Cwe476 (#11)

* improved CWE476-check with dataflow analysis

Cwe476 (#11)
* improved CWE476-check with dataflow analysis
41b84a41 · Enkelmann · Thomas Barabosch · 44cb572a · 41b84a41 · 41b84a41
Commit 41b84a41 authored Feb 22, 2019 by Enkelmann Committed by Thomas Barabosch Feb 22, 2019
31 changed files
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,6 +7,7 @@
 -  Added automated test suite (run with make test) (PR #7)
 -  Improved cross compiling for acceptance test cases by using dockcross (PR #8)
 -  Added BAP recipe for standard cwe_checker run (PR #9)
+-  Improved check for CWE-476 (NULL Pointer Dereference) using data flow analysis (PR #11)

 0.1 (2018-10-08)
 =====

--- a/src/checkers/cwe_190.ml
+++ b/src/checkers/cwe_190.ml
@@ -27,7 +27,7 @@ let check_multiplication_before_symbol proj prog sub blk jmp tid_map symbols =
                     (Address_translation.translate_tid_to_assembler_address_string (Term.tid blk) tid_map)
                     (Symbol_utils.get_symbol_name_from_jmp jmp symbols))

-let check_cwe prog proj tid_map symbol_names =
+let check_cwe prog proj tid_map symbol_names _ =
  match symbol_names with
  | hd::[] ->
   let symbols = Symbol_utils.build_symbols hd prog in

--- a/src/checkers/cwe_190.mli
+++ b/src/checkers/cwe_190.mli
@@ -5,4 +5,4 @@ https://cwe.mitre.org/data/definitions/190.html
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit
--- a/src/checkers/cwe_215.ml
+++ b/src/checkers/cwe_215.ml
@@ -30,7 +30,7 @@ let read_lines in_chan =
    List.rev !lines

 (* TODO: check if program contains strings like "DEBUG"*)
-let check_cwe _ project _ _ =
+let check_cwe _ project _ _ _ =
  match Project.get project filename with
  | Some fname -> begin
      let cmd = Format.sprintf "readelf --debug-dump=decodedline %s | grep CU" fname in
@@ -42,4 +42,3 @@ let check_cwe _ project _ _ =
        Log_utils.error "[%s] {%s} %s %s %s" name version (Unix.error_message e) fm argm
    end
  | _ -> failwith "[CWE215] symbol_names not as expected"
-
--- a/src/checkers/cwe_215.mli
+++ b/src/checkers/cwe_215.mli
@@ -3,4 +3,4 @@
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list ->  unit
--- a/src/checkers/cwe_243.ml
+++ b/src/checkers/cwe_243.ml
@@ -81,10 +81,9 @@ let check_subfunction prog tid_map sub pathes =
         (Term.name sub)
    end

-let check_cwe prog proj tid_map pathes =
+let check_cwe prog proj tid_map pathes _ =
  let chroot_symbol = find_symbol prog "chroot" in
  match chroot_symbol with
  | Some _ ->
    Seq.iter (Term.enum sub_t prog) ~f:(fun sub -> check_subfunction prog tid_map sub pathes)
  | _ -> ()
-
--- a/src/checkers/cwe_243.mli
+++ b/src/checkers/cwe_243.mli
@@ -5,4 +5,4 @@ See https://cwe.mitre.org/data/definitions/243.html for detailed description. *)
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit
--- a/src/checkers/cwe_248.ml
+++ b/src/checkers/cwe_248.ml
@@ -59,7 +59,7 @@ let rec find_uncaught_exceptions subfunction already_checked_functions program ~
 (* Search for uncatched exceptions for each entry point into the binary.
    TODO: Exceptions, that are catched when starting from one entry point, but not from another, are masked this
    way. We should check whether this produces a lot of false negatives. *)
-let check_cwe program project tid_map symbol_pairs =
+let check_cwe program project tid_map symbol_pairs _ =
  let entry_points = Symbol_utils.get_program_entry_points program in
  let _ = Seq.fold entry_points ~init:[] ~f:(fun already_checked_functions sub -> find_uncaught_exceptions ~tid_map:tid_map sub already_checked_functions program) in
  ()
--- a/src/checkers/cwe_248.mli
+++ b/src/checkers/cwe_248.mli
@@ -8,4 +8,4 @@ can actually catch the thrown exceptions, thus we generate some false negatives.
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit
--- a/src/checkers/cwe_332.ml
+++ b/src/checkers/cwe_332.ml
@@ -7,7 +7,7 @@ open Symbol_utils
 let name = "CWE332"
 let version = "0.1"

-let check_cwe program proj tid_map symbol_pairs =
+let check_cwe program proj tid_map symbol_pairs _ =
  match Option.both (find_symbol program "srand") (find_symbol program "rand") with
  | None -> begin
      match (find_symbol program "rand") with
@@ -15,4 +15,3 @@ let check_cwe program proj tid_map symbol_pairs =
      | Some _ -> Log_utils.warn "[%s] {%s} (Insufficient Entropy in PRNG) program uses rand without calling srand before" name version
    end
  | Some (srand_tid, rand_tid) -> ()
-
--- a/src/checkers/cwe_332.mli
+++ b/src/checkers/cwe_332.mli
@@ -6,4 +6,4 @@ See https://cwe.mitre.org/data/definitions/332.html for detailed description. *)
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> 'a -> 'b -> string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> 'a -> 'b -> string list list -> 'c -> unit
--- a/src/checkers/cwe_367.ml
+++ b/src/checkers/cwe_367.ml
@@ -57,6 +57,6 @@ let handle_sub sub program tid_map symbols source sink =
  else
    ()

-let check_cwe program proj tid_map symbol_pairs =
+let check_cwe program proj tid_map symbol_pairs _ =
  let symbols = Symbol_utils.build_symbols ["access"; "open";] in
  Seq.iter (Term.enum sub_t program) ~f:(fun s -> handle_sub s program tid_map symbols "access" "open")
--- a/src/checkers/cwe_367.mli
+++ b/src/checkers/cwe_367.mli
@@ -5,4 +5,4 @@ https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit
--- a/src/checkers/cwe_426.ml
+++ b/src/checkers/cwe_426.ml
@@ -21,7 +21,7 @@ let handle_sub sub program tid_map symbols =
    end
  else ()

-let check_cwe program proj tid_map symbols =
+let check_cwe program proj tid_map symbols _ =
  match symbols with
  | hd::[] ->
     Seq.iter (Term.enum sub_t program) ~f:(fun s -> handle_sub s program tid_map hd)

--- a/src/checkers/cwe_426.mli
+++ b/src/checkers/cwe_426.mli
@@ -11,4 +11,4 @@ drops privileges on startup.  (Debian uses a modified bash which does not do thi
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit
--- a/src/checkers/cwe_457.ml
+++ b/src/checkers/cwe_457.ml
@@ -92,5 +92,5 @@ let check_subfunction prog proj tid_map sub =
            end
        end)

-let check_cwe prog proj tid_map symbol_names =
+let check_cwe prog proj tid_map symbol_names _ =
  Seq.iter (Term.enum sub_t prog) ~f:(fun sub -> check_subfunction prog proj tid_map sub)
--- a/src/checkers/cwe_457.mli
+++ b/src/checkers/cwe_457.mli
@@ -4,4 +4,4 @@ See https://cwe.mitre.org/data/definitions/457.html for detailed description. *)
 val name: string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit
--- a/src/checkers/cwe_467.ml
+++ b/src/checkers/cwe_467.ml
@@ -24,7 +24,7 @@ let check_input_is_pointer_size proj prog sub blk jmp tid_map symbols =
      | _ -> ())


-let check_cwe prog proj tid_map symbol_names =
+let check_cwe prog proj tid_map symbol_names _ =
  match symbol_names with
  | hd::[] ->
     let symbols = Symbol_utils.build_symbols hd prog in

--- a/src/checkers/cwe_467.mli
+++ b/src/checkers/cwe_467.mli
@@ -9,4 +9,4 @@ See https://cwe.mitre.org/data/definitions/467.html for detailed description. *)
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit
--- a/src/checkers/cwe_476.ml
+++ b/src/checkers/cwe_476.ml
--- a/src/checkers/cwe_476.mli
+++ b/src/checkers/cwe_476.mli
 (** This module implements a check for CWE-476 (NULL Pointer Dereference).
-It checks if the result of a function that may return a NULL value is checked immediately
-for NULL. The symbols are configurable in config.json.
-See https://cwe.mitre.org/data/definitions/476.html for detailed description. *)
-val name: string
+    It checks if the result of a function that may return a NULL value is checked
+    for NULL before any memory gets accessed using the return values. The symbols
+    are configurable in config.json. See https://cwe.mitre.org/data/definitions/476.html
+    for detailed description.
+
+    Parameters:
+    - strict_call_policy={true, false}: Determines behaviour on call and return instructions.
+      If false, we assume that the callee, resp. the caller on a return instruction,
+      checks all unchecked values still contained in the registers. If true, every
+      unchecked value on a call or return instruction gets reported.
+    - max_steps=<num>: Max number of steps for the dataflow fixpoint algorithm.
+
+    Notes: The check relies on Bap-generated stubs to identify return registers of the
+    checked functions. Therefore it only works for functions for which Bap generates
+    these stubs. *)
+
+val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit
--- a/src/checkers/cwe_676.ml
+++ b/src/checkers/cwe_676.ml
@@ -35,7 +35,7 @@ let resolve_symbols prog symbols =
    Seq.filter ~f:(fun s -> List.exists ~f:(fun x -> x = Sub.name s) symbols)


-let check_cwe prog proj tid_map symbol_names =
+let check_cwe prog proj tid_map symbol_names _ =
  match symbol_names with
  | hd::[] ->
     let subfunctions = Term.enum sub_t prog in
@@ -43,4 +43,3 @@ let check_cwe prog proj tid_map symbol_names =
     get_calls_to_symbols cg subfunctions (resolve_symbols prog hd)
     |> print_calls ~tid_map:tid_map
  | _ -> failwith "[CWE676] symbol_names not as expected"
-
--- a/src/checkers/cwe_676.mli
+++ b/src/checkers/cwe_676.mli
@@ -5,4 +5,4 @@ See https://cwe.mitre.org/data/definitions/676.html for detailed description. *)
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit
--- a/src/checkers/cwe_782.ml
+++ b/src/checkers/cwe_782.ml
@@ -15,5 +15,5 @@ let handle_sub sub program tid_map symbols =
      else
        ()

-let check_cwe program proj tid_map symbols =
+let check_cwe program proj tid_map symbols _ =
  Seq.iter (Term.enum sub_t program) ~f:(fun s -> handle_sub s program tid_map symbols)
--- a/src/checkers/cwe_782.mli
+++ b/src/checkers/cwe_782.mli
@@ -4,4 +4,4 @@ https://cwe.mitre.org/data/definitions/782.html *)
 val name : string
 val version : string

-val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> unit
+val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t ->  string list list -> string list -> unit
--- a/src/config.json
+++ b/src/config.json
@@ -95,6 +95,10 @@
  "CWE476": {
    "_comment": "any function that possibly returns a NULL value.",
    "_comment1": "included functions of the following libs: stdlib.h, locale.h, stdio.h, cstring.h, wchar.h",
+    "parameters": [
+      "strict_call_policy=true",
+      "max_steps=100"
+    ],
    "symbols": [
      "malloc",
      "calloc",

--- a/src/cwe_checker.ml
+++ b/src/cwe_checker.ml
@@ -7,24 +7,25 @@ open Yojson.Basic.Util
 include Self()

 type cwe_module = {
-    cwe_func :  Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list ->  unit;
+    cwe_func :  Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> string list -> unit;
    name : string;
    version : string;
    requires_pairs : bool;
+    has_parameters : bool;
  }

-let known_modules = [{cwe_func = Cwe_190.check_cwe; name = Cwe_190.name; version = Cwe_190.version; requires_pairs = false};
-                     {cwe_func = Cwe_215.check_cwe; name = Cwe_215.name; version = Cwe_215.version; requires_pairs = false};
-                     {cwe_func = Cwe_243.check_cwe; name = Cwe_243.name; version = Cwe_243.version; requires_pairs = true};
-                     {cwe_func = Cwe_248.check_cwe; name = Cwe_248.name; version = Cwe_248.version; requires_pairs = false};
-                     {cwe_func = Cwe_332.check_cwe; name = Cwe_332.name; version = Cwe_332.version; requires_pairs = true};
-                     {cwe_func = Cwe_367.check_cwe; name = Cwe_367.name; version = Cwe_367.version; requires_pairs = true};
-                     {cwe_func = Cwe_426.check_cwe; name = Cwe_426.name; version = Cwe_426.version; requires_pairs = false};
-                     {cwe_func = Cwe_457.check_cwe; name = Cwe_457.name; version = Cwe_457.version; requires_pairs = false};
-                     {cwe_func = Cwe_467.check_cwe; name = Cwe_467.name; version = Cwe_467.version; requires_pairs = false};
-                     {cwe_func = Cwe_476.check_cwe; name = Cwe_476.name; version = Cwe_476.version; requires_pairs = false};
-                     {cwe_func = Cwe_676.check_cwe; name = Cwe_676.name; version = Cwe_676.version; requires_pairs = false};
-                     {cwe_func = Cwe_782.check_cwe; name = Cwe_782.name; version = Cwe_782.version; requires_pairs = false}]
+let known_modules = [{cwe_func = Cwe_190.check_cwe; name = Cwe_190.name; version = Cwe_190.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_215.check_cwe; name = Cwe_215.name; version = Cwe_215.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_243.check_cwe; name = Cwe_243.name; version = Cwe_243.version; requires_pairs = true; has_parameters = false};
+                     {cwe_func = Cwe_248.check_cwe; name = Cwe_248.name; version = Cwe_248.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_332.check_cwe; name = Cwe_332.name; version = Cwe_332.version; requires_pairs = true; has_parameters = false};
+                     {cwe_func = Cwe_367.check_cwe; name = Cwe_367.name; version = Cwe_367.version; requires_pairs = true; has_parameters = false};
+                     {cwe_func = Cwe_426.check_cwe; name = Cwe_426.name; version = Cwe_426.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_457.check_cwe; name = Cwe_457.name; version = Cwe_457.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_467.check_cwe; name = Cwe_467.name; version = Cwe_467.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_476.check_cwe; name = Cwe_476.name; version = Cwe_476.version; requires_pairs = false; has_parameters = true};
+                     {cwe_func = Cwe_676.check_cwe; name = Cwe_676.name; version = Cwe_676.version; requires_pairs = false; has_parameters = false};
+                     {cwe_func = Cwe_782.check_cwe; name = Cwe_782.name; version = Cwe_782.version; requires_pairs = false; has_parameters = false}]

 let build_version_sexp () =
  List.map known_modules ~f:(fun cwe -> Format.sprintf "(\"%s\" \"%s\")" cwe.name cwe.version)
@@ -36,15 +37,18 @@ let print_module_versions () =
    (build_version_sexp ())

 let execute_cwe_module cwe json program project tid_address_map =
+  let parameters = match cwe.has_parameters with
+    | false -> []
+    | true -> Json_utils.get_parameter_list_from_json json cwe.name in
   if cwe.requires_pairs = true then
     begin
       let symbol_pairs = Json_utils.get_symbol_lists_from_json json cwe.name in
-       cwe.cwe_func program project tid_address_map symbol_pairs
+       cwe.cwe_func program project tid_address_map symbol_pairs parameters
     end
   else
     begin
       let symbols = Json_utils.get_symbols_from_json json cwe.name in
-       cwe.cwe_func program project tid_address_map [symbols]
+       cwe.cwe_func program project tid_address_map [symbols] parameters
     end

 let partial_run project config modules =

--- a/src/utils/json_utils.ml
+++ b/src/utils/json_utils.ml
@@ -23,3 +23,10 @@ let get_symbol_lists_from_json json cwe =
  |> filter_member "pairs"
  |> flatten
  |> List.map ~f:(fun l -> List.map (to_list l) ~f:to_string)
+
+let get_parameter_list_from_json json cwe =
+  [json]
+  |> filter_member cwe
+  |> filter_member "parameters"
+  |> flatten
+  |> List.map ~f:to_string
--- a/src/utils/json_utils.mli
+++ b/src/utils/json_utils.mli
@@ -2,3 +2,4 @@

 val get_symbol_lists_from_json : Yojson.Basic.json -> string -> string list list
 val get_symbols_from_json : Yojson.Basic.json -> string -> string list
+val get_parameter_list_from_json : Yojson.Basic.json -> string -> string list
--- a/test/artificial_samples/cwe_476.c
+++ b/test/artificial_samples/cwe_476.c
 #include <stdlib.h>

 void func1(){
-  void* data = malloc(20);
+  void* data = malloc(20000);
  if (data == NULL){
    exit(42);
  }
@@ -9,7 +9,8 @@ void func1(){
 }

 void func2(){
- void* data = malloc(20);
+ int* data = malloc(200000);
+ printf("%i", data[0]);
 free(data);
 }


--- a/test/artificial_samples/makefile
+++ b/test/artificial_samples/makefile
@@ -10,114 +10,117 @@ CPP_ARM=arm-linux-gnueabi-g++-5
 CPP_MIPS=mips-linux-gnu-g++-5
 CPP_PPC=powerpc-linux-gnu-g++-5

-CFLAGS_X64=-O0 -g -fno-stack-protector -std=c11
-CFLAGS_X86=-O0 -g -m32 -fno-stack-protector -std=c11
-CFLAGS_ARM=-O0 -g -fno-stack-protector -std=c11
-CFLAGS_MIPS=-O0 -g -fno-stack-protector -std=c11
-CFLAGS_PPC=-O0 -g -fno-stack-protector -std=c11
-
-CPPFLAGS_X64=-O0 -g -fno-stack-protector
-CPPFLAGS_X86=-O0 -g -m32 -fno-stack-protector
-CPPFLAGS_ARM=-O0 -g -fno-stack-protector
-CPPFLAGS_MIPS=-O0 -g -fno-stack-protector
-CPPFLAGS_PPC=-O0 -g -fno-stack-protector
+CFLAGS_X64=-g -fno-stack-protector -std=c11
+CFLAGS_X86=-g -m32 -fno-stack-protector -std=c11
+CFLAGS_ARM=-g -fno-stack-protector -std=c11
+CFLAGS_MIPS=-g -fno-stack-protector -std=c11
+CFLAGS_PPC=-g -fno-stack-protector -std=c11
+
+CPPFLAGS_X64=-g -fno-stack-protector
+CPPFLAGS_X86=-g -m32 -fno-stack-protector
+CPPFLAGS_ARM=-g -fno-stack-protector
+CPPFLAGS_MIPS=-g -fno-stack-protector
+CPPFLAGS_PPC=-g -fno-stack-protector
+
+OPTIMIZE=-O3
+NO_OPTIMIZE=-O0

 define compile_x64
 	@echo "Compiling x64 target:" $(1)
-	$(CC_x64) $(CFLAGS_X64) -o build/$(1)_x64.out $(1).c
+	$(CC_x64) $(CFLAGS_X64) $(2) -o build/$(1)_x64.out $(1).c
 	 execstack -s build/$(1)_x64.out
 endef

 define compile_x64_cpp
 	@echo "Compiling x64 target:" $(1)
-	$(CPP_x64) $(CPPFLAGS_X64) -o build/$(1)_x64.out $(1).cpp
+	$(CPP_x64) $(CPPFLAGS_X64) $(2) -o build/$(1)_x64.out $(1).cpp
 	execstack -s build/$(1)_x64.out
 endef

 define compile_x86
 	@echo "Compiling x86 target:" $(1)
-	$(CC_X86) $(CFLAGS_X86) -o build/$(1)_x86.out $(1).c
+	$(CC_X86) $(CFLAGS_X86) $(2) -o build/$(1)_x86.out $(1).c
 	execstack -s build/$(1)_x86.out
 endef

 define compile_x86_cpp
 	@echo "Compiling x86 target:" $(1)
-	$(CPP_X86) $(CPPFLAGS_X86) -o build/$(1)_x86.out $(1).cpp
+	$(CPP_X86) $(CPPFLAGS_X86) $(2) -o build/$(1)_x86.out $(1).cpp
 	execstack -s build/$(1)_x86.out
 endef

 define compile_mips
 	@echo "Compiling mips target:" $(1)
-	$(CC_MIPS) $(CFLAGS_MIPS) -o build/$(1)_mips.out $(1).c
+	$(CC_MIPS) $(CFLAGS_MIPS) $(2) -o build/$(1)_mips.out $(1).c
 	execstack -s build/$(1)_mips.out
 endef

 define compile_mips_cpp
 	@echo "Compiling mips target:" $(1)
-	$(CPP_MIPS) $(CPPFLAGS_MIPS) -o build/$(1)_mips.out $(1).cpp
+	$(CPP_MIPS) $(CPPFLAGS_MIPS) $(2) -o build/$(1)_mips.out $(1).cpp
 	execstack -s build/$(1)_mips.out
 endef

 define compile_arm
 	@echo "Compiling arm target:" $(1)
-	$(CC_ARM) $(CFLAGS_ARM) -o build/$(1)_arm.out $(1).c
+	$(CC_ARM) $(CFLAGS_ARM) $(2) -o build/$(1)_arm.out $(1).c
 	execstack -s build/$(1)_arm.out
 endef

 define compile_arm_cpp
 	@echo "Compiling arm target:" $(1)
-	$(CPP_ARM) $(CPPFLAGS_ARM) -o build/$(1)_arm.out $(1).cpp
+	$(CPP_ARM) $(CPPFLAGS_ARM) $(2) -o build/$(1)_arm.out $(1).cpp
 	execstack -s build/$(1)_arm.out
 endef

 define compile_ppc
 	@echo "Compiling ppc target:" $(1)
-	$(CC_PPC) $(CFLAGS_PPC) -o build/$(1)_ppc.out $(1).c
+	$(CC_PPC) $(CFLAGS_PPC) $(2) -o build/$(1)_ppc.out $(1).c
 	execstack -s build/$(1)_ppc.out
 endef

 define compile_ppc_cpp
 	@echo "Compiling ppc target:" $(1)
-	$(CPP_PPC) $(CPPFLAGS_PPC) -o build/$(1)_ppc.out $(1).cpp
+	$(CPP_PPC) $(CPPFLAGS_PPC) $(2) -o build/$(1)_ppc.out $(1).cpp
 	execstack -s build/$(1)_ppc.out
 endef

 define compile_all
 	$(shell mkdir -p "build")
-	$(call compile_x64,$(1))
-	$(call compile_x86,$(1))
-	$(call compile_arm,$(1))
-	$(call compile_mips,$(1))
-	$(call compile_ppc,$(1))
+	$(call compile_x64,$(1),$(2))
+	$(call compile_x86,$(1),$(2))
+	$(call compile_arm,$(1),$(2))
+	$(call compile_mips,$(1),$(2))
+	$(call compile_ppc,$(1),$(2))
 endef

 define compile_all_cpp
 	$(shell mkdir -p "build")
-	$(call compile_x64_cpp,$(1))
-	$(call compile_x86_cpp,$(1))
-	$(call compile_arm_cpp,$(1))
-	$(call compile_mips_cpp,$(1))
-	$(call compile_ppc_cpp,$(1))
+	$(call compile_x64_cpp,$(1),$(2))
+	$(call compile_x86_cpp,$(1),$(2))
+	$(call compile_arm_cpp,$(1),$(2))
+	$(call compile_mips_cpp,$(1),$(2))
+	$(call compile_ppc_cpp,$(1),$(2))
 endef

 all:
-	$(call compile_all,c_constructs)
-	$(call compile_all,cwe_190)
-	$(call compile_all,cwe_243)
-	$(call compile_all,cwe_243_clean)
-	$(call compile_all_cpp,cwe_248)
-	$(call compile_all,cwe_332)
-	$(call compile_all,cwe_367)
-	$(call compile_all,cwe_415)
-	$(call compile_all,cwe_426)
-	$(call compile_all,cwe_457)
-	$(call compile_all,cwe_467)
-	$(call compile_all,cwe_476)
-	$(call compile_all,cwe_478)
-	$(call compile_all,cwe_676)
-	$(call compile_x64,cwe_782)
-	$(call compile_all,arrays)
-	$(call compile_all,memory_access)
+	$(call compile_all,c_constructs,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_190,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_243,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_243_clean,$(NO_OPTIMIZE))
+	$(call compile_all_cpp,cwe_248,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_332,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_367,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_415,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_426,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_457,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_467,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_476,$(OPTIMIZE))
+	$(call compile_all,cwe_478,$(NO_OPTIMIZE))
+	$(call compile_all,cwe_676,$(NO_OPTIMIZE))
+	$(call compile_x64,cwe_782,$(NO_OPTIMIZE))
+	$(call compile_all,arrays,$(NO_OPTIMIZE))
+	$(call compile_all,memory_access,$(NO_OPTIMIZE))

 clean:
 	rm -rf build