New training benchmark 07.

This benchmark mostly reproduces the benchmark 06; The key difference
is that it replaces of uses of Java libraries by locally defined
classes. It thus simplifies and boost development of the
data-flow-sensitive instrumenter as the program is still small (no need
to load libraries) and does not suffer from the issue of functions
without bodies (if we do not load libraries e.g. with the benchmark 06).

Author: marek-trtik

benchmarks/TRAINING/diffblue/.gitignore

@@ -19,3 +19,6 @@ taint_traces_05/dist
 taint_traces_06/build
 taint_traces_06/dist
 
+taint_traces_07/build
+taint_traces_07/dist
+

benchmarks/TRAINING/diffblue/taint_traces_07/build.xml

@@ -0,0 +1,29 @@
+<project name="taint_traces_07" basedir="." default="jar">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+  <property name="install.dir"   value="${root.dir}/dist"/>
+
+  <target name="jar">
+    <antcall target="compile" />
+    <mkdir dir="${install.dir}"/>
+    <jar destfile="${install.dir}/taint_traces_07.jar" basedir="${classes.dir}" />
+  </target>  
+  
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on">
+    </javac>
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+    <delete dir="${install.dir}"/>
+  </target>
+
+
+</project>
+
+

benchmarks/TRAINING/diffblue/taint_traces_07/test.java

@@ -0,0 +1,153 @@
+package training07;
+
+class BBB
+{
+  int bbb;
+  private byte[] s;
+  public BBB() {
+    bbb = 0;
+    s = new byte[10];
+  }
+}
+
+class DDD extends BBB
+{
+  int ddd;
+  private byte[] ss = new byte[20];
+}
+
+class XXX {
+    public DDD ddd;
+};
+
+class String {
+  public String() {
+    this.bytes = new byte[1];
+    this.bytes[0] = 0;
+  }
+  public String(byte[] data, int shift, int count) {
+    this.bytes = new byte[count];
+    for (int i = 0; i != count; ++i)
+      this.bytes[i] = data[shift + i];
+  }
+  public byte[] getBytes() {
+    byte[] result = new byte[this.bytes.length];
+    for (int i = 0; i != result.length; ++i)
+      result[i] = this.bytes[i];
+    return result;
+  }
+  private byte[] bytes;
+}
+
+class InputStream {
+  public InputStream(String init) {
+    this.s = init.getBytes();
+  }
+  int read(byte[] data, int shift, int count) {
+    for (int i = shift; i != count; ++i)
+      data[i] = this.s[i];
+    return count;
+  }
+  private byte[] s;
+  int a1;
+  int a2;
+  int a3;
+  int a4;
+  int a5;
+  int a6;
+  int a7;
+  int a8;
+  int a9;
+}
+
+class OutputStream {
+  public OutputStream() {
+    this.s = new byte[100];
+  }
+  public void write(byte[] data, int shift, int count) {
+    for (int i = 0; i != count; ++i)
+      this.s[i] = data[i];
+  }
+  public void write(byte[] data) {
+    write(data,0,data.length);
+  }
+  private byte[] s;
+}
+
+class ServletInputStream extends InputStream {
+  public ServletInputStream() {
+    super(new String());
+  }
+}
+
+class ServletOutputStream extends OutputStream {
+}
+
+class HttpServletRequest {
+  public HttpServletRequest() {
+    this.s = new ServletInputStream();
+  }
+  public InputStream getInputStream() {
+    return s;
+  }
+  private ServletInputStream s;
+}
+
+class HttpServletResponse {
+  public HttpServletResponse() {
+    this.s = new ServletOutputStream();
+  }
+  public OutputStream getOutputStream() {
+    return s;
+  }
+  private ServletOutputStream s;
+}
+
+class HttpServlet {
+  public void doGet(HttpServletRequest request, HttpServletResponse response) {}
+}
+
+public class test extends HttpServlet {
+
+  @Override
+  public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    InputStream in0 = getInStream(request);
+    InputStream in = in0;
+    byte[] data = new byte[2048];
+    int size = getBytes(data,in);
+    String str0 = new String(data, 0, size);
+    String str = str0;
+    //str = sanitise(str);
+    OutputStream out0 = getOutStream(response);
+    OutputStream out = out0;
+    out.write(data,0,size);
+    out.write(str.getBytes());
+    foo();
+  }
+
+  private InputStream getInStream(HttpServletRequest request) {
+    return request.getInputStream();
+  }
+
+  private int getBytes(byte[] data, InputStream in) {
+    return in.read(data, 0, data.length);
+  }
+
+  private String sanitise(String str) {
+      //str = str.replace("<","&lt;");
+      //str = str.replace(">","&gt;");
+      //return str;
+      return new String();
+  }
+
+  private OutputStream getOutStream(HttpServletResponse response) {
+    return response.getOutputStream();
+  }
+  
+  public void foo() {
+    XXX xxx = new XXX();
+    xxx.ddd = new DDD();
+  }
+}
+
+

benchmarks/TRAINING/diffblue/taint_traces_07_evaluator.json

@@ -0,0 +1,45 @@
+{
+    "sources-dir": "TRAINING/diffblue/taint_traces_07",
+    "install-dir": "TRAINING/diffblue/taint_traces_07/dist",
+    "results-dir": "TRAINING/diffblue/RESULTS/taint_traces_07",
+    "temp-dir": "TRAINING/diffblue/TEMP/taint_traces_07",
+    "rules-file": "TRAINING/diffblue/taint_traces_07_rules.json",
+    "name": "taint_traces_07",
+    "category": "TRAINING",
+    "source": "DiffBlue",
+    "installer": "__benchmark_installer_TRAINING_diffblue",
+    "custom-options-for-security-scanner": "--rebuild --verbosity 0 --dump-html-summaries --dump-html-statistics --dump-html-slice --dump-html-program --data-flow-insensitive-instrumentation",
+    "expected-results":
+        {
+            "error-traces-json": "search_for_error_traces/error_traces.json",
+            "data":
+                [
+                    {
+                        "error_traces": {
+                            "cbmc": [
+                                "search_for_error_traces/error_trace_0.json"
+                            ], 
+                            "symex": []
+                        }, 
+                        "file": "training07/test.java", 
+                        "function": "java::training07.test.doGet:(Ltraining07/HttpServletRequest;Ltraining07/HttpServletResponse;)V", 
+                        "goto_binary_file": "program_slicing/instrumented_goto_program_0.gbf", 
+                        "line": 123
+                    },
+                    {
+                        "error_traces": {
+                            "cbmc": [
+                                "search_for_error_traces/error_trace_0.json"
+                            ], 
+                            "symex": []
+                        }, 
+                        "file": "training07/test.java", 
+                        "function": "java::training07.test.doGet:(Ltraining07/HttpServletRequest;Ltraining07/HttpServletResponse;)V", 
+                        "goto_binary_file": "program_slicing/instrumented_goto_program_0.gbf", 
+                        "line": 124
+                    }
+                ]
+        }
+}
+
+

benchmarks/TRAINING/diffblue/taint_traces_07_rules.json

@@ -0,0 +1,106 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Streams returned by getInputStream on ServletRequest are tainted",
+        "class": "training07.HttpServletRequest",
+        "method": "getInputStream:()Ltraining07/InputStream;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted stream"
+        }
+      },
+      {
+        "comment": "Read from tainted stream gives tainted string",
+        "class": "training07.InputStream",
+        "method": "read:([BII)I",
+        "input": {
+          "location": "this",
+          "taint": "Tainted stream"
+        },
+        "result": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Construction from an array of tainted bytes gives a tainted string",
+        "class": "training07.String",
+        "method": "<init>:([BII)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Bytes obtained from a tainted string are tainted.",
+        "class": "training07.String",
+        "method": "getBytes:()[B",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "returns",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Streams returned by getOutputStream on ServletResponse are vulnerable",
+        "class": "training07.HttpServletResponse",
+        "method": "getOutputStream:()Ltraining07/OutputStream;",
+        "result": {
+          "location": "returns",
+          "vulnerability": "Vulnerable stream"
+        }
+      },
+      {
+        "comment": "Writing potentially tainted bytes (in a given range) to a vulnerable stream is a sink.",
+        "class": "training07.OutputStream",
+        "method": "write:([BII)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "sinkTarget": {
+          "location": "this",
+          "vulnerability": "Vulnerable stream"
+        }
+      },
+      {
+        "comment": "Writing potentially tainted bytes (the whole array) to a vulnerable stream is a sink.",
+        "class": "training07.OutputStream",
+        "method": "write:([B)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "sinkTarget": {
+          "location": "this",
+          "vulnerability": "Vulnerable stream"
+        },
+        "message": "Unescaped HTML potentially written back to browser"
+      },
+      {
+        "comment": "Calling sanitise on a tainted string removes all taint from it.",
+        "class": "training07.test",
+        "method": "sanitise:(Ltraining07/String;)Ltraining07/String;",
+        "sanitizes": {
+          "taint": "Tainted string",
+          "location": "return_value"
+        }
+      }
+    ]
+}
+
+