Merge pull request diffblue#101 from trtikm/security_scanner__extended_expressivity_PR

Security scanner: Initial implementation of the extended expressivity.

Author: marek-trtik

regression/december_demo_sprint/TRAINING/taint_traces_06/APP/README.txt

@@ -0,0 +1,13 @@
+taint_traces_05
+~~~~~~~~~~~~~~~
+
+This is a training benchmarks. It won't be part of the evaluation. Also, this is not Maven
+application (actually it uses Ant). But this fact does not affect it use as a training bemchmark.
+
+Installation on Ubuntu
+
+1. Open terminal in the root directory of the souce code (there should be a file "build.xml")
+   and run there this command: ant
+
+Resulting JAR file is automatically copied into directory ../BENCHMARK, which is a destination
+already consistent with this evaluation. So, no other steps are necessary.

regression/december_demo_sprint/TRAINING/taint_traces_06/APP/roots.json

@@ -0,0 +1,4 @@
+[
+  "taint_test.test.doGet"
+]
+

regression/december_demo_sprint/TRAINING/taint_traces_06/APP/taint.json

@@ -0,0 +1,20 @@
+[
+  {
+    "id": "my_source",
+    "kind": "source",
+    "where": "return_value",
+    "immediate": true,
+    "taint": "X1",
+    "function": "TaintSource.get_tainted_int"
+  },
+  {
+    "id": "my_sink",
+    "kind": "sink",
+    "where": "parameter1",
+    "immediate": true,
+    "taint": "X1",
+    "function": "TaintSink.receive_taint",
+    "message": "Unescaped HTML written to DAO"
+  }
+]
+

regression/december_demo_sprint/TRAINING/taint_traces_06/APP/taint_traces_06/build.xml

@@ -0,0 +1,35 @@
+<project name="taint_traces_06" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}"/>
+  <property name="classes.dir"   value="${root.dir}/classes"/>
+  <property name="serverlib.dir" value="/home/marek/Software/apache-tomcat-9.0.0.M11/lib"/>
+  <property name="install.dir"   value="${root.dir}/../../BENCHMARK"/>
+
+  <path id="server.lib">
+    <fileset dir="${serverlib.dir}">
+      <include name="servlet*.jar"/>
+    </fileset>
+  </path>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/taint_traces_06.war" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+      <classpath refid="server.lib"/>
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+  </target>
+
+
+</project>
+

regression/december_demo_sprint/TRAINING/taint_traces_06/APP/taint_traces_06/test.java

@@ -0,0 +1,299 @@
+package taint_test;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.IOException;
+
+
+/*
+
+** State transformation rules **
+
+Rule no.  Sink?  Base class        Method/operator    Assumptions on args         Effect
+
+0         false  ServletRequest    getInputStream     (*)                         RET -> {1}
+
+1         false  InputStream       read               ({0},*,*,*)                 ARG1 -> {2}
+
+2         false  String            String             ({2},*,*)                   RET -> {3}
+
+3         false  String            charAt             ({3},*)                     RET -> {4}
+
+4         false  String            replace            (*,"<",#)                   ARG0 -> BOTTOM
+
+5         false  ServletResponse   getOutputStream    (*)                         RET -> {6}
+
+6         true   OutputStream      write              ({6},{2},*,*)
+
+7         true   OutputStream      write              ({6},{3})
+
+8         true   OutputStream      write              ({6},{4})
+
+9         false  java.util.List    add                (*,{3})                     ARG0 -> {ARG0}+{3}
+
+10        false  java.util.List    add                (*,{4})                     ARG0 -> {ARG0}+{4}
+
+*/
+public class test extends javax.servlet.http.HttpServlet {
+
+    /*
+    Input map:
+      request -> T1
+      response -> T2
+    Summary:
+    */
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) {
+        // request -> T1
+        // response -> T2
+
+        java.io.InputStream in0 = getInStream(request); // rule: IMPLICIT - applying summary and assignment
+
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+
+        java.io.InputStream in = in0; // rule: IMPLICIT - copy ref
+
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+
+        byte[] data = new byte[2048]; // rule: IMPLICIT - new
+
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+
+        int size = getBytes(data,in); // rule: IMPLICIT - applying summary and assignment
+
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+        // data -> {2}
+
+        String str0 = new String(data, 0, size); // rule: 2
+        
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+        // data -> {2}
+        // str0 -> {3}
+       
+        String str = str0; // rule: IMPLICIT - copy ref
+
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+        // data -> {2}
+        // str0 -> {3}
+        // str -> {3}
+
+        char c = str.charAt(size / 2); // rule: 3
+
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+        // data -> {2}
+        // str0 -> {3}
+        // str -> {3}
+        // c -> {4}
+
+        sanitise(str); // rule: IMPLICIT - applying summary
+
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+        // data -> {2}
+        // c -> {4}
+
+        java.io.OutputStream out0 = getOutStream(response); // rule: IMPLICIT - applying summary and assignment
+        
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+        // data -> {2}
+        // c -> {4}
+        // out0 -> {6}
+        
+        java.io.OutputStream out = out0; // rule: IMPLICIT - copy ref
+        
+        // request -> T1
+        // response -> T2
+        // in0 -> {1}
+        // in -> {1}
+        // data -> {2}
+        // c -> {4}
+        // out0 -> {6}
+        // out -> {6}
+
+        try {
+
+          out.write(data,0,size); // rule: 6 !SINK!
+
+          // request -> T1
+          // response -> T2
+          // in0 -> {1}
+          // in -> {1}
+          // data -> {2}
+          // c -> {4}
+          // out0 -> {6}
+          // out -> {6}
+
+          out.write(str.getBytes()); // rule: 7 !SINK!
+
+          // request -> T1
+          // response -> T2
+          // in0 -> {1}
+          // in -> {1}
+          // data -> {2}
+          // c -> {4}
+          // out0 -> {6}
+          // out -> {6}
+
+          out.write(c); // rule: 8 !SINK!
+
+          // request -> T1
+          // response -> T2
+          // in0 -> {1}
+          // in -> {1}
+          // data -> {2}
+          // c -> {4}
+          // out0 -> {6}
+          // out -> {6}
+
+        } catch(java.io.IOException e) {}
+    }
+
+    /*
+    Input map:
+      request -> T3
+    Summary:
+      return_value -> {1}
+    */
+    private java.io.InputStream getInStream(HttpServletRequest request) {
+        try {
+
+          // request -> T3
+
+          return request.getInputStream(); // rule: 0
+
+          // request -> T3
+          // return_value -> {1}
+
+        } catch(java.io.IOException e) {
+          return null;
+        }
+    }
+
+    /*
+    Input map:
+      data -> T4
+      in -> T5
+    Summary:
+      data -> ITE({1} in T5,{2},BOTTOM)
+    */
+    private int getBytes(byte[] data, java.io.InputStream in) {
+        try {
+
+          // data -> T4
+          // in -> T5
+
+          return in.read(data, 0, data.length); // rule: 1
+
+          // data -> ITE({1} in T5,{2},BOTTOM)
+          // in -> T5
+
+        } catch(java.io.IOException e) {
+          return 0;
+        }
+    }
+
+    /*
+    Input map:
+      str -> T6
+    Summary:
+      str -> BOTTOM
+    */
+    private void sanitise(String str) {
+
+        // str -> T6
+
+        str.replace("<","&lt;"); // rule: 4
+
+        // str -> BOTTOM
+
+        str.replace(">","&gt;"); // rule: IMPLICIT - identity
+
+        // str -> BOTTOM
+    }
+
+    /*
+    Input map:
+      response -> T7
+    Summary:
+      return_value -> {6}
+    */
+   private java.io.OutputStream getOutStream(HttpServletResponse response) {
+        try {
+          // response -> T7
+          
+          return response.getOutputStream(); // rule: 5
+
+          // response -> T7
+          // return_value -> {6}
+
+        } catch(java.io.IOException e) {
+          return null;
+        }
+    }
+
+    
+    /*
+    Input map:
+      ss -> {3}
+      cc -> {4}
+    Summary:
+      return_value -> {3,4}
+    */
+    private java.util.List foo(String ss,  Character cc) {
+    
+        // ss -> {3}
+        // cc -> {4}
+        
+        java.util.List<java.lang.Object> L = new java.util.ArrayList<java.lang.Object>(); // rule: IMPLICIT - new
+
+        // ss -> {3}
+        // cc -> {4}
+        
+        L.add(ss); // rule: 9
+
+        // ss -> {3}
+        // cc -> {4}
+        // L -> {3}
+
+        L.add(cc); // rule: 
+
+        // ss -> {3}
+        // cc -> {4}
+        // L -> {3,4}
+        
+        return L;
+
+        // ss -> {3}
+        // cc -> {4}
+        // L -> {3,4}
+    }
+}
+

regression/december_demo_sprint/goto-analyzer/run.py

@@ -271,6 +271,7 @@ def __main():
             os.path.abspath(os.path.join(__get_my_dir(), "..", "TRAINING/taint_traces_03")),
             os.path.abspath(os.path.join(__get_my_dir(), "..", "TRAINING/taint_traces_04")),
             os.path.abspath(os.path.join(__get_my_dir(), "..", "TRAINING/taint_traces_05")),
+            os.path.abspath(os.path.join(__get_my_dir(), "..", "TRAINING/taint_traces_06")),
         ]
         toy_benchs = [
             os.path.abspath(os.path.join(__get_my_dir(), "..", "TOY_APPS/Fotoalbum")),

src/cbmc.files

@@ -699,11 +699,15 @@ goto-analyzer/taint_summary_json.cpp
 goto-analyzer/taint_summary_json.h
 goto-analyzer/taint_summary_libmodels.cpp
 goto-analyzer/taint_summary_libmodels.h
+goto-analyzer/taint_svalue.cpp
+goto-analyzer/taint_svalue.h
 goto-analyzer/taint_trace_recogniser.cpp
 goto-analyzer/taint_trace_recogniser.h
 goto-analyzer/taint_trace_dump_html.cpp
 goto-analyzer/taint_trace_dump_json.cpp
 goto-analyzer/taint_trace_dump.h
+goto-analyzer/taint_transition_rules.cpp
+goto-analyzer/taint_transition_rules.h
 goto-analyzer/unreachable_instructions.cpp
 goto-analyzer/unreachable_instructions.h
 goto-analyzer/taint_fast_analyser.cpp