput 110 CHAPTER 7 LIST OF COMPASS CHECKERS 7 32 6 References Dewhurst 03 Gotcha 40 Old Style Casts ISO IEC 14882 2003 Sections 5 2 9 5 2 11 5 2 7 5 2 10 Meyers 96 Item 2 Prefer C style casts Lockheed Martin 05 AV Rule 185 C style casts const_cast rein terpret_cast and static_cast shall be used instead of the traditional C style casts 7 33 DUFFS DEVICE 111 7 33 Duffs Device This test checks for the presence of Duff s Device in the source code Duff s Device is a switch statement containing a loop for while or do while we do not check for goto loops that contains one of the switch s case or default labels If such a construct is found the position of the switch statement is reported 7 33 1 Parameter Requirements This checker does not require any parameters 7 33 2 Non Compliant Code Example
85. egies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform AST traversal visiting the member functions of class definitions 2 If no constructor is found for a single class definition then flag violation 3 Report any violations 7 27 6 References Bumgardner G Gray A and Misfeldt T The Elements of C Style Cambridge University Press 2004 99 100 CHAPTER 7 LIST OF COMPASS CHECKERS 7 28 Discard Assignment According to some coding standards the assignment operator should not be used within larger constructs but only as a stand alone ex pression statement in particular it should not be used as the con trolling expression in a branch because it might be confused with the equality operator This checker reports any use of the assignment operator built in or overloaded that is not the sole expression in an expression statement 7 28 1 Parameter Requirements This checker does not require any parameters 7 28 2 Non Compliant Code Example void strcpy_noncompliant char dest const char source while dest source 7 28 3 Compliant Solution void strcpy_compliant char dest const char source char last source do last source xdest source while last 0 7 28 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static
86. elines and Best Practices Addison Wesley 2005 7 89 RIGHT SHIFT MASK 7 89 Right Shift Mask Do not assume that a right shift operation is implemented as either an arithmetic signed shift or a logical unsigned shift If El in the expression El E2 has a signed type and a negative value the resulting value is implementation defined and may be either an arithmetic shift or a logical shift Also be careful to avoid undefined behavior while performing a bitwise shift 7 89 1 Parameter Requirements No Parameter Required 7 89 2 Implementation Upon finding a right shift we trace parent pointers up until we find a bit and operator If we find this bitwise and then we return If we make it to the basic block node of the statement we raise an alert 7 89 3 Non Compliant Code Example For implementations in which an arithmetic shift is performed and the sign bit can be propagated as the number is shifted int stringify char buf sizeof 256 sprintf buf Zu stringify gt gt 24 write your non compliant code example If stringify has the value 0x80000000 stringify 24 evaluates to OxFFFFFF80 and the subsequent call to sprintf results in a buffer overflow 7 89 4 Compliant Solution For bit extraction make sure to mask off the bits you are not inter ested in int stringify char buf sizeof 256 sprintf buf Zu number gt gt 24 amp Oxff write your compliant code example 221
87. ences The Programming Research Group High Integrity C Coding Standard Manual Item 10 3 Do not assume the order of evalu ation of operands in an expression 233 234 CHAPTER 7 LIST OF COMPASS CHECKERS 7 95 Ternary Operator This checker detects a expression that uses the ternary operator The rationale for this checker is according to High Integrity C Coding Standard Manual because evaluation of a complex condi tion is best achieved through explicit conditional statements 7 95 1 Parameter Requirements None 7 95 2 Implementation This checker is implemented with a simple traversal It traverses AST checks if a statement uses a ternary operator and reports it if yes 7 95 3 Non Compliant Code Example void foo int i 0 int j i 3 j 1 j 2 7 95 4 Compliant Solution void foo int i 0 int j if i 4 j 1 else j 2 7 95 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 7 95 TERNARY OPERATOR 235 1 For each node check if a node represents a ternary operator 2 If yes report it 7 95 6 References The Programming Research Group High Integrity C Coding Standard Manual Item 10 20 Do not use the thernary operator in expressions 236 CHAPTER 7 LIST OF COMPASS CHECKERS 7 96 Time_t Direct Manipulation CERT S
88. ents This checker takes no parameters and inputs source file 7 91 2 Implementation This pattern is checked using a simple AST traversal that finds in stances of SgFunctionDeclaration that are constructors with a single parameter If these SgFunctionDeclaration are not modified with the explicit keyword then a violation is flagged 7 91 3 Non Compliant Code Example This non compliant code has a single parameter constructor that is not declared with the explicit keyword class Class int num public Class int n num n gt int getNum const return num class Class 7 91 4 Compliant Solution The compliant solution declares the single parameter constructor with the explicit keyword modifier class Class int nun public explicit Class int n num n int getNum const return num 3 class Class 226 CHAPTER 7 LIST OF COMPASS CHECKERS 7 91 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform a simple AST traversal visiting all function declaration nodes 2 For each function declaration if node is constructor then check the size of its parameter list 3 If the parameter list size of constructor is 1 and is not declared with the explicit modifier then flag violation 4 Report any violations 7 91 6 References Bumgardner G Gray A and Misfeldt T The Elemen
89. es Arrighi B Neely R Reus J ALE3D Coding Standards amp Style Guide 2005 136 CHAPTER 7 LIST OF COMPASS CHECKERS 7 46 Forbidden Functions Many checks common to Compass center around the forbidden use of certain dangerous functions This checker provides a way to forbid the use of those functions through the simple use of their name 7 46 1 Parameter Requirements The forbidden function checker can simultaneously look for any num ber of functions either member or non member A set of parame ters is used named using a counter Thus the parameters of this checker have names of the form ForbiddenFunctions Functionn for n from zero to some limit The forbidden function anal ysis checks each name in turn until one is missing Thus if you have parameters named ForbiddenFunctions Function0 and ForbiddenFunctions Functioni but no parameter named ForbiddenFunctions Function2 the analysis will search for two functions As a caution if you skip a number including zero no larger numbers will be scanned any functions specified after a skipped number will be ignored The format of a parameter is white space function name white space comma reason Leading and trailing white space is allowed next to the function name but any white space after the first comma will become part of the reason string The function name is a fully qualified name but the leading to indicate the global scope may be omitted Member funct
90. es Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm Traverse all SgFunctionCallExp nodes For each node get the list of argument expressions Count the number of new keyword argument expressions Ae WwW N he If the number of new keyword argument expressions exceeds one then flag an error 5 Report all violations 7 48 6 References RES30 C Never allocate more than one resource in a single state ment 7 49 CERT DCL31 C FUNCTION DEFINITION PROTOTYPE 143 7 49 CERT DCL31 C Function Defini tion Prototype CERT Secure Coding DCL31 C states Functions should always be declared with the appropriate function prototype If a function prototype is not avail able the compiler cannot perform checks on the number and type of arguments being passed to functions Argu ment type checking in C is only performed during com pilation and does not occur during linking or dynamic loading 7 49 1 Parameter Requirements This checker takes no parameters and inputs source file 7 49 2 Implementation This pattern is checked using a simple AST traversal of function declaration nodes For each function declaration node find the first non defining function declaration if none is found then flag viola tion 7 49 3 Non Compliant Code Example This example foo has no prototype int foo int i return i int main retu
91. esult is used this could lead to unintended program behavior Rule Severity Likelihood Remediation Cost Priority Level EXP06 A 1 low 1 unlikely 3 low P3 L3 Related Vulnerabilities Search for vulnerabilities resulting from the violation of this rule on the CERT website 7 68 4 References ISO IEC 9899 1999 Section 6 5 3 4 The sizeof operator 180 CHAPTER 7 LIST OF COMPASS CHECKERS 7 69 No Template Usage Finds all usages of C templates It will not detect C template declarations that are not instantiated 7 69 1 Parameter Requirements No parameters are required 7 69 2 Implementation The checker finds all template instatiation declaration template in statiation definitions template instantiation member function dec larations and template instatiation function declarations 7 69 3 Non Compliant Code Example template lt typename t gt class Foo public Foo Foo O 17 F void main Foo lt int gt fi Foo lt float gt ff 7 69 4 Compliant Solution class Foo public Foo Foo void main Foo fi Foo ff 7 69 NO TEMPLATE USAGE 181 7 69 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Traverse the AST 2 For each template instantiations and template declaration re port an er
92. et 7 86 3 Non Compliant Code Example The following non compliant code makes a call to setbuf with an argument of NULL to ensure an optimal buffer size write your non compliant code example FILE file char buf NULL Setup file setbuf file buf ko However there is no way of knowing whether the operation suc ceeded or not 7 86 4 Compliant Solution This compliant solution instead calls setvbuf which returns nonzero if the operation failed write your compliant code example FILE file 7 86 PREFER SETVBUF TO SETBUF 215 char buf NULL Setup file if setvbuf file buf buf _IOFBF _IONBF BUFSIZ 0 Handle error 7 86 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Write your checker algorithm 7 86 6 References ISO TEC9899 1999 TC2 FIO12 A Prefer setvbuf to setbuf 216 CHAPTER 7 LIST OF COMPASS CHECKERS 7 87 Protect Virtual Methods The Elements of C Style item 107 states Do not expose virtual methods in the public interface of a class Use a public methods with a similar name to call the protected virtual method 7 87 1 Parameter Requirements This checker takes no parameters and inputs source file 7 87 2 Implementation This pattern is checked using a simple AST traversal that seeks instances of SgMemberFun
93. eters You can save a copy to your home directory for customization RULE_SELECTION This file lists which checkers to be used A sample file is provided in the ROSE source tree source pro jects compass tools compass RULE_SELECTION in You can save it as RULE_SELECTION in your home directory and flip the or sign before each checker to turn on or off them when running compassMain This file is specified as Com pass RuleSelection home youraccount RULE SELECTION inside of the compass_ parameters file 19 20 CHAPTER 3 USING COMPASS After preparing compassMain s configuration files you can set envi ronment variables as follows assuming using bash and you config ured ROSE using prefix home youraccount opt roseLatest PATH home youraccount opt roseLatest bin PATH export PATH LD_LIBRARY_PATH home youraccount opt roseLatest lib LD_LIBRARY_PATH export LD_LIBRARY_PATH export COMPASS_PARAMETERS home youraccount compass_parameters 3 2 Running Compass Once properly installed and configured running compass is a matter of typing compassMain and handing in a number of options The compassMain program acts just like a compiler so it is appropriate to hand it the same options required to compile your source file e g I directory paths and a source file Compass will figure out the language from the source file suffix Using the help option will provide a more complete list of options available to ROSE based too
94. f the AST for the purpose of al lowing other checkers to pass the AST should not be mod ified this should extend to all the program analysis graphs generated and used by other checkers This is not imple mented yet e Malicious Compass Since Compass does not generate code it can not be used to modify the input software source code or binary or generate a new copy that could be confused with the input However future versions of Compass make make transformation to in troduce greater levels of security fix flaws mitigate specific forms of threats etc It will be important to make sure that such transformation can not change the behavior of an input code to make the modified input code malicious Current pro posed approaches would build a patch which would have to be inspected by a trusted developer before it would be applied to modify the input code e Source Code Replacement Checkers can only be added at compile time to Compass not at run time This means that checkers meaning the source code cannot be exchanged against unsafe versions at run time Fur thermore we allow only the Compass tool builder admin to build versions of Compass that must pass the Compass Verifier e Binary Replacement Our goal is to perform a strong hash e g Secure Hash Algo rithm SHA2 as a checksum on all the checkers part of the binary Compass distribution before Compass is executed In this way Compass will not run if parts of it were modif
95. functions and Section 7 19 6 7 The sscanf function 232 CHAPTER 7 LIST OF COMPASS CHECKERS 7 94 Sub Expression Evaluation Order This checker detects if there exist within an expression sub expressions that update the same variable As the order of eval uation of such expressions is not guaranteed to be left to right any of the sub expressions can be taken place first 7 94 1 Parameter Requirements None 7 94 2 Implementation This checker uses a simple traversal For every function call state ment the checker examines 1 whether the function call has sub expressions that update variables and 2 the variables updated are identical 7 94 3 Non Compliant Code Example int bar int a int b void foo int i 0 bar i i either i could be evaluated first bar i 3 i 4 no particular order is guaranteed He H oul 7 94 4 Compliant Solution int bar int a int b void foo int i 0 H I bar 2 3 fine bar i 2 3 fine H ll 7 94 SUB EXPRESSION EVALUATION ORDER 7 94 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each node check if the node is a function call statement 2 Examine if the function call has sub expressions that update variables 3 If yes examine further if the variables updated are identical 7 94 6 Refer
96. ged to extern by an explicit modifier One of the above cases will always apply 7 98 1 Parameter Requirements This checker does not require any parameters 7 98 2 Non Compliant Code Example void f_noncompliant int x not OK no initializer 7 98 3 Compliant Solution struct foo int member OK class member void f_compliant int n int x n OK initializer present static int y OK static struct foo st OK class type has constructor extern int not_here OK extern 239 240 CHAPTER 7 LIST OF COMPASS CHECKERS 7 98 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each variable declaration without an initializer expression check the above criteria 2 If none of the exceptions apply generate a diagnostic 7 98 5 References A reference for this rule is H Sutter A Alexandrescu C Coding Standards Item 19 Always initialize variables 7 99 UPPER RANGE LIMIT 241 7 99 Upper Range Limit By always using inclusive lower limits and exclusive upper limits a whole class of off by one errors is eliminated Furthermore the following assumptions always apply 1 the size of the interval equals the difference of the two 2 the limits are equal if the interval is empty 3 the upper limit is never less than the lower limit Examples instead of sayi
97. h has been initialized using the contents of the corresponding string literal 1 char c Hello 2 Thus a statement such as c 0 C is valid and will do what is expected 7 17 4 Non Compliant Code Example 1 Although this code example is not compliant with the C99 Stan dard it executes correctly if the contents of CMUfullname are not modified 1 char CMUfullname Carnegie Mellon University 2 char school 3 80 CHAPTER 7 LIST OF COMPASS CHECKERS Get school from user input and validate 4 5 6 if strcmp school CMU 7 school CMUfullname 8 9 7 17 5 Non Compliant Code Example 2 Adding in the const keyword will likely generate a compiler warning as the assignment of CMUfullname to school discards the const qualifier Any modifications to the contents of school after this assignment will lead to errors 1 char const CMUfullname Carnegie Mellon University 2 char school 3 4 Get school from user input and validate 5 6 if stremp school CMU 7 school CMUfullname 8 9 7 17 6 Compliant Solution The compliant solution uses the const keyword to protect the string literal as well as using strcpy to copy the value of CMUfullname into school allowing future modification of school 1 char const CMUfullname Carnegie Mellon University 2 char school 3 Get school from user input and validate if strcmp school CMU Allocate correct a
98. heckers For the latter Compass utilizes the ROSE infrastructure to perform a wide range of general purpose program analyses such as control flow analysis data flow analysis program slicing etc Compass is designed in a way that allows users who do not neces sarily have compiler backgrounds to utilize the ROSE infrastructure to build their own analysis tools Compass is foremost an extensible open source infrastructure for the development of large collections of rules Our current implementation supports automatic defect check ing programming language restriction and malware detection in C C and object code Support for Fortran is a new addition to ROSE and will be supported in Compass in the near future 2 4 Design Compass is designed to be easy to extend Any user may write a checker and add it to Compass Figure 2 3 illustrates the UML design decisions behind Compass Most of the functionality of Compass is in abstract classes hidden in the Compass namespace within compass h a file within the com passSupport directory The figure uses a specific example Const Cast for illustration Compass is designed to support a large number of checkers hundreds All checkers such as the ConstCast checker illustrated in figure 2 3 utilize the abstract classes to traverse a program with all its nodes and to output violations found in that code according to the local algorithm CompassMain is the main executable that initially ca
99. iable in a for loop should be tested against a constant value not a function 85 86 CHAPTER 7 LIST OF COMPASS CHECKERS 7 20 Copy Constructor Const Arg This checks whether the copy constructor for a class uses a const reference as an argument This should always be the case as a copy constructor should never change its input argument and a reference is necessary to avoid needing a copy operator 7 20 1 Parameter Requirements No Parameter necessary 7 20 2 Implementation This checker begins by finding class declarations and getting the class name It then runs through each member of the class until finding a constructor It checks if the constructor has one argument and that argument is a member of the same class If it is and it is not const a message is returned 7 20 3 Non Compliant Code Example class interviewer interviewer interviewer other return 7 20 4 Compliant Solution class interviewer interviewer const interviewer amp other return 7 20 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Identify member function 2 check args for copy constructor 7 20 COPY CONSTRUCTOR CONST ARG 87 3 ensure type and const 4 if not both return notification 7 20 6 References Abbreviated Code Inspection Checklist Section 12 1 2 Copy Con structor 88 CHAPTER 7 LIST OF C
100. ied This is not implemented yet FIXME We should describe the policy for allowing SHA2 to be verified Where the SHAQ results for checkers would be published e g web site etc 18 CHAPTER 2 DESIGN AND VERIFICATION 2 6 Future Work Currently we are engaged in design reviews with CERT we expect that this will lead to improvements in the security to support a key based approach to a trusted execution of tools built within the compass infrastructure including Compass itself Chapter 3 Using Compass Compass is currently distributed as part of ROSE and represents one of many tools that can be built using the ROSE open com piler infrastructure The source code of Compass resides in the ROSE projects compass The compass project is currently divided into three subdirectories representing the compass infrastructure extensions checkers and individual compass like tools As part of building ROSE Compass will be automatically built in the compass directory 3 1 Installation Please follow ROSE Installation Guide to configure make and make install ROSE The Compass executable file compassMain will be available from YOUR_ROSE_INSTALL_PATH bin compassMain needs to know where to find its own configuration information from two files e compass parameters configuration information for compass checkers A default parameter file is generated in your ROSE build tree buildrose projects compass tools compass com pass_param
101. ile Edit Font Help Data read complete Message Folder Displayed FunctionDocumentation Checker 4680 items gt FunctionDocumentation usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h usr include libio h h h h h h h h h h h h FunctionDocumentation gt FunctionDocumentatiol FunctionDocumentatiol gt FunctionDocumentatiol FunctionDocumentatiol gt FunctionDocumentatior gt FunctionDocumentatio gt FunctionDocumentatio gt FunctionDocumentatio gt FunctionDocumentatio gt FunctionDocumentatio gt FunctionDocumentatio FunctionDocumentation usr include libio FunctionDocumentation usr include libio gt FunctionDocumentation usr include libio FunctionDocumentation usr include libio gt FunctionDocumentation usr include libio FunctionDocumentation usr include libio gt FunctionDocumentation usr include libio FunctionDocumentation usr include libio gt FunctionDocumentation usr include stdio FunctionDocumentation usr include stdio pi anatientecunment on usr inelude atdio 4 Traceback usr include libio h 403 This function is not documented function name _10_cooki
102. in stead include lt stdio h gt int main FILE f fopen tmp tmp txt r fclose f return 0 7 43 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal visiting all function call expres sion nodes 2 For each function call expression node unparse node string then to determine the function name and parse the format parame ter 3 Check the format parameter against list of standard values If given format parameter does not conform to list of specified values then flag violation 4 Report any violations 7 43 6 References S ecure Coding FIO11 A Take care when specifying the mode pa 132 CHAPTER 7 LIST OF COMPASS CHECKERS 7 44 For Loop Construction Control Stmt ALE3D Coding Standards amp Style Guide item 6 1 states that for construction loops must only include statements that control the loop In particular for loops must not initial ize or increment decrement variables not directly related to the loop control 7 44 1 Parameter Requirements This checker takes no parameters and inputs the source file 7 44 2 Implementation This pattern is checked using a simple AST traversal that seeks out for loop statement constructs A list of variables set in the initializa tion block is generated A list of variables set in the
103. in order to display all errors for the current line while f4 will move the cursor to the next error A short explanation of the code in figure 3 5 is that the first line will require the flymake extension to be available upon loading emacs while the second line will load the find file hook and flymake find file hook functions The setq sections that follows runs Compass for all files that are being edited that has the c and C extensions The list section tells flymake to execute the check syntax rule in the makefile Example check syntax rule Figure shows an example makefile that compiles a file one C using g If one C is edited using emacs the addition of the check syntax rule is needed as shown in figure 3 3 2 Using Compass With Vim Compass can be used with Vim 7 s QuickFix commands to display warning messages and highlight the source lines in question A com pass compiler plugin compass vim as shown in Figure 3 S has been provided for Vim to parse the warning messages outputted by Com pass Steps to make Compass work with Vim 7 e Save compass vim into vim compiler Create the target di rectory if it does not exist 26 CHAPTER 3 USING COMPASS New Compass support for Emacs using version 22 of Emacs and Flymake Comment out these two lines to use older version of emacs require flymake setq flymake allowed file name masks cons C flymake simple make init flymake
104. increment decre ment block is generated Any variable in the increment decrement list of variables must be in the initialization list of variables 7 44 3 Non Compliant Code Example This non compliant code initializes the array inside the for control statement include lt stdlib h gt int main int array int malloc 100 sizeof int int j 100 for int i 0 i lt 100 i j arraylil j free array return 0 mainO 7 44 4 Compliant Solution The compliant solution simply moves the array initialization inside the for loop body 7 44 FOR LOOP CONSTRUCTION CONTROL STMT 133 include lt stdlib h gt int main int array int malloc 100 sizeof int for int i 0 i lt 100 i array i i free array return 0 mainO 7 44 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal visiting all for statements 2 Generate a list of variables set in the initialization block 3 Generate a list of variables set in the increment decrement block 4 Report any variable in the increment decrement list of variables that are not in the initialization list of variables as a violation 7 44 6 References Arrighi B Neely R Reus J ALE3D Coding Standards amp Style Guide 2005 134 CHAPTER 7 LIST
105. ion Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 2 3 4 5 Identify member function Check Name for operator Get return type check for typename and const find explicit return and check for this 7 4 6 References Abbreviated Code Inspection Checklist Section 12 1 4 Assignment Operator 7 5 AVOID USING THE SAME HANDLER FOR MULTIPLE SIGNALS 59 7 5 Avoid Using The Same Handler For Multiple Signals It is possible to safely use the same handler for multiple signals but doing so increases the likelihood of a security vulnerability The delivered signal is masked and is not delivered until the registered signal handler exits However if this same handler is registered to handle a different signal execution of the handler may be inter rupted by this new signal If a signal handler is constructed with the expectation that it cannot be interrupted a vulnerability might exist To eliminate this attack vector each signal handler should be registered to handle only one type of signal 7 5 1 Parameter Requirements No Parameter specifications 7 5 2 Implementation No implementation yet 7 5 3 Non Compliant Code Example This non compliant program registers a single signal handler to pro cess both SIGUSR1 and SIGUSR2 The variable sig2 should be set to one if one or more SIGUSR1 signals are followed by SIGUSR2
106. ions are given with their class qualifications just as they would be referred to when access ing a pointer to them Choosing one overload from an overload set sharing the same name is not supported The reason field is used to indicate why a particular function is forbidden it may be any string not containing a newline and is printed out as part of the error message when the corresponding function is found It is also possible to omit the comma and the reason field leaving just the function name as the parameter in this case no reason will be given for the function s prohibition 7 46 2 Implementation This pattern is checked using a simple AST traversal visiting all SgFunctionCallExp nodes For each node the name of the function being called is compared to those listed as forbidden functions If a match is found between the function call name and the forbidden function name then flag an error 7 46 FORBIDDEN FUNCTIONS 137 7 46 3 Non Compliant Code Example In this example it is assumed that the function compass_forbidden_function_vfork is forbidden by the pa rameter file compass_forbidden_function_vfork is a function meant to simulate a system routine This makes no difference as an example of how forbiddenFunctions checks errors as it works only on function names The reason we have used this example is to prevent compass from treating this test file as an error during make verify in which compass checks it
107. is test checks to make sure that the first statement in a assignment operator is a check for self assignment As noted in An Abbreviated C Code Inspection Checklist 12 1 3 This will save time allo cating new memory and hopefully deleting the previous copy The check for return this is handled by another checker 7 3 1 Parameter Requirements No parameters required 7 3 2 Implementation This test checks to make sure that the first statement in a assignment operator is a check for self assignment As noted in An Abbreviated C Code Inspection Checklist 12 1 3 This will save time allo cating new memory and hopefully deleting the previous copy The check for return this is handled by another checker 7 3 3 Non Compliant Code Example class bike public const bike amp operator const bike amp other const bikeg bike operator const bike amp other return this 7 3 4 Compliant Solution const bike amp bike operator const bike amp other if this other return this return this 55 56 CHAPTER 7 LIST OF COMPASS CHECKERS 7 3 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm Identify member function Check name for operator Check first statement as If Statement Ae O N e Check arguments to expression to be this and the right hand argument
108. kers in Compass The di rectory compassVerify contains the implementation of this subset of Compass that is used on itself These checkers may not be modified and in the future MD 5 checksums will be provided to ensure the integrity of this subset of Compass To verify the compass checkers run e make verify This makefile rule runs the compassVerify compassMain on all 3 8 TESTING COMPASS AND ITS CHECKERS the source files in all the checkers directories in Compass Be cause it runs compass on so many separate files this step can take a long time e Or make oneBigVerify The makefile rule runs the compassVerify compassMain on a single generated file built from all the checker source files and is particularly quick to run 3 8 Testing Compass and its Checkers The tests directory contains directories of tests that are language specific e C tests This directory contains a Makefile which will use the ROSE C test codes to test Compass e Cxx_tests This directory contains a Makefile which will use the ROSE C test codes to test Compass To run these tests type make check at any level on the Compass directory hierarchy of the build tree 31 32 CHAPTER 3 USING COMPASS 3 9 How To Write A New Checker 3 9 1 Creating A Skeleton Compass has scripts for creating a skeleton for a new Compass checker This skeleton can be easily adapted to write all checkers Follow these steps to generate a checker skeleton 1 Enter a direct
109. ks if node is call to exit then flag violation 3 Report any violations 7 63 6 References Arrighi B Neely R Reus J ALE3D Coding Standards amp Style Guide 2005 170 CHAPTER 7 LIST OF COMPASS CHECKERS 7 64 No Goto This checker detects uses of goto statements conforming with High Integrity C Coding Standard Manual rule 5 8 Do not use goto 7 64 1 Parameter Requirements No parameter is needed 7 64 2 Non Compliant Code Example void foo tryAgain try doSomething catch goto tryAgain 7 64 3 Compliant Solution void foo do try doSomething catch continue break while true 7 64 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Look for goto expressions 7 64 NO GOTO 7 64 5 References The Programming Research Group High Integrity C Coding Standard Manual rule 5 8 Do not use goto 171 172 CHAPTER 7 LIST OF COMPASS CHECKERS 7 65 No Overload Ampersand The C standard ISO IEC 14882 2003 says in Section 5 3 1 para graph 4 that The address of an object of incomplete type can be taken but if the complete type of that object is a class type that declares oper ator amp as a member function then the behavior is undefined and no diagnostic is required Therefore to avoid possible
110. lations of the described cases the analysis results in warnings The algorithm searches first for each occurance of a SgDeleteExp and backtracks this Node to its definition If we find a SgNew operation we need to see if the delete and new operations match i e whether they are both operations on pointers or arrays The following cases are checked for and handled during the back wards dataflow analysis case V_SgNewExp case V_SgVarRefExp case V_SgAddressOfOp case V_SgCastExp case V_SgIntVal The above indicates a recursive algorithm 7 60 5 References 7 61 NO ASM STMTS OPS 165 7 61 No Asm Stmts Ops 7 61 1 Parameter Requirements This checker takes no parameters and inputs source file 7 61 2 Implementation This checker uses a simple AST traversal that checks for SgAsm Stmt s and SgAsmOp s Any such nodes that are found are flagged as violations 7 61 3 Non Compliant Code Example This example is taken from Cxx_tests test2006_98 C typedef int _Atomic_word ifndef __INTEL_COMPILER Intel complains that the input register m cannot have a modifier static inline _Atomic_word __attribute__ __unused__ __exchange_and_add volatile _Atomic_word __mem int __val register _Atomic_word __result __asm__ __volatile__ lock xadd 1 0 11 1 0 r __result m __mem o __val memory return __result endif 7 61 4 Compliant Solution The compliant solution does no
111. ld not necessarily be detected int return_const return 42 int main int s int return_const return 0 7 29 3 Non Compliant Code Example The following illustrates a number of non compliant examples in which functions are assumed to exist at certain fixed addresses fn ptr example direct from MITRE except with added cast int pt2fn_fixed_addr float char char int float char char 0x08040000 int pt2fn_fixed_addr_nocast int 0x08040000 int pt2fn_arith_addr float char char 7 29 DO NOT ASSIGN POINTER TO FIXED ADDRESS 103 int float char char 0x08040000 0x200 int pt2fn_assgn_fixed_addr float char char pt2fn_assgn_fixed_addr int float char char 0x08040000 arrays of function pointers typedef int fnptr void fnptr f 2 fnptr 0x08010000 fnptr 0x08020000 int pt2fn_array_fixed_addr 21 void int void 0x08010000 int void 0x08020000 typedef fnptr ind_fnptr fnptr f_indirect 2 fnptr 0x08010000 fnptr 0x08020000 F int pt2fn_arith_implicit_cast_addr float char char int float char char 0x08010000 0x10 int pint_plus_zero int 0x2 0 7 29 4 References CWE 587 104 CHAPTER 7 LIST OF COMPASS CHECKERS 7 30 Do Not Call Putenv With Auto Var The POSIX function putenv is used to set environment variable values The putenv fu
112. le can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal and visit all declaration state ment nodes 2 For each declaration statement check the friend modifier If friend modifier is set then flag violation 3 Report any violations 7 47 6 References Bumgardner G Gray A and Misfeldt T The Elements of C Style Cambridge University Press 2004 7 48 FUNCTION CALL ALLOCATES MULTIPLE RESOURCES 141 7 48 Function Call Allocates Multiple Resources CERT Secure Coding RES30 C states Allocating more than one resource in a single statement could result in a memory leak and this could lead to a denial of service attack 7 48 1 Parameter Requirements This checker takes no parameters and inputs source file 7 48 2 Implementation This pattern is checked using a simple AST traversal on each Sg FunctionCallExp node For each node get the expression list of its arguments and check if any such argument expressions are the new keyword If the number of new expressions exceeds one then flag an error 7 48 3 Non Compliant Code Example class A Fs class B Fs int foo A a B b return 0 int main A xa new A B b new B int i fool a b ok return foo new A new B bad 142 CHAPTER 7 LIST OF COMPASS CHECKERS 7 48 4 Compliant Solution See the call to foo above 7 48 5 Mitigation Strategi
113. lgorithm 1 Identify function declaration 2 Check arguments for base type 3 if non intrinsic type and not a reference notify 7 73 6 References Abbreviated Code Inspection Checklist Section 13 1 Argument Passing 190 CHAPTER 7 LIST OF COMPASS CHECKERS 7 74 Non Standard Type Ref Returns While it is cheaper to pass ints longs and such by value passing objects this way incurs significant expense due to the construction of temporary objects The problem becomes more severe when in heritance is involved Simulate pass by value by passing const refer ences 7 74 1 Parameter Requirements No parameters necessary 7 74 2 Implementation The return types to all functions are checked for base type in the declaration If the base type is found to be a struct or a class it is then checked to ensure it is a reference If it is not a notification is raised 7 74 3 Non Compliant Code Example class incrediblyComplex private loads of members incrediblyComplex justLooking incrediblyComplex fullCopy new incrediblyComplex return fullCopy 7 74 4 Compliant Solution class incrediblyComplex private loads of members 7 74 NON STANDARD TYPE REF RETURNS 191 incrediblyComplex amp justLooking incrediblyComplex fullCopy new incrediblyComplex return fullCopy 7 74 5 Mitigation Strategies Static Analysis Compliance with this rule can be checke
114. liant Code Example void print int void f int i i should be declared at the for loop int sum 0 sum is OK i is only used in the for scope for i 0 i lt 10 i sum is used right after the block of declaration it belongs sum i sum is used in the scope of definition print sum 7 54 3 Compliant Solution void print int void f int sum 0 for int i 0 i lt 10 i sum i print sum 7 54 LOCALIZED VARIABLES 7 54 4 Mitigation Strategies Static Analysis The checker uses a scoped symbol table to track some properties about variable Was the variable used Was the variable in the same scope as its declaration Was the variable used right after the the declaration Is the declaration right before the current point of the traversal The traversal updates these flags Once a scope finished to be traversed since the variables declared in the scope cannot be used any further they are checked for the flags used used in the same scope and used right after its declaration There is another flag saying if the variable is a constant In this case only check that the variable have been used whereever it is This implementation does not care about aliasing For more infor mations see subsection 7 54 6 7 54 5 References Alexandrescu A and Sutter H C Coding Standards 101 Rules Guidelines and Best Practices Addison Wesley 2005 7 54 6 Limitations
115. lls ROSE to parse a program Then butldCheckers is called to load all checkers that are specified within a configuration file The configuration file allows users to turn on and turn off specific checkers for their run time analyses However the configuration file only permits checkers to be loaded that were part of Compass at compile time The main interface file compass h contains the class Checker and the abstract class OutputObject Checker is the interface to ROSE giving the metadata for a checker and a function to apply the checker to a given AST OutputObject aids to output defects found by a specific checker More functionality to handle e g file input and parameters provided to Compass is provided within the Compass namespace 2 5 Compass Verifier Compass must be safe so that analyses and their results can be trusted The Compass Verifieris used at build time to run a specific set of separate compass rules offer the source code of all the checkers 2 5 COMPASS VERIFIER 15 lt lt interface gt gt OutputObject addOutput void lt lt interface gt gt getOutputList void TraversalBase parseStringO void tun void openFileQ void traverseQ void findParameterFileQ vaid getOuputQ void outputT gui void PrintingOutputObject getName void getShortDescription void getLongDescriptionQ voig lt lt realize gt gt addOutput void lt lt interface gt gt outputT guid void OutputViolation
116. ls See also the section of this chapter on the include exclude options for path and file names as these will permit the output from header files to be tailored For example to test a checker which warns about error prone pointer comparison You can modify RULE SELECTION to only turn on PointerComparison A test input code pointerCompar isonTest1 C is provided in sourcetree projects compass extension s checkers pointerComparison command line to run compassMain on a source file compassMain pointerComparisonTest1 C output of the command Running Prerequisite SgProject Running checker PointerComparison PointerComparison pointerComparisonTest1 C 16 7 19 Warning Error prone pointer comparison using lt lt gt or gt 3 3 Output from Compass Output from compass can be generated in a number of forms the default is ASCII text output of the messages about rule violations with the source code position in GNU standard source code position format This form can be used to interact with external tools e g Emacs to permit alternative interface to Compass Mechanisms available include 3 3 OUTPUT FROM COMPASS e Emacs Detecting errors while you type 3 5 and 3 1 e Vim 7 Compass can work with Vim 7 s QuickFix commands to high light source lines with error messages 3 9 CompassGUI There is also a Compass GUI for reviewing Compass output and interactively rerunning compass and sifting through the output while
117. ls like Compass that utilizes the work put into Compass checkers There are many reasons why one would like to have a separate executable tool beneath Compass rather than simply customizing a particular build of the Compass tool An individual or organization may consider a specific subset of Compass checker rules to be particularly relevant thus would like to have a custom tool to check only these rules Another scenario may find that the particular interface for Compass through the command line needs to be changed but it is not advisable to alter Compass main directly This section will demonstrate how to extend the Compass infras tructure and checkers to build a separate executable tool beneath the Compass project A simple tutorial will detail the steps nec essary to instantiate the Compass infrastructure The these steps have been followed and the mechanism is demonstrated in an exam ple directory sampleCompassSubset this directory can be copied Suppose one wishes to build a version of Compass with only those checker rules authored by an individual for debugging purposes Cer tainly it would not be desirable for the main Compass tool to only consist of this subset of rules yet this specialized version might be 34 CHAPTER 3 USING COMPASS required regularly enough for repeatedly altering of the static or dynamic checker rule selection files to become troublesome The so lution is to use the Compass infrstructure to build a se
118. luate the structures to be unequal regardless of the contents of their fields 1 struct my_buf 2 size_t size char buffer 50 hs 3 4 5 6 unsigned int buf_compare struct my_buf s1 struct my_buf s2 7 if Imemcmp s1 s2 sizeof struct my_struct 8 return 1 9 10 return 0 11 12 7 12 2 Compliant Solution To accurately compare structures it is necessary to perform a field by field comparison Summit 95 The buf_compare function has been rewritten to do this 1 struct my_buf 2 size_t size 3 char buffer 50 4 5 6 unsigned int buf_compare struct buffer s1 struct buffer s2 7 if si gt size s2 gt size return 0 8 if strcmp si gt buffer s2 gt buffer 0 return 0 9 return 1 10 11 7 12 3 Risk Assessment Failure to correctly compare structure can lead to unexpected pro gram behavior 7 12 SECURE CODING EXP04 A DO NOT PERFORM BYTE BY BYTE COMPARISONS BETWEEN STRUC Rule Severity Likelihood Remediation Cost Priority Level EXP04 A 2 medium 1 unlikely 1 high P2 L3 Related Vulnerabilities Search for vulnerabilities resulting from the violation of this rule on the CERT website 7 12 4 References Dowd 06 Chapter 6 C Language Issues Structure Padding 284 287 Section 6 7 2 1 Structure and union speci fiers Kerrighan 88 Chapter 6 Structures Structures and Functions 129
119. ly one public base class others may be non public class B public Interface private Implementation ko 7 58 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each class definition inspect the list of inheritances If more than one base class is listed as public emit a diagnostic 7 58 MULTIPLE PUBLIC INHERITANCE 7 58 5 References This checker is a small part of the excellent discussion in S Meyers Effective C Second Edition Item 43 Use multiple inheritance judiciously 161 162 CHAPTER 7 LIST OF COMPASS CHECKERS 7 59 Name All Parameters This checker warn for anonymous parameters in function declara tions and definitions For definitions if the argument is not used a static_cast lt void gt should be used instead of not naming the pa rameter This checker check for the rule 22 from The Elements of C Style Misfeldt and al 2004 7 59 1 Parameter Requirements There is no parameter requirement 7 59 2 Non Compliant Code Example void f int 7 59 3 Compliant Solution To avoid warning messages from the compiler about unused vari ables you can use a static_cast lt void gt to mark unused parame ters void f int i static_cast lt void gt i 7 59 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using struc
120. me cases the list of undesirable functions is too large for a mechanism like forbidden functions to be effec tive This allowed functions checker performs the opposite by fil tering function references against a premade accepted list Only those function on this list are allowed in the source and any other function reference used is a reported violation Usually the list of allowed functions is generated based off trusted sources input to the checker 7 2 1 Parameter Requirements The compass_parameter requirement for this checker has several op tions including e AllowedFunctions OutFile specifies the file name path for the output of this checker The list of all allowed func tions are written to this file formatted identically to com pass_parameters All other options passed to allowedFunctions by compass_parameters is also preserved in this output file e AllowedFunctions Function appends an allowed function given in the manged name format written by this checker The parameters of this format must start sequentially at zero and increment until FunctionNum minus one e AllowedFunctions FunctionNum a simultaneous boolean flag and state variable specifies the total number of allowed func tions in the accepted list If this number is postive the allowed function checker executes in testing mode where all new func tion references are written to OutFile as new allowed functions A negative value for FunctionNum switches the che
121. ment given to putenv is used In particular this string becomes part of the environment changing it later will change the environment Thus it is an error to call putenv with a pointer to a buffer of automatic storage duration as the argument then return from the calling function while the string is still part of the environment However glibc 2 0 2 1 1 differs a copy of the string is used On the one hand this causes a memory leak and on the other hand it violates SUSv2 This has been fixed in glibc2 1 2 The BSD4 4 version like glibc 2 0 uses a copy SUSv2 removes the const from the prototype and so does glibc 2 1 3 The FreeBSD implementation of putenv copies the value of the provided string and the old values remain accessible indefinitely 7 30 DO NOT CALL PUTENV WITH AUTO VAR As a result a second call to putenv assigning a differently sized value to the same name results in a memory leak 7 30 3 Non Compliant Code Example In this non compliant coding example a pointer to a buffer of au tomatic storage duration is used as an argument to putenv Dowd 06 The TEST environment variable may take on an unintended value if it is accessed once func has returned and the stack frame containing env has been recycled Note that this example also violates rule DCL30 C Declare objects with appropriate storage durations int func char var char env 1024 if snprintf env sizeof env TEST s
122. mount of space for copy strcpy school CMUfullname COANOO SA 7 17 7 Risk Assessment Modifying string literals causes undefined behavior resulting in ab normal program termination and denial of service vulnerabilities Rule Severity Likelihood Remediation Cost Priority Level STRO5 A 1 low 3 likely 2 medium P6 L3 Related Vulnerabilities Search for vulnerabilities resulting from the violation of this rule on the CERT website 7 17 SECURE CODING STRO5 A PREFER MAKING STRING LITERALS CONST QUALIFIED81 http www open std org jtcl sc22 wg21 docs papers 1993 N0389 asc Section 6 7 8 Initialization Lock heed Martin 2005 Lockheed Martin Joint Strike Fighter Air Vehicle C Coding Standards for the System Development and Demonstration Program Document Number 2RDU00001 Rev C December 2005 AV Rule 151 1 CHAPTER 7 LIST OF COMPASS CHECKERS 7 18 Constructor Destructor Calls Vir tual Function C Coding Standards states that Virtual functions only virtually always behave virtu ally Inside constructors and destructrors they don t Worse any direct or indirect call to an unimplemented pure virtual function from a constructor or destructor re sults in undefined behavior If your design wants virtual dispatch into a derived class from a base class construc tor or destructor you need other techniques such as post constructors 7 18 1
123. n actual vulnerability Freeing memory in different mod ules resulted in a vulnerability in MIT Kerberos 5 MITKRB5 SA 2004 002 The problem was that the MIT Kerberos 5 code contained error handling logic which freed memory allocated by the ASN 1 decoders if pointers to the allocated memory were non NULL How ever if a detectable error occured the ASN 1 decoders freed the memory that they had allocated When some library functions re ceived errors from the ASN 1 decoders they also attempted to free causing a double free vulnerability 7 1 1 Parameter Requirements No Parameter specifications 7 1 2 Implementation No implementation yet 7 1 3 Non Compliant Code Example This example demonstrates an error that can occur when memory is freed in different functions The array which is referred to by list and its size number are then passed to the verify list func tion If the number of elements in the array is less than the value MIN_SIZE_ ALLOWED list is processed Otherwise it is assumed an error has occurred list is freed and the function returns If the error occurs in verify_list the dynamic memory referred to by list will be freed twice once in verify_list and again at the end of process _list 7 1 ALLOCATE AND FREE MEMORY IN THE SAME MODULE AT THE SAME LEVEL OF ABSTRACTION51 write your non compliant code example int verify_size char list size_t list_size if size lt MIN_SIZE_ALLOWED Handle
124. nalFunctions maxIntOps defines the maximum of inte ger operations permitted computationalFunctions maxFloatOps defines the maximum of floating point operations permitted 7 15 4 Implementation The implementation checks for the following direct types e SgAddOp e SgSubtractOp e SgDivideOp e SgMultiplyOp The implementation checks for the following indirect types e SgCastExp operations hidden behind cast e SgVarRefExp variable operations e SgPointerDerefExp pointer operations e SgPntrArrRefExp array operations 75 76 CHAPTER 7 LIST OF COMPASS CHECKERS 7 15 5 References 7 16 CONST CAST 77 7 16 Const Cast Casting the constness away should never be done Casting away constness via const_cast is just plain false advertising If a member function s signature is void someFunc const foo amp arg then the function advertises to it s clients that it will not call any non const member functions on the arg Casting the constness of arg away to allow the use of non const member functions can create unexpected results for clients of this function 7 16 1 Parameter Requirements No paramaters are needed 7 16 2 Implementation The checker inspects every cast in the AST If the type casted to is equal to the type casted from minus the const modifier it is an error 7 16 3 Non Compliant Code Example void foo const int x 2 int y int x 7 16 4 Compliant Solution void foo int x 2 int y x
125. nction does not create a copy of the string supplied to it as an argument rather it inserts a pointer to the string into the environment array If a pointer to a buffer of automatic storage duration is supplied as an argument to putenv the memory allocated for that buffer may be overwritten when the containing function returns and stack memory is recycled This behavior is noted in the Open Group Base Specifications Issue 6 Open Group 04 A potential error is to call putenv with an automatic variable as the argument then return from the calling function while string is still part of the environment The actual problem occurs when passing a pointer to an automatic variable to putenv An automatic pointer to a static buffer would work as intended 7 30 1 Parameter Requirements No Parameter specifications 7 30 2 Implementation The putenv function is not required to be thread safe and the one in libc4 libc5 and glibc2 0 is not but the glibc2 1 version is Description for libc4 libc5 glibc If the argument string is of the form name and does not contain an character then the variable name is removed from the environment If putenv has to allo cate a new array environ and the previous array was also allocated by putenv then it will be freed In no case will the old storage associated to the environment variable itself be freed The libc4 and libc5 and glibc 2 1 2 versions conform to SUSv2 the pointer argu
126. ng a single file RULE SELECTION The name of this file is specified in the compass_parameters file this name may be changed The directo ries searched are current directory user home directory and Com FIXME The current pass source tree respectively implementation may not support all of the mentioned search paths Compass RuleSelection path to your RULE_SELECTION In order to select a checker to run the user must e Add a line lt name of checker gt in a file called RULE_SELECTION e Ifa line lt name of checker gt already exist the can be mod ified into a to enable the checker or into a to disable a checker It is required that every checker integrated into the Compass build is mentioned in the RULE SELECTION 3 6 Including Excluding Paths and File names with Compass Compass permits paths and filenames to be specified for in clusion exclusion in reporting checker rule violations Run compassMain help to see the commandline options Numerous other commandline options provided for all tools build using ROSE may also be relevant 3 7 Checking Security Properties of Checkers Compass is designed for extensibility while providing the security for the codes being checked To support this Compass provides a simple mechanism for verifying specific properties of the checkers used in Compass Compass implements a specific small number of checkers that are used for checking the chec
127. ng x 23 and x 42 use x 23 and xj43 7 99 1 Parameter Requirements No parameters required 7 99 2 Implementation In a fairly straight forward implementation we search for the greater than or equal to operator 7 99 3 Non Compliant Code Example int x 5 if x gt 5 xXt write your non compliant code example write your non compliant code example 7 99 4 Compliant Solution int x 5 if x gt 4 xXt write your non compliant code example write your compliant code example 242 CHAPTER 7 LIST OF COMPASS CHECKERS 7 99 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 find greater than or equal to operator 2 raise alert 7 99 6 References Abbreviated Code Inspection Checklist Section 11 1 2 Control Vari ables 7 100 VARIABLE NAME EQUALS DATABASE NAME 7 100 Variable Name Equals Database Name For some member function accesses the name of the local variable that gets assigned the result of the function call should have a name equal to the first argument ALE3D E g real8 sx regM gt fieldReal sx real8 syy regM gt fieldReal sy Where the name of the local variable is not the same as the name in the database for syy but it is the same for sx This checker will only report the locations of the assign expressions where this rule is n
128. ns Always return objects by refer ences C 6 14 Misc or Undocumented duffsDevice Detect Duffs Device a switch statement contain ing a loop that contains one of the switch s case or default labels explicitCharSign fileReadOnlyAccess Readonly access to fopen used inter nally for Compass Verifier time_tDirectManipulation Do not directly manipulate time_t values Use difftime nameConsistency possibly Replicated Variables staticConstructorInitialization subExpression Evaluation Order typeTypedef binary BufferOverflow binaryInterruptAnalysis binPrint AsmFunctions binPrint AsmInstruction asynchronousSignalHandler bufferOverflowFunctions Chapter 7 List of Compass Checkers 49 50 CHAPTER 7 LIST OF COMPASS CHECKERS 7 1 Allocate And Free Memory In The Same Module At The Same Level Of Ab straction Allocating and freeing memory in different modules and levels of abstraction burdens the programmer with tracking the lifetime of that block of memory This may cause confusion regarding when and if a block of memory has been allocated or freed leading to programming defects such as double free vulnerabilities accessing freed memory or writing to unallocated memory To avoid these situations it is recommended that memory be allo cated and freed at the same level of abstraction and ideally in the same code module The affects of not following this recommendation are best demon strated by a
129. nsequently the second operand should not contain side effects because if it does it is not apparent if the side effect occurs 7 67 1 Parameter Requirements No parameters required 7 67 2 Implementation We check for And or Or We then query for any of a set of operators known to have side effects This checker has the known deficiency of not checking function calls for side effects To avoid false positives it does not notify of functions at all 7 67 3 Non Compliant Code Example int i int max if i gt 0 amp amp i lt max code It is unclear whether the value of i will be incremented as a result of evaluating the condition 7 67 4 Compliant Solution In this compliant solution the behavior is much clearer int i int max if i gt 0 amp amp i 1 lt max i code 7 67 NO SECOND TERM SIDE EFFECTS 177 7 67 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Find the And or Or operator 2 query the right hand child for known side effect having opera tors 7 67 6 References ISO IEC 9899 1999 TC2 ISO IEC 9899 1999 Section 6 5 13 Log ical AND operator and Section 6 5 14 Logical OR operator 178 CHAPTER 7 LIST OF COMPASS CHECKERS 7 68 Secure Coding EXP06 A Operands to the sizeof operator should not contain side effec
130. number 11 char result 100 12 float fnum 3 14159 13 sprintf result f fnum 16 char stri Sample string 17 char str2 40 18 char str3 40 19 memcpy str2 stri strlen stri 1 20 memcpy str3 copy successful 16 21 printf stri s nstr2 s nstr3 s n stri str2 str3 7 11 2 Compliant Solution Example as above use snprintf instead of sprintf 7 11 3 Parameter Requirements None 7 11 4 Implementation The following functions are checked for e sprintf e scanf e sscanf e gets e strcpy 7 11 NO REFERENCE BUFFER OVERFLOW FUNCTIONS e _mbscpy e Istrcat e memcpy e strcat 7 11 5 References Foster James C Foster Vitaly Osipov Nish Bhalla Niels Heinen Buffer Overflow Attacks ISBN 1 932266 67 4 p 211 69 70 CHAPTER 7 LIST OF COMPASS CHECKERS 7 12 Secure Coding EXP04 A Do not perform byte by byte comparisons be tween structures Structures may be padded with data to ensure that they are properly aligned in memory The contents of the padding and the amount of padding added is implementation defined This can can lead to in correct results when attempting a byte by byte comparison between structures 7 12 1 Non Compliant Code Example This example uses memcmp to compare two structures If the struc tures are determined to be equal buf_compare should return 1 otherwise 0 should be returned However structure padding may cause memcmp to eva
131. o be in the buildInterpreter directory The buildInterpreter tool works as a replacement for the C C compiler during compilation like e g buildInterpreter o ex1 ex1 C The output of the run is a database representing how to compile ex1 C The name of the output database is specified by the dbname field in the rqmc file found in the ROSE build directory under pro jects compass tools compass buildInterpreter rqmc and defaults to test db To capture the state of a whole build system use buildInterpreter as a replacement for the C C compiler during the build E g for gnu make 4 2 RUNNING COMPASS GUI ON AN AUTOTOOLS PROJECT 39 make CC buildInterpreter CXX buildInterpreter 4 2 2 Build A Project Using the Discerned Build To build a project using Compass specify the output database from the capturing of the build state with the outputDb paramater to the Compass GUI The environment variable must be defined like in e g cd directory with build project sources env COMPASS_PARAMETERS location of compass_pramateres compass gui build compassMainGui In the GUI click on regenerate to build the project The viola tions found during the build is put into the database for subsequent lookup After regenerating select the checkers that you are interested and and click refresh to display the corresponding violations 40 CHAPTER 4 USING COMPASS GUI Chapter 5 Using Compass Verifier Compass
132. opment and Re Engineering Project NASA IEEE Software Engineering Workshop Washington DC USA April 2005 146 CHAPTER 7 LIST OF COMPASS CHECKERS 7 51 Induction Variable Update This test finds the location in loops for do while while where induction variables is updated through arithmetic operations 7 51 1 Parameter Requirements None 7 51 2 Implementation This pattern is detected using a simple traversal It traverses AST to obtain information about induction variables and to locate state ments that assign a new value to the induction variables However this checker does not track pointers whether or not the pointers ac tually update induction variables In addition function calls that may update induction variables are not considered here either 7 51 3 Non Compliant Code Example void foo int i int j 0 int k 0 for i 0 i 10 i if 0 i 3 while j lt 10 if 1 j 3 j j 2 if 2 k 3 7 51 INDUCTION VARIABLE UPDATE 147 while k lt 10 7 51 4 Compliant Solution write your compliant code example 7 51 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Find a loop and detect its induction variable 2 Check if the variable is updated inside the loop by examining its loop body 7 51 6 References The Programming Research Group
133. or to calls to STL algorithms for reasons of efficiency correctness and maintainability This checker is meant to highlight cases where a loop might be re placed by an equivalent STL algorithm call It reports for loops where the loop head fulfills the following properties e The initialization part contains an assignment or variable dec laration with an initializer e the condition part consists of an inequality comparison and e the increment part consists of an increment or decrement op eration For loops on integer or floating point types are not reported as those cannot be replaced by STL algorithms 7 84 1 Parameter Requirements This checker does not require any parameters 7 84 2 Non Compliant Code Example include lt vector gt void add_x_to_each_element_noncompliant int x std vector lt int gt amp v not OK loop to add x to each element std vector lt int gt iterator v_itr for v_itr v begin v_itr v end v_itr v_itr x 7 84 3 Compliant Solution include lt vector gt include lt algorithm gt include lt functional gt void add_x_to_each_element_compliant int x std vector lt int gt amp v OK using an algorithm to add x to each element transform v begin v end v begin std bind2nd std plus lt int gt x 7 84 PREFER ALGORITHMS 211 7 84 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural sta
134. ors are orthogonal to there use in alternative tools Alternative tool interfaces should be possible and will further demonstrate the independence of the input and output mechanisms to the designs and implementation of the core detectors Add Your Own Detector Detectors written in Compass make direct use of ROSE and are designed to be copied and extended by users to develop their own detectors We welcome the contribution of these detectors back to the ROSE team for inclusion into future releases of Compass full credit for all work will be provide to all authors Compass is an open source project using ROSE an open source compiler infrastructure Each of the detectors are examples of how to add your own detector to Compass If you build a detector that you would like to have be distributed with Compass please send it to us and we will add your as an external contributor Guidelines for contributions e Use any Compass detector and an example e provide the documentation about your detector e Use any features in ROSE to support your detector AST Con trol Flow graph System dependence Graph Call Graph Class Hierarchy Graph etc e Your detector should have NO side effects on the AST Chapter 2 Design and Verification Compass is a tool is used to analyze software both source code and binaries A collection of checkers are built with each of them detecting the violation of a rule By reporting on the violations of rules Comp
135. ory where you want the directory of your checker to be created For example rosesourcetree projects com pass extensions checkers 2 Execute ROSE_SRC_DIR projects compass src compass_scripts gen_checker sh lt name of your checker gt the name of your checker can have space and the script will automatically concatenate them to camel case e g multiple case on same line The results of executing gen_checker sh script is that a new directory name multipleCasesOnSameLine name of your checker in camel case is created with the following files e compass parameters internal parameters for this checker e multipleCasesOnSameLine C main source file e multipleCasesOnSameLine compass external makefile make file if this checker is to be built outside of the ROSE source tree e multipleCasesOnSameLineDocs tex documentation e multipleCasesOnSameLine inc Makefile include file e multipleCasesOnSameLine h header e multipleCasesOnSameLineMain C main driver e multipleCasesOnSameLineTest1 C test input code Some of these files compass_parameters are copied from the com pass_template_generator directory while others are generated mul tiple makefile It is suggested that you keep the following in mind when using gen_checker sh e It is advised that you do not invoke the script gen checker with words like checker detector tester etc Adding these verbs at the command line means that these words a
136. ot followed 7 100 1 Parameter Requirements The checker takes the name of the class and member function that on call should assign it s result to a variable with the same name as the first argument The arguments are VariableNameEquals DatabaseName ClassName CLASSNAME and VariableNameE qualsDatabaseName MemberFunctionName MEMFUNCNAME 7 100 2 Implementation The checker will look for a function call to the member function within the class that we are looking for When such a call is found it assumes that the lhs of the last assign expression is the variable access that we are interested in If the name of that variable does not satisfy the rule we report an error 7 100 3 Non Compliant Code Example include lt string gt class MixMatmodel public double fieldReal std string str return 1 3 int main MixMatmodel x int y x fieldReal test1 int z x fieldReal test1 test2 243 244 CHAPTER 7 LIST OF COMPASS CHECKERS int test2 x fieldReal test1 test2 test3 des 7 100 4 Compliant Solution include lt string gt class MixMatmodel public double fieldReal std string str return 1 3 int main MixMatmodel x int testi x fieldReal testi int test2 x fieldReal test1 test2 int test3 x fieldReal test1 test2 test3 3 7 100 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static
137. ould not be declared on the same line 7 79 1 Parameter Requirements This checker takes no parameters and inputs source file 7 79 2 Implementation This pattern is checked using a simple AST traversal visiting all variable declaration statements The line number of each variable declaration statement node is saved to a std set unique to each file If any line number is added to this set more than once then a violation is flagged 7 79 3 Non Compliant Code Example The non compliant code declares multiple int variables on the same line int main int il 0 i2 0 i3 0 return 0 7 79 4 Compliant Solution The compliant solution is to give each int declaration its own line int main int ii 0 int i2 0 int i3 0 7 79 CERT DCL04 A ONE LINE PER DECLARATION return 0 7 79 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform a simple AST traversal visiting all variable declaration nodes 2 For each line number associated with a variable declaration node add the line number to a set of line numbers unique to its source file 3 If any line number is added more than once per source file set of line numbers then flag a violation 4 Report any violations 7 79 6 References Secure Coding DCL04 A Take care when declaring more than one 203 204 CHAPTER 7 LI
138. parate tool by creating a subdirectory under Compass with a small portion of Compass infrastructure files Only four files are required com passMain C CHECKER_LIST RULE_SELECTION Makefile am Note also that the compassMain C file can be any name but must only be consistant with the Makefile am This example of using the compass infrastructure is compiled as part of compiling com pass and defines a compass infrastructure based tool that imple ments about 25 randomly selected checkers form the collection in projects compass extensions checkers Assume that the present working directory is projects compass tools of the ROSE source tree First create a directory for the new Compass subset tool mkdir sampleCompassSubset then add this directory in the SUBDIRS variable of the automake file projects compass tools Makefile am Additionally intro duce this new Makefile into the top level source tree configure in file A snippet concerning these changes is given below projects compass tools Makefile am SUBDIRS compass compassVerifier sampleCompassSubset configure in projects compass tools sampleCompassSubset Makefile projects compass tools compassVerifier Makefile Note that after any modification of configure in the configure command for ROSE will have to be rerun else the makefile will cause it to be called for you To specify how this tool is to be con figured and built create a Makefile am projects compass tools sampl
139. piler ROSE Compass 0 9 2a Maintainer Chunhua Liao lt youraccount llnl gov gt Last Change 2008 Apr 3 if exists current_compiler finish endif let current_compiler compass if exists CompilerSet 2 older Vim always used setlocal command nargs CompilerSet setlocal lt args gt endif single line warning multiple line warning W C continue line Z end of multiple line CompilerSet errorformat s X f 1 c X m Was X 1 c 4 Nd X m Vas AE AILA Ae AANA ANd Y m WWA ZEN N linen 1 XMND c x AX TN m some notes about the error warning message format Official guide http vimdoc sourceforge net htmldoc quickfix html error file format Each new rule start with a leading unless it is the first rule in the first line f filename 1 line number c column number only one is permitted m actual error warning message matching a space ANNA matching any number Figure 3 8 A compiler plugin for Vim 7 compass vim The hash mark may only appear at the beginning of the line The compass submission setup sh script must be run again with the regenerate option if any checkers are commented out Note that no space is permitted between the and the name of the checker Usually the CHECKER_LIST is only modified when a user or de veloper wants to add a new checker or select a subset of trusted checkers Checkers can be commented out using a no space is allowed between the
140. quired 7 10 2 Implementation This implementation checks to see if a function returns a boolean if so it checks the first 4 characters in the name of the function for is_ or has It also checks all variable declarations checks for boolean type then does the same substring match on its name 7 10 3 Non Compliant Code Example bool chosen_poorly return true int main bool badly_named return 0 F 7 10 4 Compliant Solution bool has_chosen_poorly return true int main bool is_badly_named return 0 7 10 BOOLEAN IS HAS 67 7 10 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 finds bool declarations or bool return function declarations 2 checks name 7 10 6 References ALE3D Section 3 6 Booleans 68 CHAPTER 7 LIST OF COMPASS CHECKERS 7 11 No Reference Buffer Overflow Functions This analysis detects possible buffer overflows due to the usage of unsafe function calls The results need to be either inspected by the user or if applicable unsafe function calls can be exchanged against their safe counterparts 7 11 1 Non Compliant Code Examples 1 include lt stdio h gt 2 include lt string h gt 3 4 using namespace std 5 6 void fail T char string 50 8 int file_ number 0 9 sprintf string file d file
141. r does not require any parameters 7 35 2 Non Compliant Code Example include lt vector gt bool f const std vector lt int gt amp v if v sizeQ gt 0 not OK use v empty instead return true if 0 v size not OK use v empty instead return false return false 7 35 3 Compliant Solution include lt vector gt bool f2 const std vector lt int gt amp v if v empty return true if v emptyO return false return false 7 35 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each member function call see if the called member func tion is named size and if the call is embedded in an expression that compares its return value against the constant 0 115 116 CHAPTER 7 LIST OF COMPASS CHECKERS 2 If the above check evaluates to true emit a diagnostic There are numerous ways to defeat this simple analysis for instance by assigning the return value from size to a variable by comparing the return value against a variable that is always 0 or by calling size through a member function pointer Further the analysis only looks for member functions named size but does not try to ascertain that it belongs to a container as that is not something that can be checked reliably 7 35 5 References The reference for this checker is S Meyers Effe
142. rategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each scope statement loops if basic blocks count the number of enclosing scopes until a function definition is reached if at all 2 If the count is greater than the specified limit emit a diagnostic 7 25 5 References A reference for this checker is H Sutter A Alexandrescu C Coding Standards Item 20 Avoid long functions Avoid deep nesting 96 CHAPTER 7 LIST OF COMPASS CHECKERS 7 26 Default Case This test checks to ensure each switch statement has a default option It has been noted that unexpected cases falling through can be a cause of difficult to detect bugs A default case will catch those cases 7 26 1 Parameter Requirements No parameters required 7 26 2 Implementation This implementation checks all statements in the basic block of the switch statement searching for defaults Currently this implemen tation may have false positives ie A switch with a default will raise an alert on duff s device In general Duff s device does not use a default 7 26 3 Non Compliant Code Example switch x case 1 case 2 7 26 4 Compliant Solution switch x case 1 case 2 default handle unexpected cases 7 26 DEFAULT CASE 97 7 26 5 Mitigation Strategies Static Analysis Compliance with this rule
143. re added as suffixes into the directory name Which will make it redundant as the compass project is about writing style checkers FIXME What are the readonly e Some of the files have read only permissions and are intended files exactly only for such use Please do not change the permissions of these files 3 10 EXTENDING THE COMPASS INFRASTRUCTURE 33 3 9 2 Integrating New Checkers Into Compass Tool The process for integrating a new checker into Compass has been automated These directions are meant for checkers generated using gen_checker sh The process is similar for all compass like tools that are built using the common infrastructure The steps to integrate a new checker is note that both of the source tree and build tree of ROSE are involved 1 Add lt camel case of your checker name gt to ROSE_SOURCE_DIR projects compass tools compass CHECKER_LIST 2 Enter ROSE_BUILD_DIR projects compass tools compass 3 Execute make regenerate 4 After running make regenerate in the build tree then you may run make as usual 5 Examine the ROSE_SOURCE_DIR projects compass tools compass RULE_SELECTION in file and confirm it reflects your most recent additional checker s choice of execution at run time the default setting is on Please refer to section 3 10 Extending the Compass Infrastruc ture Compass as well as being a tool for software analysis is also a capa ble infrastructure for building other too
144. relating them to the source code 3 2 This work uses the QRose library produced at Imperial College London by Gabriel Coutinho as part of their development of FPGA tools using ROSE QRose is based on the Qt library and provides a wide number of ROSE aware components to make the development of GUls for ROSE based tools easy The source code for the Compass GUI is provided but this work is unfinished and required the QRose library available from Imperial ToolGear post processing Output in XML permits the use of ToolGear LLNL tool avail able on the web for viewing Compass generated output This mechanism is particularly useful for reviewing the results of nightly builds and associated runs of large projects using Com pass See figure 3 3 e ASCII output Output in ASCII format is of the form shown in 3 4 This form permits the connection to multiple external tools the Emacs interface reads the ASCIT output format directly 3 3 1 Using Compass With Emacs Compass as a checker is most useful when the user is notified as early as possible when he violates a desired software property Al though for many purposes it is sufficient to run Compass separately it is possible to use compass seamlessly when developing in emacs By using an emacs extension called flymake together with Compass erroneous lines can be highlighted while programming and the rele vant error messages displayed in a dialog Syntax errors from ROSE will be display
145. requires ROSE to be con figured with sqlite3 The Compass GUI does not try to replace the build system it simply captures how the build system compiles the source files for a specific version of the project Although there is no guarantee that this will work when the source code changes it is reasonable to expect the capturing of the build system should be the same as the code evolves as long as no changes are done to the build system These instructions can apply to Autotool projects as well as projects build in other build systems but the shorthands used here for dis cerning the build system are specific for Autotools 4 2 1 Capturing a Build System State FIXME Document that this requires with sqlites The first step of running the Compass GUI on an autotools project is to figure out how the build system works Capturing the build system state is done with the buildInterpreter tool provided in the Compass distribution in the projects compass tools com pass buildInterpreter directory In order to facilitate capturing the build system once and moving the source files around the ROSE TEST REGRESSION ROOT environment variable must be defined to the string that should be replaced For instance if a projects is build within home user pro ject and it is desired to move the files inside that directoy to a different directory define it to be export ROSE_TEST_REGRESSION_ROOT home user project FIXME Document Need t
146. retcptr return p OK const ref const int amp retcref return p maybe OK depending on operatorsExcepted parameter int amp operator return p 7 52 INTERNAL DATA SHARING 149 private int p 3 7 52 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 While traversing the program representation set a flag upon entering a member function definition that has a non const pointer or reference return type 2 Report any return statement within such a flagged function that returns a possibly dereferenced member variable 7 52 5 References A reference in the literature is H Sutter A Alexandrescu C Coding Standards Item 42 Don t give away your internals Their notion of a handle is more general however as it also in cludes basic types that are used as handles such as ints that are used as file descriptors 150 CHAPTER 7 LIST OF COMPASS CHECKERS 7 53 No Reference Loc Per Function This analysis detects for each function the amount of lines of code LOC and checks the value against a user defined max value If LOC gt max value then an exception is triggered 7 53 1 Non Compliant Code Examples if LocPerFunction Size 2 void fail int x x x x 5 5 5 7 53 2 Compliant Solution if LocPerFunction Size
147. rforms a comparison involving the return value from malloc if this is not the case then flag a violation 4 If a basic block is reached then flag a violation as the return value of malloc may be out of scope 5 Report any violations 7 57 6 References Arrighi B Neely R Reus J ALE3D Coding Standards amp Style Guide 2005 160 CHAPTER 7 LIST OF COMPASS CHECKERS 7 58 Multiple Public Inheritance Multiple inheritance in C can give rise to very complicated issues in particular when a class has several public superclasses in contrast having a single public superclass and several private ones only in heriting code from these but not public interfaces can be much more controllable This checker ensures that no class has more than one public superclass while not prohibiting multiple inheritance in general 7 58 1 Parameter Requirements This checker does not require any parameters 7 58 2 Non Compliant Code Example Dummy classes the first of which is designed to be used as a base class from which one inherits an interface the second designed to be used as a base class from which one only inherits an implementation class Interface class Implementation not OK multiple public base classes class A public Interface public Implementation ko 7 58 3 Compliant Solution class Interface 1 class Implementation 4 y OK on
148. rn foo 0 7 49 4 Compliant Solution The compliant solution simply adds a function prototype for foo int foo int int foo int i 144 CHAPTER 7 LIST OF COMPASS CHECKERS return i int main return foo 0 7 49 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform a simple AST traversal of code visiting all function declaration nodes 2 For each function declaration node find first non defining dec laration If no non defining declaration is found then flag vio lation 3 Report any violations detected 7 49 6 References Secure Coding DCL31 C Ensure every function has a function prototype 7 50 PAPER FUNCTION DOCUMENTATION 145 7 50 Paper Function Documentation This analysis detects all non compiler generated functions and checks whether they are documented The documentation must be in front of the function 7 50 1 Non Compliant Code Examples void failO 4 this function has no comment in front of it i 7 50 2 Compliant Solution Your test file code goes here void succeed 7 50 3 Parameter Requirements None 7 50 4 Implementation This analysis checks for both and documentation 7 50 5 References Panas05 Thomas Panas Rudiger Lincke Jonas Lundberg Welf Lowe A Qualitative Evaluation of a Software Devel
149. ror 7 69 6 References The ALESD style guide section 16 1 states that templates must not be used 182 CHAPTER 7 LIST OF COMPASS CHECKERS 7 70 No Variadic Functions CERT Secure Coding DCL33 C states A variadic function a function declared with a parameter list ending with ellipsis can accept a varying number of arguments of differing types Variadic functions are flexible but they are also hazardous The compiler can t verify that a given call to a variadic function passes an appropriate number of arguments or that those arguments have appropriate types Consequently a runtime call to a variadic function that passes inappropriate arguments yields undefined behavior Such undefined behavior could be exploited to run arbitrary code 7 70 1 Parameter Requirements This checker takes no parameters and inputs source file 7 70 2 Implementation This pattern is checked using a simple AST traversal that visits all function and member function references checking the function declaration for arguments of variadic type Those defined functions with variadic arguments flag violations of this rule 7 70 3 Non Compliant Code Example include lt cstdarg gt char concatenate char const s return 0 int main char separator t char t concatenate hello separator world 0 return 0 7 70 4 Compliant Solution The compliant solution uses a chain of string binary operations in stea
150. ror checking e preferAlgorithms Warning hand writing loops when equivalent STL algorithms exist 6 12 Dangerous choices e commaOperator avoid using this confusing language features e noSecondTermSideEffects No side effects for second and be yond logical operator in expressions with combined amp and e noSideEffectInSizeof Should not have side effects in sizeof e noVariadicFunctions Do not use variadic functions functions with varying parameter lists e noVfork Do not use vfork e operatorOverloading Avoid operator overloading for amp amp or y EAn e pointerComparison Avoid error prone pointer comparison us ing lt gt lt and gt 47 48 CHAPTER 6 CATEGORIES OF COMPASS CHECKERS noRand Do not use the rand function byteByByteStructureComparison avoid byte to byte compar ison between structures they maybe padded nonVirtualRedefinition Do not redefine an inherited non virtual functions in a class hierarchy noOverloadAmpersand Operator amp should not be overloaded 6 13 Performance Effectiveness control VariableTestAgainstFunction Warning about loop con trol by comparing to a function call emptyInsteadOfSize Using container empty instead of con tainer size pushBack Warning the use of container insert resize which can be replaced by push_back or push front nonStandard TypeRefArgs Always pass objects by references C nonStandard TypeRefRetur
151. s a magic number the floating point constants 42 0 and 3 14159 are allowed to appear in the source code but all others are treated as magic numbers Note that floating point numbers are compared by numeric value which may result in strange effects due to inexact representation 7 56 2 Non Compliant Code Example int f_noncompliant int n int x x 42 not OK magic number return x n 7 56 3 Compliant Solution int f_compliant int n 7 56 MAGIC NUMBER 157 int x 42 OK constant only used in initializer return x n 7 56 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For every integer or floating point literal examine the enclosing statement to find out whether it occurs as part of the initializer in a variable declaration If not emit a diagnostic 7 56 5 References A reference for this pattern is H Sutter A Alexandrescu C Coding Standards Item 17 Avoid magic numbers 158 CHAPTER 7 LIST OF COMPASS CHECKERS 7 57 Malloc Return Value Used In If Stmt ALE3D Coding Standards amp Style Guide item 4 5 states that When using raw malloc and new developers should check the return value for NULL This is especially impor tant when allocating large blocks of memory which may exhaust heap resources 7 57 1 Parameter Requirements This checker take
152. s and inputs source file 7 66 2 Implementation This pattern is checked using a simple AST traversal that visits all function reference expressions If a functino reference expression node corresponds to the rand function then a violation is flagged 7 66 3 Non Compliant Code Example The following code calls rand include lt stdlib h gt int main 1 2 3 4 5 int r rand generate a random integer 6 7 8 return 0 7 66 4 Compliant Solution The compliant solution is to use a implementation specific random number generator int main int r my_rand generate a random integer return 0 1 2 3 4 5 6 7 66 CERT MSC30 C NO RAND 175 7 66 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform a simple AST traversal visiting all function reference expression nodes 2 For each node visited if the function reference expression cor responds to rand then flag violation 3 Report any violations 7 66 6 References Secure Coding MSC30 C Do not use the rand function 176 CHAPTER 7 LIST OF COMPASS CHECKERS 7 67 No Second Term Side Effects The logical AND and logical OR operators amp amp exhibit short circuit operation That is the second operand is not evaluated if the result can be deduced solely by evaluating the first operand Co
153. s file One may also create the dynamic rule selection file RULE_SELECTION or defer this file to be automatically generated with all checker rules activated by default Finally it is necessary to write or copy the compassMain C file that defines among other function the command line processing options where one may al ter the interface For sampleCompassSubset the compassMain C of projects compass src compassSupport is symbolically linked in place The complete directory list for sampleCompassSubset now looks like CHECKER_LIST compassMain C gt src compassSupport compassMain C Makefile am RULE_SELECTION The source tree creation and configuration of a new Compass like tool is complete with Makefile am CHECKER_LIST RULE_SELECTION and compassMain C rename compassMain C as you like just make sure that the name is consistant with the Makefile am Build and configure ROSE as usual and then invoke Make at the top level build tree or projects compass subdirectory to compile and link the new Compass like tool executable In this tutorial example the new target location is projects compass tools sampleCompassSubset 35 36 CHAPTER 3 USING COMPASS Chapter 4 Using Compass GUI Compass has a GUI available for exploring the checker warnings for either the compilation of a single source file or the compilation of a whole project This GUI allow the user to interactively select checkers run those checkers on the source file s
154. s no parameters and inputs source file 7 57 2 Implementation This pattern is checked using a simple AST traversal that seeks out function references to malloc Then the parent nodes are traversed up until a basic scope block is found at which point a nested AST traversal seeks If statement conditional expressions containing the memory block returned from malloc If no such If statement condi tional is found in the immediate basic containing block scope then an error is flagged 7 57 3 Non Compliant Code Example The non compliant code fails to check the return value of malloc include lt stdlib h gt int main int iptr int malloc 256 sizeof int return 0 mainO 7 57 4 Compliant Solution The compliant solution uses an if statement to check the return value of malloc for NULL include lt stdlib h gt int main 7 57 MALLOC RETURN VALUE USED IN IF STMT 159 int iptr int malloc 256 sizeof int if iptr NULL return 1 return 0 mainO 7 57 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform AST traversal visiting function call nodes correspond ing to malloc 2 For each call to malloc traverse its parent nodes until an if statement or the end of a basic block is reached 3 If an if statement is encountered check that the if state ment pe
155. s own source code int compass_forbidden_function_vfork void helloWorld int char double function double good_function namespace A double function2 struct B void memberFunction 3 int main int argc char argv int w w compass_forbidden_function_vfork 5 helloWorld argc argv double x 3 0 function double y 5 0 good_function double z A function2 B b b memberFunction int fp compass_forbidden_function_vfork return 0 7 46 4 Compliant Solution The compliant example would use a function not listed in the pa rameter file 138 CHAPTER 7 LIST OF COMPASS CHECKERS 7 46 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each SgFunctionCallExp node if the name of the function being called is forbidden by the parameter file then report error 7 46 6 References Foster James C Foster Vitaly Osipov Nish Bhalla Niels Heinen Buffer Overflow Attacks ISBN 1 932266 67 4 p 211 Secure Coding MSC30 C Do not use the rand function Secure Coding POS33 C Do not use vfork ISO IEC 9899 1999 TC2 Section 7 19 9 2 The fseek function 7 19 9 5 The rewind function Klein 02 ISO IEC 9899 1999 Section 7 20 1 4 The strtol strtoll strtoul and strtoull functions Section 7 20 1 2 The atoi
156. s vfork 1 include lt stdlib h gt 2 include lt unistd h gt w int main 4 5 6 pidt pid vfork 7 8 if pid 0 child 9 10 system echo Hello World 13 return 0 7 71 4 Compliant Solution The compliant solution calls fork instead 1 include lt stdlib h gt 2 include lt unistd h gt w 4 int main 5 6 pidt pid fork 7 8 if pid 0 child 10 system echo Hello World 13 return 0 7 71 CERT POS33 C NO VFORK 185 14 7 71 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform a simple AST traversal visiting all function reference expressions 2 For each node visited if the function reference expression cor responds to vfork then flag violation 3 Report any violations 7 71 6 References Secure Coding POS33 C Do not use vfork 186 CHAPTER 7 LIST OF COMPASS CHECKERS 7 72 Non Associative Relational Opera tors C Secure Coding Practices states that The relational and equality operators are left associative not non associative as they often are in other languages This allows a C programmer to write an expression particularly an expression used as a condition that can be easily misinterpreted This checker checks that relational binary operators lt gt lt gt
157. signum sig2 1 int main void signal SIGUSR1 handler 7 5 AVOID USING THE SAME HANDLER FOR MULTIPLE SIGNALS 61 while 1 if sigl break sleep SLEEP_TIME signal SIGUSR2 handler while 1 if sig2 break sleep SLEEP_TIME leo return 0 7 5 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Write your checker algorithm 7 5 6 References ISO IEC 03 SIGOO A Avoid using the same handler for multiple signals 62 CHAPTER 7 LIST OF COMPASS CHECKERS 7 6 Bin Print Asm Functions This binary analysis traverses over the AST and prints all functions within the binary This is an example of how to traverse a binary This is not a security checker per se 7 6 1 Parameter Requirements None 7 6 2 Implementation See binPrintAsmFunctions C 7 7 BIN PRINT ASM INSTRUCTION 63 7 7 Bin Print Asm Instruction This binary analysis traverses over the AST and prints all instruc tions within the binary This is an example of how to traverse a binary This is not a security checker per se 7 7 1 Parameter Requirements None 7 7 2 Implementation See binPrintAsmInstructions C 64 CHAPTER 7 LIST OF COMPASS CHECKERS 7 8 Binary Buffer Overflow This analysis looks for buffer overflows in binaries 7 8 1 Parameter Requirements None 7 8 2 Implement
158. st2006_117 C 37 14 Occurrence of integer or floating constant FunctionDocumentation home ROSE projects compass tests Cxx_tests test2006_123 C 27 1 10 function is not documented nam FunctionDocumentation home ROSE projects compass tests Cxx_tests test2006_123 C 9 10 function is not documented name FunctionDocumentation home ROSE projects compass tests Cxx_tests test2006_123 C 12 10 function is not documented name FunctionDocumentation home ROSE projects compass tests Cxx_tests test2006_123 C 16 10 function is not documented name Figure 3 4 Example of ASCII output from Compass 3 3 OUTPUT FROM COMPASS 25 in the file enacs_compass_config el Emacs Version Requirement Emacs version 22 or newer is required to take advantage of the emacs integration of Compass Before using Compass a 3 step process must be followed e Add the text in figure 3 5 in ROSE AUGO508 ROSE projects compass tools compass emacs_compass_config el to emacs e Change path to makefile in figure to the path to the project you are editing in Compass e Add a check syntax rule to the makefile of the project that you are working on in Compass This rule should compile all the files you want Compass to check or all files that you are editing with Compass as the compiler Figure 3 5 shows the needed changes in emacs for integrating Com pass The last two lines are the most interesting lines since they introduce two shortkeys f3 can be clicked
159. st_only The checker traverses the AST to find all OpenMP lock variable references with a type name omp _lock_t within omp _unset_lock omp set_lock and omp test lock It then compares the scope of the corresponding lock declaration statement and the enclosing parallel region of the lock references If the lock is declared within the parallel region it is a violation 7 78 3 Non Compliant Code Example void foo pragma omp parallel private id omp_lock_t 1ck local declared lock variable wrong int id omp_get_thread_num omp_set_lock amp lck printf My thread id is d n id omp_unset_lock amp lck 7 78 4 Compliant Solution omp_lock_t 1ck a global shared lock lock initialization and destroy calls are omitted 7 78 OMP PRIVATE LOCK void foo pragma omp parallel private id int id omp_get_thread_num omp_set_lock amp 1ck printf My thread id is d n id omp_unset_lock amp lck 7 78 5 References None 201 202 CHAPTER 7 LIST OF COMPASS CHECKERS 7 79 CERT DCLO4 A One Line Per Declaration CERT Secure Coding DCL04 A states Declaring multiple variables on a single line of code can cause confusion regarding the types of the variables and their initial values If more than one variable is declared on a line care must be taken that the actual type and ini tialized value of the variable is known To avoid confusion more than one type of variable sh
160. t make use of C assembly 7 61 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Perform simple AST traversal visiting SgAsmStmt and SgAs mOp nodes 2 For each such node flag violation 3 Report all violations 166 CHAPTER 7 LIST OF COMPASS CHECKERS 7 61 6 References 7 62 NO EXCEPTIONS 167 7 62 No Exceptions This checker detects all usages of C exception handling 7 62 1 Parameter Requirements No parameters are required 7 62 2 Implementation The checker detects try statements throw operations and catch statements 7 62 3 Non Compliant Code Example class Exception int main try throw Exception catch Exception e 7 62 4 Compliant Solution int main 3 7 62 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Traverse the AST 2 For each try statements throw operations and catch statements report and error 7 62 6 References The ALE3D style guide section 17 1 forbids usage of C excep tions 168 CHAPTER 7 LIST OF COMPASS CHECKERS 7 63 No Exit In Mpi Code ALE3D Coding Standards amp Style Guide item 19 1 states that exit must never be called from a parallel code Calling exit from a parallel code will cause the code to dead
161. ter that is assigned to str When str is dereferenced in strcpy the program behaves in an unpredictable manner include assert h include lt stdlib h gt void testme case 1 int size 5 char str char malloc sizet1 char z str case 2 int p 0 int 1 p case 3 char k 0 free k 7 77 3 Compliant Solution EXP33 C Do not reference uninitialized variables We do not check the expressions in if conditions and hence it is irrel evant what the if conditions state However because an if condition occurs there might be a path that leaves sign_flag uninitialized In this case a simple assert helps to avoid the warning caused by this analysis include assert h 198 CHAPTER 7 LIST OF COMPASS CHECKERS void set_flag int number int sign_flag assert sign_flag if number gt 0 sign_flag 1 else if number lt 0 sign_flag 1 int x sign_flag int main int argc char argv int sign set_flag 0 amp sign return 0 7 77 4 EXP34 C Ensure a pointer is valid before dereferencing it include assert h include lt stdlib h gt void testme case 1 int size 5 char str char malloc size 1 if str NULL str 75 char z str case 2 int p 0 assert p int 1 p case 3 char k 0 assert k free k 7 77 5 Parameter Requirements None 7 77 CERT EXP33 C AND EXP34 C NULL
162. tern is detected using a simple traversal It traverses AST to search conditional statements and if an implicit expression is used in the test AST contains a casting expression node underneath the conditional statement to convert from a non boolean values to a boolean value The checker captures this structure 7 39 3 Non Compliant Code Example int bar void foo int i if bar i 2 7 39 EXPLICIT TEST FOR NON BOOLEAN VALUE while bar i 3 do i 4 while bar for i 0 bar i i 5 i bar 6 7 for i bar 8 9 bar i i 10 7 39 4 Compliant Solution if foo 0 do something 7 39 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Check if a node is a conditional statement 2 Check further if the conditional statement contains an implicit expression 7 39 6 References The Programming Research Group High Integrity C Coding Standard Manual Item 5 2 For boolean epressions if for while do and the first operand of the ternary operator in volving non boolean values always use an explicit test of equality or non equality 123 124 CHAPTER 7 LIST OF COMPASS CHECKERS 7 40 File Read Only Access Attempting to open files for writing on read only file systems and files causes errors This checker
163. ters e mallocReturnValueUsedInIfStmt Always check the return value for malloc and new e nullDeref Several checkers for NULL pointers checking a pointer s validity before dereferencing it Do not reference uni tialized variables e floatingPointExactComparison Avoid exact comparisons be tween a variable to a floating point value e floatForLoopCounter floating point variables should not be used as loop counters 6 5 OpenMP e ompPrivateLock locks within parallel regions should be be private 46 CHAPTER 6 CATEGORIES OF COMPASS CHECKERS 6 6 Security allowedFunctions security analysis limit the use to a set of allowed functions forbiddenFunctions Avoid using a set of dangerous functions avoidUsing TheSameHandlerForMultipleSignals dedicated handler for each signal constStringLiterals protect string literals using const qualifi cation doNotDeleteThis Do not delete this pointer functionCallAllocatesMultipleResources Avoid allocating mul tiple resources within a single statement e g a function call rightShiftMask Always use a shift mask for gt gt to avoid buffer overflow 6 7 Portability charStarForString C strings must be used instead of STL strings fopenFormatParameter Format parameter of fopen should not contain non portable value noAsmStmtsOps warn the use of embedded assembly code 6 8 Clarity explicitTestForNonBooleanValue Non boolean values should be compared to expli
164. that it is not used It reports any use of the built in comma operator and any declaration of an overloaded comma operator 7 14 1 Parameter Requirements This checker does not require any parameters 7 14 2 Non Compliant Code Example int f_noncompliant int n return n n n not OK twice comma operator 7 14 3 Compliant Solution int f_compliant int n nts return n 7 14 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers identifying any appearance of the built in comma operator and any declaration of a function overloading the comma operator 7 14 5 References A reference to this pattern is The Programming Research Group High Integrity C Coding Standard Manual Item 10 19 Do not use the comma operator 7 15 NO REFERENCE COMPUTATIONAL FUNCTIONS 7 15 No Reference Computational Functions This analysis computes the amount of floating point integer floating point pointer and integer pointer operations within each function If the value is larger than specified than a warning is triggered The analysis helps to identify functions with high computatuional value 7 15 1 Non Compliant Code Examples void failO int x 4 int y x b 7 int z amp x y Z Z 6 8 9 7 15 2 Compliant Solution void pass int x 4 int y x 5 7 7 15 3 Parameter Requirements computatio
165. tic analysis checkers using the following algorithm 1 For each for loop check the criteria explained above taking both built in and overloaded operators 2 If the loop fulfills all criteria generate a diagnostic 7 84 5 References A reference for this checker is S Meyers Effective STL Item 43 Prefer algorithm calls to hand written loops 212 CHAPTER 7 LIST OF COMPASS CHECKERS 7 85 Secure Coding FIOO7 A Prefer fseek to rewind rewind sets the file position indicator for a stream to the beginning of that stream However rewind is equivalent to fseek with OL for the offset and SEEK_SET for the mode with the error return value suppressed Therefore to validate that moving back to the beginning of a stream actually succeeded fseek should be used instead of rewind 7 85 1 Non Compliant Code Example The following non compliant code sets the file position indicator of an input stream back to the beginning using rewind 1 FILE fptr fopen file ext r 2 if fptr NULL 3 handle open error 4 read data Now 8 rewind fptr 9 10 continue 11 However there is no way of knowing if rewind succeeded or not 7 85 2 Compliant Solution This compliant solution instead using fseek and checks to see if the operation actually succeeded 1 FILE fptr fopen file ext r 2 if fptr NULL 3 handle open error 4 5 6 read data
166. tructural static analysis checkers using the following algorithm 1 Check if a node is a function declaration 2 Check if the name of the function contains operator amp amp operator or operator 7 80 6 References T Misfeldt G Bumgardner A Gray The Elements of C Style Item 111 Do not overload operator amp amp or operator 206 CHAPTER 7 LIST OF COMPASS CHECKERS 7 81 Other Argument This checker enforce the name convention of the first argument in copy constructors and copy operators This is taken from rule 23 from the Elements of C Style Misfeldt and al 2004 The pa rameter should be called other This checker also accept two other naming conventions that and the class name in lower camel case 7 81 1 Parameter Requirements There is no parameter requirement 7 81 2 Non Compliant Code Example A A const A amp foo 7 81 3 Compliant Solution A A const A amp other Liso 7 81 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For all constructors and operator fulfilling the copy requirement of the C standard check that the first parameter is of the three possible name 7 81 5 References Bumgardner G Gray A and Misfeldt T The Elements of C Style Cambridge University Press 2004 7 82 PLACE CONSTANT ON THE LHS
167. ts The sizeof operator yields the size in bytes of its operand which may be an expression or the parenthesized name of a type If the type of the operand is not a variable length array type the operand is not evaluated Providing an expression that appears to produce side effects may be misleading to programmers who are not aware that these expres sions are not evaluated As a result programmers may make invalid assumptions about program state leading to errors and possible soft ware vulnerabilities 7 68 1 Non Compliant Code Example In this example the variable a will still have a value 14 after b has been initialized 1 int a 14 2 int b sizeof at 3 The expression a is not evaluated Consequently side effects in the expression are not executed Implementation Specific Details This example compiles cleanly under Microsoft Visual Studio 2005 Version 8 0 with the W4 option 7 68 2 Compliant Solution In this compliant solution the variable a is incremented 1 int a 14 2 int b sizeof a 3 att 4 Implementation Specific Details This example compiles cleanly under Microsoft Visual Studio 2005 Version 8 0 with the W4 option 7 68 SECURE CODING EXP06 A OPERANDS TO THE SIZEOF OPERATOR SHOULD NOT CONTAIN SIDE 7 68 3 Risk Assessment If expressions that appear to produce side effects are supplied to the sizeof operator the returned result may be different then expected Depending on how this r
168. ts of C Style Cambridge University Press 2004 7 92 SIZE OF POINTER 227 7 92 Size Of Pointer Do not take the size of a pointer to a type when you are trying to determine the size of the type Taking the size of a pointer to a type always returns the size of the pointer and not the size of the type This can be particularly problematic when tyring to determine the size of an array 7 92 1 Parameter Requirements No Parameter specifications yet 7 92 2 Implementation Finds calls to the sizeof function Checks argument for level of pointer ie pointer to pointer etc then checks the number of deref erence levels If these do not match an alert is raised 7 92 3 Non Compliant Code Example This non compliant code example mistakenly calls the sizeof oper ator on the variable d_array which is declared as a pointer to double instead of the variable d which is declared as a double double d_array size_t num_elems 2 if num_elems gt SIZE_MAX sizeof d_array handle error condition else d_array malloc sizeof d_array num_elems The test of num _elems is to ensure that the multiplication of sizeof d_array num_elems does not result in an integer overflow For many implementaion the size of a pointer and the size of double or other type is likely to be different On IA 32 implementations for example the sizeof d_array is four while the sizeof d is eight In this case ins
169. tural static analysis checkers using the following algorithm 1 For all function declarations check that all parameter has a name 7 59 5 References Bumgardner G Gray A and Misfeldt T The Elements of C Style Cambridge University Press 2004 7 60 NO REFERENCE NEW DELETE 7 60 No Reference New Delete This analysis checks for the validity of all delete operations in a specific source code It checks for violations of a Deleting an array with a simple delete operator instead of an delete array operator b Deleting a NULL pointer c Checks for the deletion of uninitialized pointers 7 60 1 Non Compliant Code Examples In the following examples a b and c from above are demonstrated class Y int y Es void failO Y int x 2 deleting array Y m new Y 5 delete m deleting NULL Y n 0 delete n deleting NULL Yx c if x 5 x 7 delete c 7 60 2 Compliant Solution Use assert statements to make sure that a pointer cannot be null or use the delete operator if a new operator precedes on that pointer 7 60 3 Parameter Requirements None 163 164 CHAPTER 7 LIST OF COMPASS CHECKERS 7 60 4 Implementation This analysis uses the BOOST library in order to utilize the breadth first search BFS algorithm Together with the control flow graph and the BFS the implementation backtracks the code from the delete operation to its definition On vio
170. tural static analysis checkers using the following algorithm 1 For every member function declaration traverse the inheritance DAG of the enclosing class 2 Identify any functions that may be overridden by the current one by checking name and type 3 Issue a diagnostic if the overridden function is not declared virtual 7 75 5 References A reference for this checker is S Meyers Effective C Second Edition Item 37 Never redefine an inherited nonvirtual func tion 193 194 CHAPTER 7 LIST OF COMPASS CHECKERS 7 76 Nonmember Function Interface Namespace User defined classes should typically reside in the same namespace as their nonmember function interface i e friend functions and op erators for that class The reasons are uniform lookup of overloaded functions and that the interface of a class consists not only of its member functions This checker enforces this guideline It reports friend function declarations that refer to functions from a different namespace Further it makes sure that every class mentioned in a nonmember operator s signature return and argument types is in the same namespace as the operator or in the global std namespace 7 76 1 Parameter Requirements No parameters are required 7 76 2 Non Compliant Code Example void f not OK used as friend in class N A not in same namespace namespace N class A public friend void f 7 76 3 Compliant
171. ufficient space is allocated to contain an array of 100 values of type double 228 CHAPTER 7 LIST OF COMPASS CHECKERS 7 92 4 Compliant Solution Make sure you correctly calculate the size of the element to be contained in the aggregate data structure The expression sizeof d_array returns the size of the data structure referenced by d_array and not the size of the pointer double d_array size_t num_elems o if num_elems gt SIZE_MAX sizeof d_array handle error condition else d_array malloc sizeof d_array num_elems 7 92 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Write your checker algorithm 7 92 6 References ISO IEC 9899 1999 TC2 Viega 05 Section 5 6 8 Use of sizeof on a pointer type ISO IEC 9899 1999 Section 6 5 3 4 The sizeof operator Drepper 06 Section 2 1 1 Respecting Memory Bounds 7 93 SECURE CODING INT06 A USE STRTOL TO CONVERT A STRING TOKEN TO AN INTEGER229 7 93 Secure Coding INTO6 A Use str tol to convert a string token to an integer Use strtol or a related function to convert a string token to an integer The strtol strtoll strtoul and strtoull functions convert the initial portion of a string token to long int long long int unsigned long int and unsigned long long int representation respectivel
172. upport interactions with lab cus tomers e Provide a home for the security analysis specific detectors being built within external research projects e Provide an external tool for general analysis of software e Provide a tool to support improvements to the ROSE source code base e Define an infrastructure for an evolving and easily tailored pro gram analysis tool e Provide a simple motivation for expanded use of ROSE by ex ternal users Development testing and evaluation of ROSE infrastructure is best facilitated through its expanded use by 1Story not really specific to softare analysis found at http www corsinet com braincandy hlife html 10 CHAPTER 1 INTRODUCTION others and this provides a specific and attractive tool that can provide feedback to users about their own code projects Even though optimization research is our focus this gets our sup porting infrastructure for optimization research out and into use by others in the form of an extensible tool Note that as the collection of detectors grows we will periodically re organize the collection At some point soon we will build a hierarchy to organize the evolving collection A basis for other source analysis tools Input and output to ROSE is organized so that any number of sources could be used So although we provide a compiler interface for simplicity we will also provide a GUI interface as an alternative interface to demon strate that the detect
173. ut class definitions that fit into neither of the above patterns Specifically it warns about class definitions that contain both public and nonpublic data members 7 24 1 Parameter Requirements This checker does not require any parameters 7 24 2 Non Compliant Code Example class NoNo not acceptable contains both public and nonpublic data members public int get_a const void set_a int double d protected int a 3 7 24 3 Compliant Solution struct C_style acceptable all data members are public int a b double d class WellProtected acceptable no data members are public public int get_a const void set_a int double get_d const void set_d double protected 7 24 DATA MEMBER ACCESS 93 int a private double d 7 24 4 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 For each class definition count the numbers of public and non public data members 2 If both of the counts for a given class definition are greater than zero a mix of public and nonpublic data members is present emit a diagnostic 7 24 5 References A literature reference for this checker is H Sutter A Alexandrescu C Coding Standards Item 41 Make data members private except in behaviorless aggregates C style structs Note that the authors advise not onl
174. var lt 0 Handle Error return putenv env 7 30 4 Compliant Solution The setenv function allocates heap memory for environment vari ables This eliminates the possibility of accessing volatile stack memory int func char var return setenv TEST var 1 7 30 5 Mitigation Strategies Static Analysis Compliance with this rule can be checked using structural static analysis checkers using the following algorithm 1 Checks to see if the variable being passed to putenv is declared in the global scope If it is not the checker creates new output 105 106 CHAPTER 7 LIST OF COMPASS CHECKERS 7 30 6 References Open Group 04 The putenv function ISO TEC9899 19995ection 6 2 4 Storage durations of objects and Section 7 20 3 Memory management functions Dowd 06 Chapter 10 UNIX Processes Confusing putenv and setenv 7 31 DO NOT DELETE THIS 107 7 31 Do Not Delete This CERT Secure Coding C DAN32 C states that Deleting this leaves it as a dangling pointer which leads to undefined behavior if it is accessed 7 31 1 Parameter Requirements This checker takes no parameters and inputs source file 7 31 2 Implementation This pattern is checked using a simple AST traversal visiting all delete expressions and checking its argument to be a this expres sion if so flag a violation 7 31 3 Non Compliant Code Example class SomeClass
175. ve to be carefully written to not represent examples that violate Compass Verifier e Fast once on the union of all the checkers make oneBigVerify This step forms a single file of all the checkers and in doing so can miss some files and so is less secure It is mostly for testing purposes 3 The person building the Compass executable is trusted 4 The environment where the testing using Compass is done is trusted 5 Compass is designed so that the user running Compass need not be trusted It is unclear at present how weak the assumption of trust on the compass checker developer can be and it may ultimately depend directly on the capabilities of the Compass Verifier 2 3 Architecture Figure 2 2 Compass Architecture Compass is a tool that allows users to implement checkers to lo cate and report software defects Documentation of various kinds of software defects can be found in sources such as the CERT Se cure Coding Rules Common Weakness Enumeration from MITRE and other sources Our focus is not to define new software defects but rather to provide a platform that allows the easy implemen tation of defect checkers Compass has been designed to be easy to extend allowing users to implement their own custom checkers custom source code analyses for identifying defects as shown in Figure Compass supports the implementation of both simple 14 CHAPTER 2 DESIGN AND VERIFICATION as well as more advanced defect c
176. y These functions provide more ro bust error handling than alternative solutions 7 93 1 Non Compliant Example This non compliant code example converts the string token stored in the static array buff to a signed integer value using the atoi function 1 int si 2 3 if argc gt 1 4 si atoi argv 1 5 6 The atoi atol and atol1 functions convert the initial por tion of a string token to int long int and long long int repre sentation respectively Except for the behavior on error they are equivalent to 1 atoi int strtol nptr char NULL 10 2 atol strtol nptr char NULL 10 3 atoll strtoll nptr char NULL 10 4 Unfortunately atoi and related functions lack a mechanism for reporting errors for invalid values Specifically the atoi atolO and atol1 functions 7 93 2 Non Compliant Example This non compliant example uses the sscanf function to convert a string token to an integer The sscanf function has the same problems as atoi 1 int si 2 3 if argc gt 1 4 sscanf argv 1 d amp si 5 6 7 93 3 Compliant Solution This compliant example uses strtol to convert a string token to an integer value and provides error checking to make sure that the 230 CHAPTER 7 LIST OF COMPASS CHECKERS value is in the range of int long sl int si char end_ptr 1 2 3 4 5 if argc gt 1 6 7 errno 0 8 9 sl strtol argv 1
177. y against public but also against protected data members this checker does not report protected data 94 CHAPTER 7 LIST OF COMPASS CHECKERS 7 25 Deep Nesting It is widely agreed that functions should not be too big without a good reason at least Various size measures exist including source code lines and cyclomatic complexity This checker adds one more It tests if function definitions contain more nested scopes than al lowed by the user 7 25 1 Parameter Requirements This checker requires an integer entry DeepNest ingChecker maximumNestedScopes in the Compass parameters specifying the maximum allowed number of nested scopes 7 25 2 Non Compliant Code Example The innermost scope the if statement in this toy function will be reported by the DeepNestingChecker if maximumNestedScopes is set to 2 void matrix_abs int n int m int matrix for int i 0 i lt n i for int j 0 j lt m j if matrix i j lt 0 matrix i j matrix i j 7 25 3 Compliant Solution The nesting in each function is not greater than 2 the if statement has been pulled out into its own function void abs_if_necessary int p if p lt 0 xp p void matrix_abs2 int n int m int matrix for int i 0 i lt n i 7 25 DEEP NESTING 95 for int j 0 j lt m j abs_if_necessary amp matrix i j 7 25 4 Mitigation St
Download Pdf Manuals
Related Search