SUDS: An Infrastructure for Creating Bug Detection Tools
Eric Larson
Seattle University
October 1, 2007
What is SUDS?
• SUDS is an infrastructure to facilitate the construction of software bug detection tools.
• SUDS is primarily used to create dynamic bug detection tools.
• It contains static analysis phases used to improve / focus dynamic bug detection.
• At the heart of SUDS is a C to (instrumented) C converter.
Overview of SUDS (pipeline diagram)
Phases: Parse, Simplify, Analyze, Instrument (driven by an Instrumentation Model), Link
Artifacts: Program (preprocessed C source code) -> AST -> Simplified AST -> Analysis Results -> Instrumented Source Code -> Instrumented Executable
Static Analysis
• Standard compiler analyses
  • Control flow graph / call graph
  • Data flow analysis (mostly intraprocedural)
  • Flow-sensitive pointer analysis (Hind et al.)
• Tainted propagation
  • Propagates the tainted attribute of variables (forward)
  • User can modify the infrastructure to change what "tainted" means
• Program slicing
  • Propagates interesting uses backwards
  • User can modify the slicing criterion (can be all statements that have a given property or characteristic)
  • Context-insensitive
Instrumentation
• Direct SUDS where to add instrumentation.
  • Add instrumentation based on statement, expression, or event.
  • Support functions allow users to easily pass parameters into the instrumentation functions.
• Write the instrumentation routines.
  • Can use the provided state table: allows the instrumented program to keep track of additional state while the program is running.
  • Can take advantage of results from the static analysis phases.
Example of how SUDS is used
• Goal: To detect buffer overflows in array references that use data that came from input.
• Tainted analysis: All input data is tainted.
• Program slicing: All data that can lead to an array reference is in the slice.
• Instrumentation:
  • Track all arrays and their sizes.
  • Track pointers to arrays.
  • Track integers that are tainted and in the slice.
  • At array references, check for bugs.
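The following is an added illustration (not SUDS's own output or API) of what the instrumented C produced for this example could look like: a small state table records arrays and their sizes, and a check runs at each array reference whose index is tainted and in the slice. The suds_* names, the state-table layout, and the program fragment are assumptions made for the example.

```c
/* Added example: hand-written sketch of SUDS-style instrumentation for the
   tainted-array-reference check. suds_* names are hypothetical. */
#include <stddef.h>
#include <stdlib.h>

#define MAX_ARRAYS 16

/* State table: tracked arrays and their element counts (hypothetical layout). */
struct tracked_array { const void *base; size_t nelems; };
static struct tracked_array arrays[MAX_ARRAYS];
static int n_arrays;
static int bugs_found;

/* "Track all arrays and their sizes": called where an array comes into scope. */
void suds_track_array(const void *base, size_t nelems) {
    if (n_arrays < MAX_ARRAYS) {
        arrays[n_arrays].base = base;
        arrays[n_arrays].nelems = nelems;
        n_arrays++;
    }
}

/* "At array references, check for bugs": returns 1 if the reference is out of
   bounds. Only indices that are tainted (and therefore in the slice) are
   checked; an untainted index is never inspected, which is the intended focus. */
int suds_check_ref(const void *base, long index, int index_tainted) {
    if (!index_tainted) return 0;
    for (int i = 0; i < n_arrays; i++) {
        if (arrays[i].base != base) continue;
        if (index < 0 || (size_t)index >= arrays[i].nelems) { bugs_found++; return 1; }
        return 0;
    }
    return 0;  /* untracked array: nothing known, no report */
}

int suds_bug_count(void) { return bugs_found; }

/* Constructed program fragment with the instrumentation inserted. The index
   comes from input, so tainted propagation marks it tainted. */
int lookup(const char *input) {
    int table[8] = {0, 1, 2, 3, 4, 5, 6, 7};
    suds_track_array(table, 8);
    int idx = atoi(input);      /* tainted: derived from input */
    int idx_tainted = 1;
    if (suds_check_ref(table, idx, idx_tainted))
        return -1;              /* bug reported instead of reading out of bounds */
    return table[idx];
}
```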
Future Work
• Add phase(s) that attempt to detect bugs using static analysis.
  • Certain types of bugs can use data flow analysis but need to prune false alarms.
• Develop static analysis phases that improve the quality of dynamic bug detection, not just the performance.