Merge pull request diffblue#183 from diffblue/benchmarks/new_training_benchmark_07

marek-trtik · web-flow · commit a86c870f1706 · 2017-09-15T14:23:16.000+01:00
SEC-48: New training benchmark 07.
diff --git a/benchmarks/TRAINING/diffblue/.gitignore b/benchmarks/TRAINING/diffblue/.gitignore
@@ -19,3 +19,6 @@ taint_traces_05/dist
 taint_traces_06/build
 taint_traces_06/dist
 
+taint_traces_07/build
+taint_traces_07/dist
+
diff --git a/benchmarks/TRAINING/diffblue/taint_traces_07/build.xml b/benchmarks/TRAINING/diffblue/taint_traces_07/build.xml
@@ -0,0 +1,29 @@
+<project name="taint_traces_07" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/taint_traces_07.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>
+
+
diff --git a/benchmarks/TRAINING/diffblue/taint_traces_07/test.java b/benchmarks/TRAINING/diffblue/taint_traces_07/test.java
@@ -0,0 +1,132 @@
+package training07;
+
+class String {
+  public String() {
+    this.bytes = new byte[1];
+    this.bytes[0] = 0;
+  }
+  public String(byte[] data, int shift, int count) {
+    this.bytes = new byte[count];
+    for (int i = 0; i != count; ++i)
+      this.bytes[i] = data[shift + i];
+  }
+  public byte[] getBytes() {
+    byte[] result = new byte[this.bytes.length];
+    for (int i = 0; i != result.length; ++i)
+      result[i] = this.bytes[i];
+    return result;
+  }
+  private byte[] bytes;
+}
+
+class InputStream {
+  public InputStream(String init) {
+    this.s = init.getBytes();
+  }
+  int read(byte[] data, int shift, int count) {
+    for (int i = 0; i != count; ++i) {
+      if (i == this.s.length)
+        return i;
+      data[shift + i] = this.s[i];
+    }
+    return count;
+  }
+  private byte[] s;
+  int a1;
+  int a2;
+  int a3;
+  int a4;
+  int a5;
+  int a6;
+  int a7;
+  int a8;
+  int a9;
+}
+
+class OutputStream {
+  public OutputStream() {
+    this.s = new byte[100];
+  }
+  public void write(byte[] data, int shift, int count) {
+    for (int i = 0; i != count; ++i) {
+      if (i == this.s.length)
+        return;
+      this.s[i] = data[i];
+    }
+  }
+  public void write(byte[] data) {
+    write(data,0,data.length);
+  }
+  private byte[] s;
+}
+
+class ServletInputStream extends InputStream {
+  public ServletInputStream() {
+    super(new String());
+  }
+}
+
+class ServletOutputStream extends OutputStream {
+}
+
+class HttpServletRequest {
+  public HttpServletRequest() {
+    this.s = new ServletInputStream();
+  }
+  public InputStream getInputStream() {
+    return s;
+  }
+  private ServletInputStream s;
+}
+
+class HttpServletResponse {
+  public HttpServletResponse() {
+    this.s = new ServletOutputStream();
+  }
+  public OutputStream getOutputStream() {
+    return s;
+  }
+  private ServletOutputStream s;
+}
+
+class HttpServlet {
+  public void doGet(HttpServletRequest request, HttpServletResponse response) {}
+}
+
+public class test extends HttpServlet {
+
+  @Override
+  public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    InputStream in0 = getInStream(request);
+    InputStream in = in0;
+    byte[] data = new byte[2048];
+    int size = getBytes(data,in);
+    String str0 = new String(data, 0, size);
+    String str = str0;
+    str = sanitise(str);
+    OutputStream out0 = getOutStream(response);
+    OutputStream out = out0;
+    out.write(data,0,size);
+    out.write(str.getBytes());
+  }
+
+  private InputStream getInStream(HttpServletRequest request) {
+    return request.getInputStream();
+  }
+
+  private int getBytes(byte[] data, InputStream in) {
+    return in.read(data, 0, data.length);
+  }
+
+  private String sanitise(String str) {
+      //str = str.replace("<","&lt;");
+      //str = str.replace(">","&gt;");
+      //return str;
+      return new String();
+  }
+
+  private OutputStream getOutStream(HttpServletResponse response) {
+    return response.getOutputStream();
+  }
+}
+
diff --git a/benchmarks/TRAINING/diffblue/taint_traces_07_evaluator.json b/benchmarks/TRAINING/diffblue/taint_traces_07_evaluator.json
@@ -0,0 +1,33 @@
+{
+    "sources-dir": "TRAINING/diffblue/taint_traces_07",
+    "install-dir": "TRAINING/diffblue/taint_traces_07/dist",
+    "results-dir": "TRAINING/diffblue/RESULTS/taint_traces_07",
+    "temp-dir": "TRAINING/diffblue/TEMP/taint_traces_07",
+    "rules-file": "TRAINING/diffblue/taint_traces_07_rules.json",
+    "name": "taint_traces_07",
+    "category": "TRAINING",
+    "source": "DiffBlue",
+    "installer": "__benchmark_installer_TRAINING_diffblue",
+    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program --data-flow-insensitive-instrumentation",
+    "expected-results":
+        {
+            "error-traces-json": "search_for_error_traces/error_traces.json",
+            "data":
+                [
+                    {
+                        "error_traces": {
+                            "cbmc": [
+                                "search_for_error_traces/error_trace_0.json"
+                            ], 
+                            "symex": []
+                        }, 
+                        "file": "training07/test.java", 
+                        "function": "java::training07.test.doGet:(Ltraining07/HttpServletRequest;Ltraining07/HttpServletResponse;)V", 
+                        "goto_binary_file": "program_slicing/instrumented_goto_program_0.gbf", 
+                        "line": 109
+                    }
+                ]
+        }
+}
+
+
diff --git a/benchmarks/TRAINING/diffblue/taint_traces_07_rules.json b/benchmarks/TRAINING/diffblue/taint_traces_07_rules.json
@@ -0,0 +1,106 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Streams returned by getInputStream on ServletRequest are tainted",
+        "class": "training07.HttpServletRequest",
+        "method": "getInputStream:()Ltraining07/InputStream;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted stream"
+        }
+      },
+      {
+        "comment": "Read from tainted stream gives tainted string",
+        "class": "training07.InputStream",
+        "method": "read:([BII)I",
+        "input": {
+          "location": "this",
+          "taint": "Tainted stream"
+        },
+        "result": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Construction from an array of tainted bytes gives a tainted string",
+        "class": "training07.String",
+        "method": "<init>:([BII)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Bytes obtained from a tainted string are tainted.",
+        "class": "training07.String",
+        "method": "getBytes:()[B",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "returns",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Streams returned by getOutputStream on ServletResponse are vulnerable",
+        "class": "training07.HttpServletResponse",
+        "method": "getOutputStream:()Ltraining07/OutputStream;",
+        "result": {
+          "location": "returns",
+          "vulnerability": "Vulnerable stream"
+        }
+      },
+      {
+        "comment": "Writing potentially tainted bytes (in a given range) to a vulnerable stream is a sink.",
+        "class": "training07.OutputStream",
+        "method": "write:([BII)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "sinkTarget": {
+          "location": "this",
+          "vulnerability": "Vulnerable stream"
+        }
+      },
+      {
+        "comment": "Writing potentially tainted bytes (the whole array) to a vulnerable stream is a sink.",
+        "class": "training07.OutputStream",
+        "method": "write:([B)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "sinkTarget": {
+          "location": "this",
+          "vulnerability": "Vulnerable stream"
+        },
+        "message": "Unescaped HTML potentially written back to browser"
+      },
+      {
+        "comment": "Calling sanitise on a tainted string removes all taint from it.",
+        "class": "training07.test",
+        "method": "sanitise:(Ltraining07/String;)Ltraining07/String;",
+        "sanitizes": {
+          "taint": "Tainted string",
+          "location": "return_value"
+        }
+      }
+    ]
+}
+
+
