100 likes | 244 Views
SUDS: An Infrastructure for Creating Bug Detection Tools. Eric Larson October 1, 2007 Seattle University. What is SUDS?. SUDS is an infrastructure to facilitate the construction of software bug detection tools. SUDS primarily used to create dynamic bug detection tools.
E N D
SUDS: An Infrastructure for Creating Bug Detection Tools Eric Larson October 1, 2007 Seattle University
What is SUDS? • SUDS is an infrastructure to facilitate the construction of software bug detection tools. • SUDS primarily used to create dynamic bug detection tools. • Contains static analysis phases used to improve / focus dynamic bug detection. • At the heart of SUDS is a C to (instrumented) C converter.
Parse Simplify Analyze Instrumentation Model Instrument Link Overview of SUDS SUDS Program (preprocessed C source code) AST Simplified AST Analysis Results Instrumented Source Code Instrumented Executable
Static Analysis • Standard compiler analyses • Control flow graph / call graph • Data flow analysis (mostly intraprocedural) • Flow-sensitive pointer analysis (Hind et. al.) • Tainted propagation • Propagates tainted attribute of variables (forward) • User can modify infrastructure to change what tainted means • Program slicing • Propagates interesting uses backwards • User can modify slicing criterion (can be all statements that have this property or characteristic) • Context-insensitive
Instrumentation • Direct SUDS where to add instrumentation. • Add instrumentation based on statement, expression, or event. • Support functions allow users to easily pass parameters into the instrumentation functions. • Write the instrumentation routines. • Can use provided state table: allows the instrumented program to keep track of additional state when the program is running. • Can take advantage of results from static analysis phases.
Example of how SUDS is used • Goal: To detect buffer overflows for array references that uses data that came from input. • Tainted analysis: All input data is tainted. • Program slicing: All data that can lead to an array reference is in the slice. • Instrumentation: • Track all arrays and their sizes. • Track pointers to arrays. • Track integers that are tainted and in the slice. • At array references, check for bugs.
Future Work • Add phase(s) that attempt to detect bugs using static analysis. • Certain types of bugs can use data flow analysis but need to prune false alarms. • Develop static analysis phases that improve the quality of dynamic bug detection, not just the performance.