Bug Hunting & Linting Activity
------------------------------

0) setup
  * run a Ubuntu 16.04 LTS or later VM
    - get help on Piazza if you don't know how to do this
    - you'll _definitely_ want a VM for HW 2 anyway
  * install static analysis tools
    - see "Tool Install Script" below
  * clone your repository to the VM
    - you are using git, right?
    - or use scp (or whatever) to get the source to the VM

1) run tools to find bugs in your HW 1 code
  * see "Running the Tools" below
  * keep an inventory of all bugs found
    - see "Inventory Example" below
  * DO NOT FIX THEM _yet_.

2) try to exploit the bugs you find
  * e.g. "buffer overflow" --> try to get that buffer to actually overflow
    - this may require some effort to trace HOW to do it
    - it may not actually be possible (static analysis can't see the whole picture)
  * make test cases out of successful exploits
    - e.g. {"tests":[{"input":"logappend -T 1 -K secret -A -D -F log","output":""}]}

3) fix the bugs and lint found
  * this could take hours to days
  * after every bug fix, re-run your test cases to make sure you didn't break
    anything else (regression testing)

4) re-run the tools on your fixed HW 1 code
  * make a new inventory of all bugs found
  * some "bugs" may not be "fixable" -- because they're false positives
  * some bugs may not get fixed because of time or skill -- that's OK

5) submit your first and last inventories (and any exploits you found)
  * you should be able to fix at least 1 bug
    - unless you only have false positives
    - unless you got very unlucky and found none (no bugs found means there
      are almost certainly bugs that were not found; that is a worse position
      than knowing what and where the bugs are)
  * you should be able to fix a majority of the lint issues
    - some of these fixes can be carried out by advanced find+replace
      (e.g. using sed)
  * file names: {bug,lint}_inventory_{init,final}.txt
    - bug_inventory_init.txt
    - bug_inventory_final.txt
    - lint_inventory_init.txt
    - lint_inventory_final.txt
  * if you want to keep the changes you made (you probably should), commit and
    push them back to your repo (or scp the files back, whatever)

Tool Install Script
-------------------

sudo apt-get install python3-pip cppcheck llvm clang
sudo pip3 install flawfinder cpplint

VERSION=0.15.0
curl -sSL "https://github.com/facebook/infer/releases/download/v$VERSION/infer-linux64-v$VERSION.tar.xz" | sudo tar -C /opt -xJ && sudo ln -s "/opt/infer-linux64-v$VERSION/bin/infer" /usr/local/bin/infer

# rats needs expat to build, so expat is built first
DIR=$(pwd)
cd /opt
sudo wget http://downloads.sourceforge.net/project/expat/expat/2.0.1/expat-2.0.1.tar.gz
sudo tar -xvf expat-2.0.1.tar.gz
cd expat-2.0.1
sudo ./configure && sudo make && sudo make install
cd /opt
sudo wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/rough-auditing-tool-for-security/rats-2.4.tgz
sudo tar -xzvf rats-2.4.tgz
cd rats-2.4
sudo ./configure && sudo make && sudo make install
cd "$DIR"

Note that the curl and wget lines download unauthenticated archives (the expat
one over plain http) and then unpack and build them as root. On a throwaway VM
that is acceptable; anywhere else, compare the archive checksums against the
ones published by the projects before extracting.

Running the Tools
-----------------

cd /PATH/TO/secure_log/build

# bug hunting
flawfinder .
cppcheck .
rats .
make clean; scan-build make
make clean; infer run -- make

# linting
cpplint *.cpp *.h

Inventory Example
-----------------

file          | line # | tool       | issue
--------------+--------+------------+-----------------
common.h      |    531 | infer      | NULL_DEREFERENCE
logappend.cpp |    299 | flawfinder | (buffer) sprintf: Does not check for buffer overflows (CWE-120)
common.h      |    281 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
common.h      |    282 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
common.h      |    317 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
common.h      |    321 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
common.h      |    331 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
common.h      |    335 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
logappend.cpp |    235 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
logappend.cpp |    236 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
logappend.cpp |    247 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
logappend.cpp |    248 | flawfinder | (buffer) memcpy: Does not check for buffer overflows (CWE-120)
logappend.cpp |    298 | flawfinder | (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)
common.h      |    531 | flawfinder | (buffer) read: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).
...

(keep the bugs organized!)

cpplint results
---------------

logappend.cpp:0:  No copyright message found.  You should have a line: "Copyright [year] <Copyright Owner>"  [legal/copyright] [5]
logappend.cpp:1:  Include the directory when naming .h files  [build/include_subdir] [4]
logappend.cpp:6:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:6:  At least two spaces is best between code and comments  [whitespace/comments] [2]
logappend.cpp:7:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:7:  At least two spaces is best between code and comments  [whitespace/comments] [2]
logappend.cpp:8:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:9:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:10:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:11:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:11:  Line ends in whitespace.  Consider deleting these extra spaces.  [whitespace/end_of_line] [4]
logappend.cpp:12:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:12:  At least two spaces is best between code and comments  [whitespace/comments] [2]
logappend.cpp:13:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:17:  Tab found; better to use spaces  [whitespace/tab] [1]
logappend.cpp:17:  Lines should be <= 80 characters long  [whitespace/line_length] [2]
...
Total errors found: 1260

(just copy-paste the results from the terminal)
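What steps 2 through 4 look like on the two CWE-120 patterns that dominate the inventory above (sprintf and memcpy into fixed-size buffers), as an added example that is not code from this handout or from any secure_log submission: each flagged pattern sits next to a bounds-checked replacement, one memcpy hit is shown as the kind of false positive step 4 tells you to record rather than "fix", and the step 2 exploit attempt is turned into a regression check. The Entry struct, its field sizes and the line format are assumptions for illustration; the real log layout is not given on this page.

```cpp
// Added example, not from the course handout or any student's secure_log code.
// Entry, its field sizes and the "timestamp name" line format are assumed.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

struct Entry {
    uint32_t timestamp;
    char     name[32];   // assumed fixed-size field
};

// BEFORE (what a "sprintf: Does not check for buffer overflows" hit looks
// like): a name longer than about 50 bytes overflows line[64]. Kept only to
// show what the tool flagged; never call it with untrusted input.
void format_entry_unsafe(const Entry& e, char line[64]) {
    sprintf(line, "%u %s", e.timestamp, e.name);   // CWE-120
}

// AFTER: snprintf bounds the write and returns the length it needed, so a
// line that would not fit is reported to the caller instead of silently
// truncated (or, with sprintf, written past the end of the buffer).
bool format_entry_safe(const Entry& e, char* line, size_t cap) {
    int n = snprintf(line, cap, "%u %s", e.timestamp, e.name);
    return n >= 0 && static_cast<size_t>(n) < cap;
}

// BEFORE: memcpy with a length taken from the input (CWE-120).
void set_name_unsafe(Entry& e, const char* src, size_t len) {
    memcpy(e.name, src, len);
}

// AFTER: check len against the destination, and keep the NUL terminator so
// a later %s cannot read past the field.
bool set_name_safe(Entry& e, const char* src, size_t len) {
    if (len >= sizeof e.name) return false;   // leave room for '\0'
    memcpy(e.name, src, len);
    e.name[len] = '\0';
    return true;
}

// flawfinder flags this memcpy too, but the copy is a fixed sizeof(out)
// bytes into a field of exactly that size, and the source length is checked
// first. This is the kind of hit to list as a false positive in the final
// inventory rather than rewrite. (Host byte order; no endianness handling.)
bool decode_timestamp(const uint8_t* buf, size_t buflen, uint32_t& out) {
    if (buflen < sizeof out) return false;
    memcpy(&out, buf, sizeof out);
    return true;
}

// Step 2 exploit attempt kept as a step 3 regression test: feed the oversized
// name the tool warned about and confirm the safe path rejects it and leaves
// the field untouched.
bool regression_long_name() {
    Entry e{};
    std::string long_name(100, 'A');   // constructed attack input
    bool accepted = set_name_safe(e, long_name.data(), long_name.size());
    return !accepted && e.name[0] == '\0';
}

int main() {
    Entry e{};
    e.timestamp = 1;
    set_name_safe(e, "secret", 6);
    char line[64];
    std::printf("%s\n", format_entry_safe(e, line, sizeof line) ? line : "(too long)");
    std::printf("regression: %s\n", regression_long_name() ? "pass" : "FAIL");
    return 0;
}
```

The unsafe functions are deliberately never exercised; the point of keeping them beside the fixed versions is that a line-by-line diff of the two is exactly what the final inventory should let a grader reconstruct.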