Cwe476 (#11)

* improved CWE476-check with dataflow analysis

CHANGES.md

@@ -7,6 +7,7 @@
 -  Added automated test suite (run with make test) (PR #7)
 -  Improved cross compiling for acceptance test cases by using dockcross (PR #8)
 -  Added BAP recipe for standard cwe_checker run (PR #9)
+-  Improved check for CWE-476 (NULL Pointer Dereference) using data flow analysis (PR #11)
 
 0.1 (2018-10-08)
 =====

src/checkers/cwe_190.ml

@@ -27,7 +27,7 @@ let check_multiplication_before_symbol proj prog sub blk jmp tid_map symbols =
                      (Address_translation.translate_tid_to_assembler_address_string (Term.tid blk) tid_map)
                      (Symbol_utils.get_symbol_name_from_jmp jmp symbols))
 
-let check_cwe prog proj tid_map symbol_names =
+let check_cwe prog proj tid_map symbol_names _ =
   match symbol_names with
   | hd::[] ->
    let symbols = Symbol_utils.build_symbols hd prog in

src/checkers/cwe_190.mli

@@ -5,4 +5,4 @@ https://cwe.mitre.org/data/definitions/190.html
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit

src/checkers/cwe_215.ml

@@ -30,7 +30,7 @@ let read_lines in_chan =
     List.rev !lines
 
 (* TODO: check if program contains strings like "DEBUG"*)
-let check_cwe _ project _ _ =
+let check_cwe _ project _ _ _ =
   match Project.get project filename with
   | Some fname -> begin
       let cmd = Format.sprintf "readelf --debug-dump=decodedline %s | grep CU" fname in
@@ -42,4 +42,3 @@ let check_cwe _ project _ _ =
         Log_utils.error "[%s] {%s} %s %s %s" name version (Unix.error_message e) fm argm
     end
   | _ -> failwith "[CWE215] symbol_names not as expected"
-

src/checkers/cwe_215.mli

@@ -3,4 +3,4 @@
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list ->  unit

src/checkers/cwe_243.ml

@@ -81,10 +81,9 @@ let check_subfunction prog tid_map sub pathes =
          (Term.name sub)
     end
 
-let check_cwe prog proj tid_map pathes =
+let check_cwe prog proj tid_map pathes _ =
   let chroot_symbol = find_symbol prog "chroot" in
   match chroot_symbol with
   | Some _ ->
     Seq.iter (Term.enum sub_t prog) ~f:(fun sub -> check_subfunction prog tid_map sub pathes)
   | _ -> ()
-

src/checkers/cwe_243.mli

@@ -5,4 +5,4 @@ See https://cwe.mitre.org/data/definitions/243.html for detailed description. *)
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit

src/checkers/cwe_248.ml

@@ -59,7 +59,7 @@ let rec find_uncaught_exceptions subfunction already_checked_functions program ~
 (* Search for uncatched exceptions for each entry point into the binary.
     TODO: Exceptions, that are catched when starting from one entry point, but not from another, are masked this
     way. We should check whether this produces a lot of false negatives. *)
-let check_cwe program project tid_map symbol_pairs =
+let check_cwe program project tid_map symbol_pairs _ =
   let entry_points = Symbol_utils.get_program_entry_points program in
   let _ = Seq.fold entry_points ~init:[] ~f:(fun already_checked_functions sub -> find_uncaught_exceptions ~tid_map:tid_map sub already_checked_functions program) in
   ()

src/checkers/cwe_248.mli

@@ -8,4 +8,4 @@ can actually catch the thrown exceptions, thus we generate some false negatives.
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit

src/checkers/cwe_332.ml

@@ -7,7 +7,7 @@ open Symbol_utils
 let name = "CWE332"
 let version = "0.1"
 
-let check_cwe program proj tid_map symbol_pairs =
+let check_cwe program proj tid_map symbol_pairs _ =
   match Option.both (find_symbol program "srand") (find_symbol program "rand") with
   | None -> begin
       match (find_symbol program "rand") with
@@ -15,4 +15,3 @@ let check_cwe program proj tid_map symbol_pairs =
       | Some _ -> Log_utils.warn "[%s] {%s} (Insufficient Entropy in PRNG) program uses rand without calling srand before" name version
     end
   | Some (srand_tid, rand_tid) -> ()
-

src/checkers/cwe_332.mli

@@ -6,4 +6,4 @@ See https://cwe.mitre.org/data/definitions/332.html for detailed description. *)
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> 'a -> 'b -> string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> 'a -> 'b -> string list list -> 'c -> unit

src/checkers/cwe_367.ml

@@ -57,6 +57,6 @@ let handle_sub sub program tid_map symbols source sink =
   else
     ()
 
-let check_cwe program proj tid_map symbol_pairs =
+let check_cwe program proj tid_map symbol_pairs _ =
   let symbols = Symbol_utils.build_symbols ["access"; "open";] in
   Seq.iter (Term.enum sub_t program) ~f:(fun s -> handle_sub s program tid_map symbols "access" "open")

src/checkers/cwe_367.mli

@@ -5,4 +5,4 @@ https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit

src/checkers/cwe_426.ml

@@ -21,7 +21,7 @@ let handle_sub sub program tid_map symbols =
     end
   else ()
 
-let check_cwe program proj tid_map symbols =
+let check_cwe program proj tid_map symbols _ =
   match symbols with
   | hd::[] ->
      Seq.iter (Term.enum sub_t program) ~f:(fun s -> handle_sub s program tid_map hd)

src/checkers/cwe_426.mli

@@ -11,4 +11,4 @@ drops privileges on startup.  (Debian uses a modified bash which does not do thi
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit

src/checkers/cwe_457.ml

@@ -92,5 +92,5 @@ let check_subfunction prog proj tid_map sub =
             end
         end)
 
-let check_cwe prog proj tid_map symbol_names =
+let check_cwe prog proj tid_map symbol_names _ =
   Seq.iter (Term.enum sub_t prog) ~f:(fun sub -> check_subfunction prog proj tid_map sub)

src/checkers/cwe_457.mli

@@ -4,4 +4,4 @@ See https://cwe.mitre.org/data/definitions/457.html for detailed description. *)
 val name: string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit

src/checkers/cwe_467.ml

@@ -24,7 +24,7 @@ let check_input_is_pointer_size proj prog sub blk jmp tid_map symbols =
       | _ -> ())
 
 
-let check_cwe prog proj tid_map symbol_names =
+let check_cwe prog proj tid_map symbol_names _ =
   match symbol_names with
   | hd::[] ->
      let symbols = Symbol_utils.build_symbols hd prog in

src/checkers/cwe_467.mli

@@ -9,4 +9,4 @@ See https://cwe.mitre.org/data/definitions/467.html for detailed description. *)
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit

src/checkers/cwe_476.ml

-open Core_kernel.Std
 open Bap.Std
-open Symbol_utils
+open Core_kernel.Std
 
 let name = "CWE476"
-let version = "0.1"
-
-let find_blk_tid_in_sub blk_tid sub =
-  Seq.find (Term.enum blk_t sub) ~f:(fun b -> (Term.tid b) = blk_tid)
-
-let get_jmps blk = Seq.filter (Blk.elts blk) ~f:(fun elt -> match elt with
-          | `Phi phi -> false
-          | `Def def -> false
-          | `Jmp jmp -> true )
-                   |> Seq.map ~f:(fun j -> match j with
-                       | `Jmp jmp -> jmp
-                       | _ -> assert(false))
-
-let jmp_cond_checks_zf jmp =
-  let e = Jmp.cond jmp in
-  (Exp.to_string e) = "~ZF" || (Exp.to_string e) = "ZF"
-
-(* Check if next block contains when zf = 0 goto, if not then there is a chance that this yields a null pointer deref *)
-let check_null_pointer proj prog sub blk jmp tid_map symbols =
-  Seq.iter (Graphs.Tid.Node.succs (Term.tid blk) (Sub.to_graph sub)) ~f:(
-    fun next_blk -> match find_blk_tid_in_sub next_blk sub with
-      | Some b -> begin
-          (* ToDo: Check if there is a definition of ZF = 0 *)
-          let jmps = get_jmps b in
-          match Seq.find jmps ~f:jmp_cond_checks_zf with
-          | Some _ -> ()
-          | None -> Log_utils.warn "[%s] {%s} (NULL Pointer Dereference) There is no check if the return value is NULL at %s (%s)."
+let version = "0.2"
+
+(* Access type denotes whether a variable var gets accessed or the memory stored at
+   address var gets accessed *)
+type access_type = | Access of Bil.var | MemAccess of Bil.var | NoAccess
+
+(* The union of two accesses is the higher access with MemAcces > Access > NoAccess *)
+let union_access access1 access2 : access_type =
+  match (access1, access2) with
+  | (MemAccess(_), _) -> access1
+  | (_, MemAccess(_))
+  | (_, Access(_))    -> access2
+  | _                 -> access1
+
+
+(* union of three accesses for convenience *)
+let union_access_triple access1 access2 access3 =
+  union_access access1 access2
+  |> union_access access3
+
+(* the state contains a list of pairs of register names containing an unchecked
+   return value and the term identifiers of the block where the unchecked
+   return value was generated. *)
+module State = struct
+  type t = (Var.t * Tid.t) list
+
+  (** adds var as a tainted register (with the taint source given by tid) *)
+  let add state var tid =
+    let state = List.Assoc.remove state ~equal:Var.(=) var in
+    List.Assoc.add state ~equal:Var.(=) var tid
+
+  (** returns Some(tid) if var is a tainted register, None otherwise *)
+  let find state var =
+    List.Assoc.find state ~equal:Var.(=) var
+
+  (** returns the tid associated with a tainted register *)
+  let find_exn state var =
+    Option.value_exn (find state var)
+
+  (** only remove the register var from the list of tainted registers *)
+  let remove_var state var =
+    List.Assoc.remove state ~equal:Var.(=) var
+
+  (** filters out all registers from the state with the same tid *)
+  let remove_tid state var =
+    let tid = find_exn state var in
+    List.filter state ~f:(fun (_, state_elem_tid) -> not (state_elem_tid = tid))
+
+  (** two states are equal if they contain the same set of tainted registers*)
+  let equal state1 state2 =
+    (List.length state1) = (List.length state2) &&
+    not (List.exists state1 ~f:(fun (var, tid) -> Option.is_none (find state2 var) ))
+
+  (** The union of two states is the union of the tainted registers*)
+  let union state1 state2 =
+    List.fold state2 ~init:state1 ~f:(fun state (var, tid) ->
+        if Option.is_some (find state var) then
+          state
+        else
+          (var, tid) :: state
+      )
+
+  (** remove virtual registers from the state (useful at the end of a block) *)
+  let remove_virtual_registers state =
+    List.filter state ~f:(fun (var, tid) -> Var.is_physical var)
+
+end
+
+(* check whether an expression contains an unchecked value. *)
+let rec contains_unchecked exp state : access_type =
+  match exp with
+  | Bil.Load(mem, addr, _, _)->
+    begin
+      let acc = contains_unchecked addr state in
+      match acc with
+      | MemAccess(_) -> acc
+      | Access(var) -> MemAccess(var)
+      | NoAccess -> NoAccess
+    end
+  | Bil.Store(mem, addr, val_expression, _,_) ->
+    begin
+      let acc = union_access (contains_unchecked addr state) (contains_unchecked val_expression state) in
+      match acc with
+      | MemAccess(_) -> acc
+      | Access(var) -> MemAccess(var)
+      | NoAccess -> NoAccess
+    end
+  | Bil.BinOp(_, exp1, exp2) -> union_access (contains_unchecked exp1 state) (contains_unchecked exp2 state)
+  | Bil.UnOp(_, exp) -> contains_unchecked exp state
+  | Bil.Var(var) ->
+    begin
+      match State.find state var with
+      | Some(_) -> Access(var)
+      | None -> NoAccess
+    end
+  | Bil.Int(_) -> NoAccess
+  | Bil.Cast(_, _, exp) -> contains_unchecked exp state
+  | Bil.Let(var, exp1, exp2) ->
+    union_access_triple (contains_unchecked exp1 state) (contains_unchecked exp2 state) (contains_unchecked (Bil.var var) state)
+  | Bil.Unknown(_) -> NoAccess
+  | Bil.Ite(if_, then_, else_) ->
+    union_access_triple (contains_unchecked if_ state) (contains_unchecked then_ state) (contains_unchecked else_ state)
+  | Bil.Extract(_,_, exp) -> contains_unchecked exp state
+  | Bil.Concat(exp1, exp2) -> union_access (contains_unchecked exp1 state) (contains_unchecked exp2 state)
+
+(* If an formerly unchecked return value was checked then remove all registers pointing
+   to the source of this return value from state. *)
+let checks_value exp state : State.t =
+  match exp with
+  | Bil.Ite(if_, then_, else_) -> begin
+      match contains_unchecked if_ state with
+      | Access(var) ->
+        (* We filter out all registers with the same generating tid, since we have checked
+           the return value of this source *)
+        State.remove_tid state var
+      | MemAccess(_) (* This is a memory access before checking the return value, so do nothing here. *)
+      | NoAccess -> state
+    end
+  | _ -> state
+
+let append_to_hits (cwe_hits:Tid.t list ref) (tid:Tid.t) =
+  match List.find cwe_hits.contents ~f:(fun elem -> elem = tid) with
+  | Some(_) -> ()
+  | None -> (cwe_hits := (tid :: cwe_hits.contents))
+
+(** flags any access (not just memory access) from an unchecked source as a cwe_hit. *)
+let flag_any_access exp state ~cwe_hits =
+  match contains_unchecked exp state with
+  | MemAccess(var) | Access(var) ->
+    let tid = State.find_exn state var in
+    append_to_hits cwe_hits tid;
+    State.remove_tid state var
+  | NoAccess -> state
+
+(** flag all unchecked registers as cwe_hits, return empty state *)
+let flag_all_unchecked_registers state ~cwe_hits =
+  let () = List.iter state ~f:(fun (var, tid) ->
+      append_to_hits cwe_hits tid) in
+  []
+
+(** Updates the state depending on the def. If memory is accessed using an unchecked return value,
+    then the access is added to the list of cwe_hits. *)
+let update_state_def def state ~cwe_hits =
+  let (lhs, rhs) = (Def.lhs def, Def.rhs def) in
+  let state = checks_value rhs state in
+  match contains_unchecked rhs state with
+  | MemAccess(var) -> begin (* we found a case of unchecked return value *)
+      let tid = State.find_exn state var in
+      append_to_hits cwe_hits tid;
+      State.remove_tid state var
+    end
+  | Access(var) -> (* taint the lhs as an unchecked return value *)
+    let tid = State.find_exn state var in
+    State.add state lhs tid
+  | NoAccess -> (* no access to an unchecked return value in rhs. Since lhs is overwritten, it cannot be an unchecked return value anymore. *)
+    State.remove_var state lhs
+
+(** Taint the return registers of a function as unchecked return values. *)
+let taint_return_registers func_tid state ~program ~block =
+  let func = Term.find_exn sub_t program func_tid in
+  let arguments = Term.enum arg_t func in
+  (* Every return register is tainted as unchecked return value. *)
+  Seq.fold arguments ~init:state ~f:(fun state arg ->
+      match Bap.Std.Arg.intent arg with
+      | None | Some(In) -> state
+      | Some(Out) | Some(Both) ->
+        let variable = match Bap.Std.Arg.rhs arg with
+          | Bil.Var(var) -> var
+          | _ -> failwith "[CWE476] Return register wasn't a register." in
+        State.add state variable (Term.tid block)
+    )
+
+(** Updates the state depending on the jump. On a jump to a function from the function list
+    taint all return registers as unchecked return values. *)
+let update_state_jmp jmp state ~cwe_hits ~function_names ~program ~block ~strict_call_policy =
+  (* first check the guard condition for unchecked access. Any normal access clears the access from being unchecked *)
+  let condition_exp = Jmp.cond jmp in
+  let state = begin
+    match contains_unchecked condition_exp state with
+    | Access(var) ->
+      State.remove_tid state var
+    | MemAccess(var) -> (* a memory access using an unchecked value is still an error *)
+      let tid = State.find_exn state var in
+      let () = append_to_hits cwe_hits tid in
+      State.remove_tid state var
+    | NoAccess -> state
+  end in
+  match Jmp.kind jmp with
+  | Goto(Indirect(exp)) -> flag_any_access exp state cwe_hits
+  | Goto(Direct(_)) -> state
+  | Ret(_) -> if strict_call_policy then
+      flag_all_unchecked_registers state cwe_hits
+    else
+      state
+  | Int(_, _) -> flag_all_unchecked_registers state cwe_hits
+  | Call(call) ->
+    let state = match Call.return call with
+      | Some(Indirect(exp)) -> flag_any_access exp state cwe_hits
+      | _ -> state in
+    let state = match Call.target call with
+      | Indirect(exp) -> flag_any_access exp state cwe_hits
+      | _ -> state in
+    let state = match strict_call_policy with
+      | true -> (* all unchecked registers get flagged as hits *)
+        flag_all_unchecked_registers state cwe_hits
+      | false -> (* we assume that the callee will check all remaining unchecked values *)
+        [] in
+    match Call.target call with
+    | Indirect(_) -> state (* already handled above *)
+    | Direct(tid) ->
+      if List.exists function_names ~f:(fun elem -> String.(=) elem (Tid.name tid)) then
+        taint_return_registers tid state program block
+      else
+        state
+
+(** updates a block analysis.
+    The strict call policy decides the behaviour on call and return instructions:
+    strict: all unchecked values get flagged as cwe-hits
+    non-strict: the state gets cleared, it is assumed that the target of the call/return
+    instruction checks all remaining unchecked values. *)
+let update_block_analysis block register_state ~cwe_hits ~function_names ~program ~strict_call_policy =
+  let elements = Blk.elts block in
+  let register_state = Seq.fold elements ~init:register_state ~f:(fun state element ->
+      match element with
+      | `Def def -> update_state_def def state ~cwe_hits
+      | `Phi phi -> state (* We ignore phi terms for this analysis. *)
+      | `Jmp jmp -> update_state_jmp jmp state ~cwe_hits ~function_names ~program ~block ~strict_call_policy
+    ) in
+  State.remove_virtual_registers register_state (* virtual registers should not be accessed outside of the block where they are defined. *)
+
+let print_hit tid ~sub ~function_names ~tid_map =
+  let block = Option.value_exn (Term.find blk_t sub tid) in
+  let jmps = Term.enum jmp_t block in
+  let _ = Seq.find_exn jmps ~f:(fun jmp ->
+      match Jmp.kind jmp with
+      | Call(call) -> begin
+          match Call.target call with
+          | Direct(call_tid) -> Option.is_some (List.find function_names ~f:(fun name ->
+              if name = (Tid.name call_tid) then begin
+                Log_utils.warn "[%s] {%s} (NULL Pointer Dereference) There is no check if the return value is NULL at %s (%s)."
                   name
                   version
-                      (Address_translation.translate_tid_to_assembler_address_string (Term.tid blk) tid_map)
-                      (Symbol_utils.get_symbol_name_from_jmp jmp symbols)
+                  (Address_translation.translate_tid_to_assembler_address_string tid tid_map)
+                  name;
+                true
+              end else
+                false
+            ))
+          | _ -> false
         end
-      | _ -> assert(false))
-
-let check_cwe prog proj tid_map symbol_names =
-  match symbol_names with
-  | hd::[] ->
-     let symbols = Symbol_utils.build_symbols hd prog in 
-     let calls = call_finder#run prog [] in
-     let relevant_calls = filter_calls_to_symbols calls symbols in
-     check_calls relevant_calls prog proj tid_map symbols check_null_pointer
-  | _ -> failwith "[CWE476] symbol_names not as expected"
+      | _ -> false
+    ) in ()
+
+let check_cwe prog proj tid_map symbol_names parameters =
+  let symbols = match symbol_names with
+    | hd :: _ -> hd
+    | _ -> failwith "[CWE476] symbol_names not as expected" in
+  let (strict_call_policy_string, max_steps_string) = match parameters with
+    | par1 :: par2 :: _ -> (par1, par2)
+    | _ -> failwith "[CWE476] parameters not as expected" in
+  let strict_call_policy = match String.split strict_call_policy_string ~on:'=' with
+    | "strict_call_policy" :: policy :: [] -> bool_of_string policy
+    | _ -> failwith "[CWE476] parameters not as expected" in
+  let max_steps = match String.split max_steps_string ~on:'=' with
+    | "max_steps" :: num :: [] -> int_of_string num
+    | _ -> failwith "[CWE476] parameters not as expected" in
+  let function_names = List.map symbols ~f:(fun symb -> "@" ^ symb)  in
+  let subfunctions = Term.enum sub_t prog in
+  Seq.iter subfunctions ~f:(fun subfn ->
+      let cfg = Sub.to_cfg subfn in
+      let cwe_hits = ref [] in
+      let empty = Map.empty Graphs.Ir.Node.comparator in
+      let init = Graphlib.Std.Solution.create empty [] in
+      let equal = State.equal in
+      let merge = State.union in
+      let f = (fun node state ->
+          let block = Graphs.Ir.Node.label node in
+          update_block_analysis block state ~cwe_hits ~function_names ~program:prog ~strict_call_policy
+        ) in
+      let _ = Graphlib.Std.Graphlib.fixpoint (module Graphs.Ir) cfg ~steps:max_steps ~rev:false ~init:init ~equal:equal ~merge:merge ~f:f in
+      List.iter (!cwe_hits) ~f:(fun hit -> print_hit hit ~sub:subfn ~function_names ~tid_map)
+    )

src/checkers/cwe_476.mli

 (** This module implements a check for CWE-476 (NULL Pointer Dereference).
-It checks if the result of a function that may return a NULL value is checked immediately
-for NULL. The symbols are configurable in config.json.
-See https://cwe.mitre.org/data/definitions/476.html for detailed description. *)
-val name: string
+    It checks if the result of a function that may return a NULL value is checked
+    for NULL before any memory gets accessed using the return values. The symbols
+    are configurable in config.json. See https://cwe.mitre.org/data/definitions/476.html
+    for detailed description.
+
+    Parameters:
+    - strict_call_policy={true, false}: Determines behaviour on call and return instructions.
+      If false, we assume that the callee, resp. the caller on a return instruction,
+      checks all unchecked values still contained in the registers. If true, every
+      unchecked value on a call or return instruction gets reported.
+    - max_steps=<num>: Max number of steps for the dataflow fixpoint algorithm.
+
+    Notes: The check relies on Bap-generated stubs to identify return registers of the
+    checked functions. Therefore it only works for functions for which Bap generates
+    these stubs. *)
+
+val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit

src/checkers/cwe_676.ml

@@ -35,7 +35,7 @@ let resolve_symbols prog symbols =
     Seq.filter ~f:(fun s -> List.exists ~f:(fun x -> x = Sub.name s) symbols)
 
 
-let check_cwe prog proj tid_map symbol_names =
+let check_cwe prog proj tid_map symbol_names _ =
   match symbol_names with
   | hd::[] ->
      let subfunctions = Term.enum sub_t prog in
@@ -43,4 +43,3 @@ let check_cwe prog proj tid_map symbol_names =
      get_calls_to_symbols cg subfunctions (resolve_symbols prog hd)
      |> print_calls ~tid_map:tid_map
   | _ -> failwith "[CWE676] symbol_names not as expected"
-

src/checkers/cwe_676.mli

@@ -5,4 +5,4 @@ See https://cwe.mitre.org/data/definitions/676.html for detailed description. *)
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit

src/checkers/cwe_782.ml

@@ -15,5 +15,5 @@ let handle_sub sub program tid_map symbols =
       else
         ()
 
-let check_cwe program proj tid_map symbols =
+let check_cwe program proj tid_map symbols _ =
   Seq.iter (Term.enum sub_t program) ~f:(fun s -> handle_sub s program tid_map symbols)

src/checkers/cwe_782.mli

@@ -4,4 +4,4 @@ https://cwe.mitre.org/data/definitions/782.html *)
 val name : string
 val version : string
 
-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit

src/config.json

@@ -95,6 +95,10 @@
   "CWE476": {
     "_comment": "any function that possibly returns a NULL value.",
     "_comment1": "included functions of the following libs: stdlib.h, locale.h, stdio.h, cstring.h, wchar.h",
+    "parameters": [
+      "strict_call_policy=true",
+      "max_steps=100"
+    ],
     "symbols": [
       "malloc",
       "calloc",

src/cwe_checker.ml

@@ -7,24 +7,25 @@ open Yojson.Basic.Util
 include Self()
 
 type cwe_module = {
-    cwe_func :  Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit;
+    cwe_func :  Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit;
     name : string;
     version : string;
     requires_pairs : bool;
+    has_parameters : bool;
   }
 
-let known_modules = [{cwe_func = Cwe_190.check_cwe; name = Cwe_190.name; version = Cwe_190.version; requires_pairs = false};
-                     {cwe_func = Cwe_215.check_cwe; name = Cwe_215.name; version = Cwe_215.version; requires_pairs = false};
-                     {cwe_func = Cwe_243.check_cwe; name = Cwe_243.name; version = Cwe_243.version; requires_pairs = true};
-                     {cwe_func = Cwe_248.check_cwe; name = Cwe_248.name; version = Cwe_248.version; requires_pairs = false};
-                     {cwe_func = Cwe_332.check_cwe; name = Cwe_332.name; version = Cwe_332.version; requires_pairs = true};
-                     {cwe_func = Cwe_367.check_cwe; name = Cwe_367.name; version = Cwe_367.version; requires_pairs = true};
-                     {cwe_func = Cwe_426.check_cwe; name = Cwe_426.name; version = Cwe_426.version; requires_pairs = false};
-                     {cwe_func = Cwe_457.check_cwe; name = Cwe_457.name; version = Cwe_457.version; requires_pairs = false};
-                     {cwe_func = Cwe_467.check_cwe; name = Cwe_467.name; version = Cwe_467.version; requires_pairs = false};
-                     {cwe_func = Cwe_476.check_cwe; name = Cwe_476.name; version = Cwe_476.version; requires_pairs = false};
-                     {cwe_func = Cwe_676.check_cwe; name = Cwe_676.name; version = Cwe_676.version; requires_pairs = false};
-                     {cwe_func = Cwe_782.check_cwe; name = Cwe_782.name; version = Cwe_782.version; requires_pairs = false}]
+let known_modules = [{cwe_func = Cwe_190.check_cwe; name = Cwe_190.name; version = Cwe_190.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_215.check_cwe; name = Cwe_215.name; version = Cwe_215.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_243.check_cwe; name = Cwe_243.name; version = Cwe_243.version; requires_pairs = true; has_parameters = false};
+                     {cwe_func = Cwe_248.check_cwe; name = Cwe_248.name; version = Cwe_248.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_332.check_cwe; name = Cwe_332.name; version = Cwe_332.version; requires_pairs = true; has_parameters = false};
+                     {cwe_func = Cwe_367.check_cwe; name = Cwe_367.name; version = Cwe_367.version; requires_pairs = true; has_parameters = false};
+                     {cwe_func = Cwe_426.check_cwe; name = Cwe_426.name; version = Cwe_426.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_457.check_cwe; name = Cwe_457.name; version = Cwe_457.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_467.check_cwe; name = Cwe_467.name; version = Cwe_467.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_476.check_cwe; name = Cwe_476.name; version = Cwe_476.version; requires_pairs = false; has_parameters = true};
+                     {cwe_func = Cwe_676.check_cwe; name = Cwe_676.name; version = Cwe_676.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_782.check_cwe; name = Cwe_782.name; version = Cwe_782.version; requires_pairs = false; has_parameters = false}]
 
 let build_version_sexp () =
   List.map known_modules ~f:(fun cwe -> Format.sprintf "(\"%s\" \"%s\")" cwe.name cwe.version)
@@ -36,15 +37,18 @@ let print_module_versions () =
     (build_version_sexp ())
 
 let execute_cwe_module cwe json program project tid_address_map =
+  let parameters = match cwe.has_parameters with
+    | false -> []
+    | true -> Json_utils.get_parameter_list_from_json json cwe.name in
    if cwe.requires_pairs = true then
      begin
        let symbol_pairs = Json_utils.get_symbol_lists_from_json json cwe.name in
-       cwe.cwe_func program project tid_address_map symbol_pairs
+       cwe.cwe_func program project tid_address_map symbol_pairs parameters
      end
    else
      begin
        let symbols = Json_utils.get_symbols_from_json json cwe.name in
-       cwe.cwe_func program project tid_address_map [symbols]
+       cwe.cwe_func program project tid_address_map [symbols] parameters
      end
 
 let partial_run project config modules =

src/utils/json_utils.ml

@@ -23,3 +23,10 @@ let get_symbol_lists_from_json json cwe =
   |> filter_member "pairs"
   |> flatten
   |> List.map ~f:(fun l -> List.map (to_list l) ~f:to_string)
+
+let get_parameter_list_from_json json cwe =
+  [json]
+  |> filter_member cwe
+  |> filter_member "parameters"
+  |> flatten
+  |> List.map ~f:to_string

src/utils/json_utils.mli

@@ -2,3 +2,4 @@
 
 val get_symbol_lists_from_json : Yojson.Basic.json -> string -> string list list
 val get_symbols_from_json : Yojson.Basic.json -> string -> string list
+val get_parameter_list_from_json : Yojson.Basic.json -> string -> string list

test/artificial_samples/cwe_476.c

 #include <stdlib.h>
 
 void func1(){
-  void* data = malloc(20);
+  void* data = malloc(20000);
   if (data == NULL){
     exit(42);
   }
@@ -9,7 +9,8 @@ void func1(){
 }
 
 void func2(){
- void* data = malloc(20);
+ int* data = malloc(200000);
+ printf("%i", data[0]);
  free(data);
 }
 

test/artificial_samples/makefile

@@ -10,114 +10,117 @@ CPP_ARM=arm-linux-gnueabi-g++-5
 CPP_MIPS=mips-linux-gnu-g++-5
 CPP_PPC=powerpc-linux-gnu-g++-5
 
-CFLAGS_X64=-O0 -g -fno-stack-protector -std=c11
-CFLAGS_X86=-O0 -g -m32 -fno-stack-protector -std=c11
-CFLAGS_ARM=-O0 -g -fno-stack-protector -std=c11
-CFLAGS_MIPS=-O0 -g -fno-stack-protector -std=c11
-CFLAGS_PPC=-O0 -g -fno-stack-protector -std=c11
-
-CPPFLAGS_X64=-O0 -g -fno-stack-protector
-CPPFLAGS_X86=-O0 -g -m32 -fno-stack-protector
-CPPFLAGS_ARM=-O0 -g -fno-stack-protector
-CPPFLAGS_MIPS=-O0 -g -fno-stack-protector
-CPPFLAGS_PPC=-O0 -g -fno-stack-protector
+CFLAGS_X64=-g -fno-stack-protector -std=c11
+CFLAGS_X86=-g -m32 -fno-stack-protector -std=c11
+CFLAGS_ARM=-g -fno-stack-protector -std=c11
+CFLAGS_MIPS=-g -fno-stack-protector -std=c11
+CFLAGS_PPC=-g -fno-stack-protector -std=c11
+
+CPPFLAGS_X64=-g -fno-stack-protector
+CPPFLAGS_X86=-g -m32 -fno-stack-protector
+CPPFLAGS_ARM=-g -fno-stack-protector
+CPPFLAGS_MIPS=-g -fno-stack-protector
+CPPFLAGS_PPC=-g -fno-stack-protector
+
+OPTIMIZE=-O3
+NO_OPTIMIZE=-O0
 
 define compile_x64
 	@echo "Compiling x64 target:" $(1)
-	$(CC_x64) $(CFLAGS_X64) -o build/$(1)_x64.out $(1).c
+	$(CC_x64) $(CFLAGS_X64) $(2) -o build/$(1)_x64.out $(1).c
 	 execstack -s build/$(1)_x64.out
 endef
 
 define compile_x64_cpp
 	@echo "Compiling x64 target:" $(1)
-	$(CPP_x64) $(CPPFLAGS_X64) -o build/$(1)_x64.out $(1).cpp
+	$(CPP_x64) $(CPPFLAGS_X64) $(2) -o build/$(1)_x64.out $(1).cpp
 	execstack -s build/$(1)_x64.out
 endef
 
 define compile_x86
 	@echo "Compiling x86 target:" $(1)
-	$(CC_X86) $(CFLAGS_X86) -o build/$(1)_x86.out $(1).c
+	$(CC_X86) $(CFLAGS_X86) $(2) -o build/$(1)_x86.out $(1).c
 	execstack -s build/$(1)_x86.out
 endef
 
 define compile_x86_cpp
 	@echo "Compiling x86 target:" $(1)
-	$(CPP_X86) $(CPPFLAGS_X86) -o build/$(1)_x86.out $(1).cpp
+	$(CPP_X86) $(CPPFLAGS_X86) $(2) -o build/$(1)_x86.out $(1).cpp
 	execstack -s build/$(1)_x86.out
 endef
 
 define compile_mips
 	@echo "Compiling mips target:" $(1)
-	$(CC_MIPS) $(CFLAGS_MIPS) -o build/$(1)_mips.out $(1).c
+	$(CC_MIPS) $(CFLAGS_MIPS) $(2) -o build/$(1)_mips.out $(1).c
 	execstack -s build/$(1)_mips.out
 endef
 
 define compile_mips_cpp
 	@echo "Compiling mips target:" $(1)
-	$(CPP_MIPS) $(CPPFLAGS_MIPS) -o build/$(1)_mips.out $(1).cpp
+	$(CPP_MIPS) $(CPPFLAGS_MIPS) $(2) -o build/$(1)_mips.out $(1).cpp
 	execstack -s build/$(1)_mips.out
 endef
 
 define compile_arm
 	@echo "Compiling arm target:" $(1)
-	$(CC_ARM) $(CFLAGS_ARM) -o build/$(1)_arm.out $(1).c
+	$(CC_ARM) $(CFLAGS_ARM) $(2) -o build/$(1)_arm.out $(1).c
 	execstack -s build/$(1)_arm.out
 endef
 
 define compile_arm_cpp
 	@echo "Compiling arm target:" $(1)
-	$(CPP_ARM) $(CPPFLAGS_ARM) -o build/$(1)_arm.out $(1).cpp
+	$(CPP_ARM) $(CPPFLAGS_ARM) $(2) -o build/$(1)_arm.out $(1).cpp
 	execstack -s build/$(1)_arm.out
 endef
 
 define compile_ppc
 	@echo "Compiling ppc target:" $(1)
-	$(CC_PPC) $(CFLAGS_PPC) -o build/$(1)_ppc.out $(1).c
+	$(CC_PPC) $(CFLAGS_PPC) $(2) -o build/$(1)_ppc.out $(1).c
 	execstack -s build/$(1)_ppc.out
 endef
 
 define compile_ppc_cpp
 	@echo "Compiling ppc target:" $(1)
-	$(CPP_PPC) $(CPPFLAGS_PPC) -o build/$(1)_ppc.out $(1).cpp
+	$(CPP_PPC) $(CPPFLAGS_PPC) $(2) -o build/$(1)_ppc.out $(1).cpp
 	execstack -s build/$(1)_ppc.out
 endef
 
 define compile_all
 	$(shell mkdir -p "build")
-	$(call compile_x64,$(1))
-	$(call compile_x86,$(1))
-	$(call compile_arm,$(1))
-	$(call compile_mips,$(1))
-	$(call compile_ppc,$(1))
+	$(call compile_x64,$(1),$(2))
+	$(call compile_x86,$(1),$(2))
+	$(call compile_arm,$(1),$(2))
+	$(call compile_mips,$(1),$(2))
+	$(call compile_ppc,$(1),$(2))
 endef
 
 define compile_all_cpp
 	$(shell mkdir -p "build")
-	$(call compile_x64_cpp,$(1))
-	$(call compile_x86_cpp,$(1))
-	$(call compile_arm_cpp,$(1))
-	$(call compile_mips_cpp,$(1))
-	$(call compile_ppc_cpp,$(1))
+	$(call compile_x64_cpp,$(1),$(2))
+	$(call compile_x86_cpp,$(1),$(2))
+	$(call compile_arm_cpp,$(1),$(2))
+	$(call compile_mips_cpp,$(1),$(2))
+	$(call compile_ppc_cpp,$(1),$(2))
 endef
 
 all:
-	$(call compile_all,c_constructs)
-	$(call compile_all,cwe_190)
-	$(call compile_all,cwe_243)
-	$(call compile_all,cwe_243_clean)
-	$(call compile_all_cpp,cwe_248)
-	$(call compile_all,cwe_332)
-	$(call compile_all,cwe_367)
-	$(call compile_all,cwe_415)
-	$(call compile_all,cwe_426)
-	$(call compile_all,cwe_457)
-	$(call compile_all,cwe_467)
-	$(call compile_all,cwe_476)
-	$(call compile_all,cwe_478)
-	$(call compile_all,cwe_676)
-	$(call compile_x64,cwe_782)
-	$(call compile_all,arrays)
-	$(call compile_all,memory_access)
+	$(call compile_all,c_constructs,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_190,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_243,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_243_clean,$(NO_OPTIMIZE))
+	$(call compile_all_cpp,cwe_248,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_332,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_367,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_415,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_426,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_457,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_467,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_476,$(OPTIMIZE))
+	$(call compile_all,cwe_478,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_676,$(NO_OPTIMIZE))
+	$(call compile_x64,cwe_782,$(NO_OPTIMIZE))
+	$(call compile_all,arrays,$(NO_OPTIMIZE))
+	$(call compile_all,memory_access,$(NO_OPTIMIZE))
 
 clean:
 	rm -rf build