Merge pull request diffblue#170 from diffblue/feature/cmdline_option_old_instrumenter

SEC-5: Introducing a command-line option --use-old-instrumentation.

Author: marek-trtik

benchmarks/TRAINING/diffblue/taint_traces_01_evaluator.json

@@ -8,7 +8,7 @@
     "category": "TRAINING",
     "source": "DiffBlue",
     "installer": "__benchmark_installer_TRAINING_diffblue",
-    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program",
+    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program --data-flow-insensitive-instrumentation",
     "expected-results":
         {
             "error-traces-json": "search_for_error_traces/error_traces.json",

benchmarks/TRAINING/diffblue/taint_traces_02_evaluator.json

@@ -8,7 +8,7 @@
     "category": "TRAINING",
     "source": "DiffBlue",
     "installer": "__benchmark_installer_TRAINING_diffblue",
-    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program",
+    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program --data-flow-insensitive-instrumentation",
     "expected-results":
         {
             "error-traces-json": "search_for_error_traces/error_traces.json",

benchmarks/TRAINING/diffblue/taint_traces_03_evaluator.json

@@ -8,7 +8,7 @@
     "category": "TRAINING",
     "source": "DiffBlue",
     "installer": "__benchmark_installer_TRAINING_diffblue",
-    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program",
+    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program --data-flow-insensitive-instrumentation",
     "expected-results":
         {
             "error-traces-json": "search_for_error_traces/error_traces.json",

benchmarks/TRAINING/diffblue/taint_traces_04_evaluator.json

@@ -8,7 +8,7 @@
     "category": "TRAINING",
     "source": "DiffBlue",
     "installer": "__benchmark_installer_TRAINING_diffblue",
-    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program",
+    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program --data-flow-insensitive-instrumentation",
     "expected-results":
         {
             "error-traces-json": "search_for_error_traces/error_traces.json",

benchmarks/TRAINING/diffblue/taint_traces_05_evaluator.json

@@ -8,7 +8,7 @@
     "category": "TRAINING",
     "source": "DiffBlue",
     "installer": "__benchmark_installer_TRAINING_diffblue",
-    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program",
+    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program --data-flow-insensitive-instrumentation",
     "expected-results":
         {
             "error-traces-json": "search_for_error_traces/error_traces.json",

benchmarks/TRAINING/diffblue/taint_traces_06_evaluator.json

@@ -8,7 +8,7 @@
     "category": "TRAINING",
     "source": "DiffBlue",
     "installer": "__benchmark_installer_TRAINING_diffblue",
-    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program",
+    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program --data-flow-insensitive-instrumentation",
     "expected-results":
         {
             "error-traces-json": "search_for_error_traces/error_traces.json",

security-scanner/analyser.py

@@ -29,6 +29,7 @@ def run_security_analyser(
         dump_html_slice,
         dump_html_program,
         verbosity,
+        data_flow_insensitive_instrumentation,
         results_dir,
         temp_root_dir
         ):
@@ -55,7 +56,8 @@ def run_security_analyser(
         "timeout": timeout,
         "verbosity": verbosity,
         "output-dir": "./",
-        "temp-dir": os.path.relpath(temp_root_dir,results_dir)
+        "temp-dir": os.path.relpath(temp_root_dir,results_dir),
+        "data-flow-insensitive-instrumentation": data_flow_insensitive_instrumentation
     }
     if dump_html_summaries:
         root_config_json["dump_html_summaries"] = True

security-scanner/run.py

@@ -57,6 +57,13 @@ def __parse_cmd_line():
     parser.add_argument("--verbosity", type=int, default=9,
                         help="It specifies how many debugging messages will be printed to the standard output stream "
                              "during the analysis.")
+    parser.add_argument("--data-flow-insensitive-instrumentation", action="store_true",
+                        help="If specified, then the tool 'security-analyser' will use the data-flow insensitive "
+                             "instrumentation of the checked properties into the output GOTO programs. In that case"
+                             "the propagation of taint information will only be control-flow sensitive. The advantage "
+                             "of this data-flow insensitive instrumentation is that it allows more aggressive program "
+                             "slicing and so smaller programs for CBMC to analyse, i.e. considerably faster analysis. "
+                             "The disadvantage is that some of the generated error traces might be false positives.")
     return parser.parse_args()
 
 
@@ -97,6 +104,7 @@ def evaluate(cmdline):
             cmdline.dump_html_slice,
             cmdline.dump_html_program,
             cmdline.verbosity,
+            cmdline.data_flow_insensitive_instrumentation,
             cmdline.results_dir,
             os.path.abspath(os.path.join(cmdline.temp_dir,"GOTO-ANALYSER-TEMP"))
             )

src/taint-analysis/taint_config.cpp

@@ -21,6 +21,7 @@ taint_configt::taint_configt(const std::string &cfg_fname)
   , dump_html_statistics(false)
   , dump_html_slice(false)
   , dump_html_program(false)
+  , data_flow_insensitive_instrumentation(false)
 {
 }
 
@@ -196,34 +197,12 @@ bool taint_configt::load(message_handlert &handler)
         verbosity=std::atoi(attr_it->second.value.c_str());
   }
 
-  {
-    auto attr_it=cfg.object.find("dump_html_summaries");
-    if (attr_it==cfg.object.cend())
-        dump_html_summaries=false;
-    else
-        dump_html_summaries=attr_it->second.is_true();
-  }
-  {
-    auto attr_it=cfg.object.find("dump_html_statistics");
-    if (attr_it==cfg.object.cend())
-        dump_html_statistics=false;
-    else
-        dump_html_statistics=attr_it->second.is_true();
-  }
-  {
-    auto attr_it=cfg.object.find("dump_html_slice");
-    if (attr_it==cfg.object.cend())
-        dump_html_slice=false;
-    else
-        dump_html_slice=attr_it->second.is_true();
-  }
-  {
-    auto attr_it=cfg.object.find("dump_html_program");
-    if (attr_it==cfg.object.cend())
-        dump_html_program=false;
-    else
-        dump_html_program=attr_it->second.is_true();
-  }
+  dump_html_summaries=cfg["dump_html_summaries"].is_true();
+  dump_html_statistics=cfg["dump_html_statistics"].is_true();
+  dump_html_slice=cfg["dump_html_slice"].is_true();
+  dump_html_program=cfg["dump_html_program"].is_true();
+  data_flow_insensitive_instrumentation=
+    cfg["data-flow-insensitive-instrumentation"].is_true();
 
   return false;
 }

src/taint-analysis/taint_config.h

@@ -95,6 +95,11 @@ class taint_configt
     return dump_html_program;
   }
 
+  bool use_data_flow_insensitive_instrumentation() const
+  {
+    return data_flow_insensitive_instrumentation;
+  }
+
 private:
   taint_configt() = delete;
   taint_configt(const taint_configt &) = delete;
@@ -115,6 +120,7 @@ class taint_configt
   bool dump_html_statistics;
   bool dump_html_slice;
   bool dump_html_program;
+  bool data_flow_insensitive_instrumentation;
 };
 
 

src/taint-analysis/taint_security_scanner.cpp

@@ -178,7 +178,7 @@ bool taint_do_security_scan(
           "SLICER"),
         &statistics,
         &logger);
-      slicer.compute_slice();
+      slicer.compute_slice(config.use_data_flow_insensitive_instrumentation());
     }
 
     if(config.is_html_dump_of_program_slice_enabled())

src/taint-slicer/instrumenter.cpp

@@ -41,10 +41,17 @@ static std::string generate_fresh_automaton_variable_for_token(
 taint_instrumentert::taint_instrumentert(
   const taint_instrumentation_propst &props,
   const taint_programt *const in_program,
-  taint_statisticst *const in_statistics)
+  taint_statisticst *const in_statistics,
+  const bool use_data_flow_insensitive_instrumentation)
   : program(in_program)
   , statistics(in_statistics)
+  , use_data_flow_insensitive_version(use_data_flow_insensitive_instrumentation)
 {
+  // The next line must be here in order to prevent clang produce the error:
+  //    `error: private field 'use_data_flow_insensitive_version' is not used
+  //     [-Werror,-Wunused-private-field]`
+  (void)use_data_flow_insensitive_version;
+
   assert(program!=nullptr);
   assert(statistics!=nullptr);
 

src/taint-slicer/instrumenter.h

@@ -52,7 +52,8 @@ class taint_instrumentert
   taint_instrumentert(
     const taint_instrumentation_propst &props,
     const taint_programt * const in_program,
-    taint_statisticst * const in_statistics);
+    taint_statisticst * const in_statistics,
+    const bool use_data_flow_insensitive_instrumentation);
 
   const goto_functionst &get_instrumented_functions() const
   { return instrumented_functions; }
@@ -92,6 +93,7 @@ class taint_instrumentert
   symbol_tablet instrumented_symbol_table;
   std::map<taint_tokent::namet, automaton_variable_idt>
     from_tokens_to_vars;
+  bool use_data_flow_insensitive_version;
 };
 
 typedef taint_instrumentert::automaton_variable_idt

src/taint-slicer/slicer.cpp

@@ -42,7 +42,8 @@ taint_slicert::taint_slicert(
   fileutl_create_directory(this->temp_dir);
 }
 
-void taint_slicert::compute_slice()
+void taint_slicert::compute_slice(
+  const bool use_data_flow_insensitive_instrumentation)
 {
   taint_map_from_rules_to_their_application_sitest
     map_from_functions_to_rule_application_sites;
@@ -97,7 +98,10 @@ void taint_slicert::compute_slice()
   for(std::size_t i=0UL, n=instrumentation_props.size(); i!=n; ++i)
   {
     const taint_instrumentert instrumenter(
-      instrumentation_props.at(i),program,statistics);
+      instrumentation_props.at(i),
+      program,
+      statistics,
+      use_data_flow_insensitive_instrumentation);
     const std::pair<taint_slicing_taskt,std::string> task_valid=
       build_slicing_task(
         instrumentation_props.at(i),

src/taint-slicer/slicer.h

@@ -48,7 +48,7 @@ class taint_slicert
    propagation graph (see member @tokens_propagation_graph).
 
   \*******************************************************************/
-  void compute_slice();
+  void compute_slice(const bool use_data_flow_insensitive_instrumentation);
 
 private:
   taint_slicert(const taint_slicert &)=delete;