diff --git a/SVF-linux/Release-build/bin/ae b/SVF-linux/Release-build/bin/ae index 0e84da8d..de7b7261 100755 Binary files a/SVF-linux/Release-build/bin/ae and b/SVF-linux/Release-build/bin/ae differ diff --git a/SVF-linux/Release-build/include/AE/Svfexe/AEDetector.h b/SVF-linux/Release-build/include/AE/Svfexe/AEDetector.h index c782292b..307b589e 100644 --- a/SVF-linux/Release-build/include/AE/Svfexe/AEDetector.h +++ b/SVF-linux/Release-build/include/AE/Svfexe/AEDetector.h @@ -75,6 +75,12 @@ class AEDetector */ virtual void detect(AbstractState& as, const ICFGNode* node) = 0; + /** + * @brief Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS) + * @param call Pointer to the ext call ICFG node. + */ + virtual void handleStubFunctions(const CallICFGNode* call) = 0; + /** * @brief Pure virtual function to report detected bugs. */ @@ -169,6 +175,13 @@ class BufOverflowDetector : public AEDetector */ void detect(AbstractState& as, const ICFGNode*); + + /** + * @brief Handles external API calls related to buffer overflow detection. + * @param call Pointer to the call ICFG node. + */ + void handleStubFunctions(const CallICFGNode*); + /** * @brief Adds an offset to a GEP object. * @param obj Pointer to the GEP object. @@ -277,11 +290,11 @@ class BufOverflowDetector : public AEDetector /** * @brief Checks if memory can be safely accessed. * @param as Reference to the abstract state. - * @param value Pointer to the SVF value. + * @param value Pointer to the SVF var. * @param len The interval value representing the length of the memory access. * @return True if the memory access is safe, false otherwise. */ - bool canSafelyAccessMemory(AbstractState& as, const SVFValue *value, const IntervalValue &len); + bool canSafelyAccessMemory(AbstractState& as, const SVFVar *value, const IntervalValue &len); private: /** diff --git a/SVF-linux/Release-build/include/AE/Svfexe/AbsExtAPI.h b/SVF-linux/Release-build/include/AE/Svfexe/AbsExtAPI.h new file mode 100644 index 00000000..f06faa83 --- /dev/null +++ b/SVF-linux/Release-build/include/AE/Svfexe/AbsExtAPI.h @@ -0,0 +1,147 @@ +//===- AbsExtAPI.h -- Abstract Interpretation External API handler-----// +// +// SVF: Static Value-Flow Analysis +// +// Copyright (C) <2013-> +// + +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. + +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. + +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . +// +//===----------------------------------------------------------------------===// + + +// +// Created by Jiawei Wang on 2024/9/9. +// +#pragma once +#include "AE/Core/AbstractState.h" +#include "AE/Core/ICFGWTO.h" +#include "AE/Svfexe/AEDetector.h" +#include "AE/Svfexe/AbsExtAPI.h" +#include "Util/SVFBugReport.h" +#include "WPA/Andersen.h" + +namespace SVF +{ + +// Forward declaration of AbstractInterpretation class +class AbstractInterpretation; + +/** + * @class AbsExtAPI + * @brief Handles external API calls and manages abstract states. + */ +class AbsExtAPI +{ +public: + /** + * @enum ExtAPIType + * @brief Enumeration of external API types. + */ + enum ExtAPIType { UNCLASSIFIED, MEMCPY, MEMSET, STRCPY, STRCAT }; + + /** + * @brief Constructor for AbsExtAPI. + * @param abstractTrace Reference to a map of ICFG nodes to abstract states. + */ + AbsExtAPI(Map& abstractTrace); + + /** + * @brief Initializes the external function map. + */ + void initExtFunMap(); + + /** + * @brief Reads a string from the abstract state. + * @param as Reference to the abstract state. + * @param rhs Pointer to the SVF variable representing the string. + * @return The string value. + */ + std::string strRead(AbstractState& as, const SVFVar* rhs); + + /** + * @brief Handles an external API call. + * @param call Pointer to the call ICFG node. + */ + void handleExtAPI(const CallICFGNode *call); + + /** + * @brief Handles the strcpy API call. + * @param call Pointer to the call ICFG node. + */ + void handleStrcpy(const CallICFGNode *call); + + /** + * @brief Calculates the length of a string. + * @param as Reference to the abstract state. + * @param strValue Pointer to the SVF variable representing the string. + * @return The interval value representing the string length. + */ + IntervalValue getStrlen(AbstractState& as, const SVF::SVFVar *strValue); + + /** + * @brief Handles the strcat API call. + * @param call Pointer to the call ICFG node. + */ + void handleStrcat(const SVF::CallICFGNode *call); + + /** + * @brief Handles the memcpy API call. + * @param as Reference to the abstract state. + * @param dst Pointer to the destination SVF variable. + * @param src Pointer to the source SVF variable. + * @param len The interval value representing the length to copy. + * @param start_idx The starting index for copying. + */ + void handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len, u32_t start_idx); + + /** + * @brief Handles the memset API call. + * @param as Reference to the abstract state. + * @param dst Pointer to the destination SVF variable. + * @param elem The interval value representing the element to set. + * @param len The interval value representing the length to set. + */ + void handleMemset(AbstractState& as, const SVFVar* dst, IntervalValue elem, IntervalValue len); + + /** + * @brief Gets the range limit from a type. + * @param type Pointer to the SVF type. + * @return The interval value representing the range limit. + */ + IntervalValue getRangeLimitFromType(const SVFType* type); + + /** + * @brief Retrieves the abstract state from the trace for a given ICFG node. + * @param node Pointer to the ICFG node. + * @return Reference to the abstract state. + * @throws Assertion if no trace exists for the node. + */ + AbstractState& getAbsStateFromTrace(const ICFGNode* node); + + /** + * @brief Retrieves the SVF variable from a given SVF value. + * @param val Pointer to the SVF value. + * @return Pointer to the corresponding SVF variable. + */ + const SVFVar* getSVFVar(const SVFValue* val); + +protected: + SVFIR* svfir; ///< Pointer to the SVF intermediate representation. + ICFG* icfg; ///< Pointer to the interprocedural control flow graph. + Map& abstractTrace; ///< Map of ICFG nodes to abstract states. + Map> func_map; ///< Map of function names to handlers. +}; + +} // namespace SVF diff --git a/SVF-linux/Release-build/include/AE/Svfexe/AbstractInterpretation.h b/SVF-linux/Release-build/include/AE/Svfexe/AbstractInterpretation.h index 5e686c50..ddb5dd25 100644 --- a/SVF-linux/Release-build/include/AE/Svfexe/AbstractInterpretation.h +++ b/SVF-linux/Release-build/include/AE/Svfexe/AbstractInterpretation.h @@ -31,12 +31,14 @@ #include "AE/Core/AbstractState.h" #include "AE/Core/ICFGWTO.h" #include "AE/Svfexe/AEDetector.h" +#include "AE/Svfexe/AbsExtAPI.h" #include "Util/SVFBugReport.h" #include "WPA/Andersen.h" namespace SVF { class AbstractInterpretation; +class AbsExtAPI; class AEStat; class AEAPI; @@ -104,7 +106,6 @@ class AbstractInterpretation friend class BufOverflowDetector; public: - enum ExtAPIType { UNCLASSIFIED, MEMCPY, MEMSET, STRCPY, STRCAT }; typedef SCCDetection CallGraphSCC; /// Constructor AbstractInterpretation(); @@ -128,7 +129,9 @@ class AbstractInterpretation detectors.push_back(std::move(detector)); } -protected: + Set checkpoints; // for CI check + +private: /// Global ICFGNode is handled at the entry of the program, virtual void handleGlobalNode(); @@ -213,77 +216,6 @@ class AbstractInterpretation AbstractState& as); - /** - * handle external function call - * - * @param call call node whose callee is external function - */ - virtual void handleExtAPI(const CallICFGNode *call); - - /** - * the map of external function to its API type - * - * In AEAPI, this function is mainly used for abstract explanation. - * In subclasses, this function is mainly used to check specific bugs - */ - virtual void initExtFunMap(); - - - /** - * get byte size of alloca inst - * e.g. source code str = "abc", there are str value, return "abc" - * - * @param rhs SVFValue of string - * @return the string - */ - std::string strRead(AbstractState& as,const SVFValue* rhs); - - /** - * get length of string - * e.g. source code str = "abc", return 3 - * - * @param strValue SVFValue of string - * @return IntervalValue of string length - */ - IntervalValue getStrlen(AbstractState& as, const SVF::SVFValue *strValue); - - /** - * execute strcpy in abstract execution - * e.g arr = new char[10] - * str = "abc" - * strcpy(arr, str) - * we can set arr[0]='a', arr[1]='b', arr[2]='c', arr[3]='\0' - * @param call callnode of strcpy like api - */ - virtual void handleStrcpy(const CallICFGNode *call); - /** - * execute strcpy in abstract execution - * e.g arr[10] = "abc" - * str = "de" - * strcat(arr, str) - * we can set arr[3]='d', arr[4]='e', arr[5]='\0' - * @param call callnode of strcat like api - */ - virtual void handleStrcat(const CallICFGNode *call); - /** - * execute memcpy in abstract execution - * e.g arr = new char[10] - * str = "abcd" - * memcpy(arr, str, 5) - * we can set arr[3]='d', arr[4]='e', arr[5]='\0' - * @param call callnode of memcpy like api - */ - virtual void handleMemcpy(AbstractState& as, const SVFValue* dst, const SVFValue* src, IntervalValue len, u32_t start_idx); - /** - * execute memset in abstract execution - * e.g arr = new char[10] - * memset(arr, 'c', 2) - * we can set arr[0]='c', arr[1]='c', arr[2]='\0' - * @param call callnode of memset like api - */ - virtual void handleMemset(AbstractState& as, const SVFValue* dst, IntervalValue elem, IntervalValue len); - - void collectCheckPoint(); void checkPointAllSet(); @@ -309,8 +241,6 @@ class AbstractInterpretation void updateStateOnPhi(const PhiStmt *phi); - IntervalValue getRangeLimitFromType(const SVFType* type); - /// protected data members, also used in subclasses SVFIR* svfir; @@ -324,18 +254,6 @@ class AbstractInterpretation Map funcToWTO; Set recursiveFuns; -private: - // helper functions in handleCallSite - virtual bool isExtCall(const CallICFGNode* callNode); - virtual void extCallPass(const CallICFGNode* callNode); - virtual bool isRecursiveCall(const CallICFGNode* callNode); - virtual void recursiveCallPass(const CallICFGNode* callNode); - virtual bool isDirectCall(const CallICFGNode* callNode); - virtual void directCallFunPass(const CallICFGNode* callNode); - virtual bool isIndirectCall(const CallICFGNode* callNode); - virtual void indirectCallFunPass(const CallICFGNode* callNode); - -protected: AbstractState& getAbsStateFromTrace(const ICFGNode* node) { @@ -356,16 +274,31 @@ class AbstractInterpretation return abstractTrace.count(repNode) != 0; } -protected: + AbsExtAPI* getUtils() + { + return utils; + } + + // helper functions in handleCallSite + virtual bool isExtCall(const CallICFGNode* callNode); + virtual void extCallPass(const CallICFGNode* callNode); + virtual bool isRecursiveCall(const CallICFGNode* callNode); + virtual void recursiveCallPass(const CallICFGNode* callNode); + virtual bool isDirectCall(const CallICFGNode* callNode); + virtual void directCallFunPass(const CallICFGNode* callNode); + virtual bool isIndirectCall(const CallICFGNode* callNode); + virtual void indirectCallFunPass(const CallICFGNode* callNode); + // there data should be shared with subclasses Map> func_map; - Set checkpoints; - Set checkpoint_names; - Map - abstractTrace; // abstract states immediately after nodes + + Map abstractTrace; // abstract states immediately after nodes std::string moduleName; std::vector> detectors; + AbsExtAPI* utils; + + }; } \ No newline at end of file diff --git a/SVF-linux/Release-build/lib/libSvfCore.a b/SVF-linux/Release-build/lib/libSvfCore.a index 0aa7b724..405f400e 100644 Binary files a/SVF-linux/Release-build/lib/libSvfCore.a and b/SVF-linux/Release-build/lib/libSvfCore.a differ