DE102021206045A1 - Computer-implemented method and device for detecting code deficits in a program code of a software - Google Patents

Abstract

The invention relates to a computer-implemented method for finding code deficits in a program code (1) to be examined, having the following steps: - providing (S1) a code property graph (3) for the program code (1) to be examined; - queries ( S3) of the code property graph (3) with one or more search queries in order to find sensitive code positions as potential code deficits (4);- determining (S4) one or more functions and/or methods that identify the sensitive code positions contain, and one or more input variables that have an influence on the existence of the potential code deficits (4); - respective execution (S10) of a symbolic execution method (5) on each of the one or more specific functions and/or Methods, in each case the one or more specific input variables are assumed symbolically, the symbolic execution method (5) being carried out in order to in each case have one or more predetermined ones checking deficit properties or one or more predetermined deficit conditions;- if the one or more predetermined deficit properties or one or more predetermined deficit conditions are met, indicating (S6) the corresponding code deficit (6) and a value of the respective one or more input variables of the considered function or method, which meet the one or more deficit properties or the one or more predetermined deficit conditions, as a result of the respective symbolic execution method (5).

Description

technical field

The invention relates to methods for automatically finding code deficits, such as weak points, possible attacks and errors in a software code.

Technical background

Code Property Graphs (CPG) are used to map properties of a program code in a graph data structure. They are formed by analyzing the program code by storing an abstract syntax tree, a control flow graph and a program dependency graph in a common graph. A CPG is stored in a graph database and can be examined by searching queries in a dedicated search language. This search language allows searching for patterns in the graph, such as B. Data flows from input variables to expressions of a specific syntax. This can be used to find potential code vulnerabilities in the software, as per F. Yamaguchi et al., "Modeling and discovering vulnerabilities with code property graphs", In Proceedings of the 35th IEEE Symposium on Security and Privacy (S&P), 2014 .is known.

Disclosure of Invention

According to the invention, a method for finding code deficits in a program code according to claim 1 and a corresponding device according to the independent claim are provided.

Further developments are specified in the dependent claims.

• - Bereitstellen eines Code Property Graphen für den zu untersuchenden Programmcode;
• - Abfragen des Code Property Graphen mit einer oder mehreren Suchabfragen, um sensitive Code-Positionen als potenzielle Code-Defizite aufzufinden;
• - Bestimmen einer oder mehrerer Funktionen und/oder Methoden, die die sensitiven Code-Positionen enthalten, und einer oder mehrerer Eingangsvariablen, die einen Einfluss auf das Vorliegen der potenziellen Code-Defizite haben;
• - jeweiliges Ausführen eines Symbolic Execution-Verfahrens auf jeweils die eine oder die mehreren bestimmten Funktionen und/oder Methoden, wobei jeweils die eine oder die mehreren bestimmten Eingangsvariablen symbolisch angenommen werden, wobei das Symbolic Execution-Verfahren ausgeführt wird, um jeweils eine oder mehrere vorgegebene Defizit-Eigenschaften oder eine oder mehrere vorgegebene Defizit-Bedingungen zu überprüfen;
• - wenn die eine oder die mehreren vorgegebenen Defizit-Eigenschaften oder die eine oder die mehreren vorgegebenen Defizit-Bedingungen erfüllt sind, Angeben des entsprechenden Code-Defizits und eines Werts der jeweiligen einen oder mehreren Eingangsvariablen der betrachteten Funktion oder Methode, die die eine oder die mehreren Defizit-Eigenschaften oder die eine oder die mehreren vorgegebenen Defizit-Bedingungen erfüllen, als Ergebnis des jeweiligen Symbolic Execution-Verfahrens.

According to a first aspect, a computer-implemented method for finding code deficits in a program code to be examined is provided, with the following steps:

• - Providing a code property graph for the program code to be examined;
• - Query the code property graph with one or more search queries to find sensitive code positions as potential code deficits;
• - determining one or more functions and/or methods that contain the sensitive code positions and one or more input variables that have an impact on the existence of the potential code deficits;
• - respective execution of a symbolic execution method on each of the one or more specific functions and/or methods, the one or more specific input variables being assumed symbolically, the symbolic execution method being executed for one or more specified ones verify deficit properties or one or more predetermined deficit conditions;
• - if the one or more predetermined deficit properties or the one or more predetermined deficit conditions are met, specifying the corresponding code deficit and a value of the respective one or more input variables of the considered function or method that the one or the multiple deficit properties or satisfying one or more predetermined deficit conditions as a result of the respective symbolic execution procedure.

In particular, when the symbolic execution method is executed in each case for the one or more specific functions and/or methods, only precisely that or those specific input variables that have an influence on the presence of the potential code deficits can be symbolically accepted.

Basically, there is a great need to determine and localize code deficits in a software code. Such code deficits correspond to code positions, i. H. Positions in the program code where illegal operations, such as positions of possible divisions by zero, illegal calls to external code components, such as illegal SQL calls, and the like take place. It is desirable that such code deficits in a program code can be detected in an automated manner.

A common way to find code deficits is to use a symbolic execution technique. Symbolic execution is a code analysis technique in which program code is executed symbolically for selected variables. In symbolic program code execution, variables that are considered symbols are not assigned concrete values, but are symbolically assumed to be algebraic variables and used in calculation formulas.

The values that these symbolic variables should take on to achieve specific pieces of code can then be found by solving for these shapes. Thus, instead of assuming concrete values for the variables, they are treated as symbols, and the code segment that uses the Symbols used, modeled as one or more deficit properties and/or one or more deficit conditions, in particular in the form of Satisfiability Modulo Theory (SMT) queries or formulas. These formulas are then solved using an SMT solver to determine one or more concrete values that trigger a particular code segment that may contain a code deficit. The one or more predetermined deficit properties or the one or more predetermined deficit conditions can be understood as criteria that lead to an incorrect execution of the program code.

In principle, the symbolic execution method is very well suited to uncovering code deficits, especially when all input variables are considered symbolically. However, a disadvantage of the symbolic execution method is that the method becomes very computationally expensive when the number of input variables that are considered as symbols becomes very large.

Therefore, the Symbolic Execution method is usually used in such a way that only part of the input variables are considered as symbols. These are usually selected manually by an expert, and thus user intervention or user contribution is required to detect code deficits. There is a risk that relevant input variables that are not considered symbolically will be overlooked.

Code Property Graphs (CPG) can also be used to find data flows. CPGs are data structures designed to search large program code for code patterns. To this end, these code patterns can be described in a domain-specific language (DSL) based on Scala. CPG serves as a common inter-program representation across a variety of programming languages. CPGs are a generic abstraction of program code and are composed of nodes that represent program constructs (methods, variables and control structures) and their node types, labeled edges, the relationships between the program constructs, i.e. between any two related nodes, where the label indicates the type of relationship, as well as key-value pairs that are assigned to the nodes as attributes and that depend on the node type.

CPGs have the disadvantage that these code path conditions or the range of values that a considered variable can assume at a specific code position cannot be taken into account. This leads to the detection of false positives when using CPG to find code deficits.

According to the above method, the program code is analyzed using CPG to find code positions that may be problematic and may contain a code deficit. The CPG is determined by analyzing the program code, with the resulting graphs being stored in a graph database.

The CPG is then searched for potential code deficits in the program code using predefined search queries. The search queries result in potential code deficits, the code positions, such as e.g. B. Lines of code and variables where an error may occur, such as an arithmetic expression that involves division and a variable that results in division by zero. Since false positives are often determined when using CPG to find code positions, a verification procedure based on the symbolic execution procedure is used.

The Symbolic Execution method checks the potential code deficits in the form of the code positions and variables as input variables to determine whether the potential code deficit actually corresponds to a code deficit. To do this, the symbolic execution method is only applied to the part of the program code that contains the potential code deficit, usually to the function or method that contains the code position of the potential code deficit.

Evidence that a code deficit exists in the considered function or method is based on the nature of the potential code deficit to be checked, which underlies the selection of the considered function or method, and the deficit properties associated with it and/or deficit conditions. For example, if the function involves division by an expression involving a variable, this represents a potential code deficit because the expression involving the variable can potentially be null. The deficit condition, which then results from this potential code deficit, then corresponds to the condition that the expression with the variable assumes the value zero.

As another example, if a line of code contains an access to an array data structure using an index variable, there is a code deficit if the index variable is less than 0, or greater than the allocated size of the array.

The deficit condition then corresponds to the condition that the index variable is less than 0 or greater than the size of the array.

As another example, if a line of code contains a reference access to an object or recordset (data structures), there is a code deficit if the referenced location was previously freed, does not contain an object of the expected type, or is set to "Null " indicates. Similarly, the deficit constraint defines that the memory location being referenced does not contain a valid object or recordset.

If the symbolic execution procedure can prove that the code deficit does not exist, the code deficit found by analyzing the CPGs corresponds to a false positive and can be discarded.

Otherwise, i.e. a code deficit was detected, the symbolic execution method can be applied to the next larger part of the program code, i. H. the Symbolic Execution technique will be applied to the higher-level functions that call the previously examined functions or methods. In other words, the one or more functions and / or methods that contain the sensitive code positions, further include one or more functions and / or methods that call the one or more functions and / or methods in which a code deficit was detected.

This continues until either the potential code deficit is identified as a false positive or program path conditions are determined for the variables that identify the code deficit as actual code deficit. In the simplest case, the analysis ends when the program entry point, i.e. the "main" function, is reached and the code deficit is not recognized as a false positive. If the program being analyzed is a program library, then the "main" function does not exist. In this case, the procedure is terminated when a function has been analyzed that is offered by the library to a using program (e.g. in Java methods marked as "public", in C functions described in header files).

If the symbolic execution method is used to determine program path conditions for the variables that identify the code deficit as an actual code deficit, then corresponding input variables are generated that trigger the erroneous behavior. As a result of the method, confirmed code deficiencies can be output together with path conditions and/or values of input quantities demonstrating the erroneous behavior.

The main idea of the above method is to find data flows to code positions that may contain code deficits and to identify the relevant variables in the program code. These variables can then be applied to the program code as symbolic variables for the symbolic execution method.

The above method thus makes it possible to provide a fully automated method for finding actual code deficiencies using CPGs to determine those variables that will be used as symbolic variables in a subsequent Symbolic Execution method. Thus, the symbolic execution method can be applied in a targeted manner to parts of the program code to be examined and only relevant variables can be used as symbolic variables. This keeps the state space for applying the symbolic execution technique limited, making the execution of the method more efficient than applying the symbolic execution technique to all variables as symbolic variables. By combining the detection of potential code deficits with the symbolic execution method, the computing time can be significantly reduced on the one hand and the entire method can be carried out automatically on the other.

character list

• 1 eine schematische Darstellung einer Blockdarstellung eines Verfahrens zum Ermitteln von Code-Defiziten in einem Programmcode; und
• 2 ein Flussdiagramm zur Veranschaulichung eines beispielhaften Verfahrens zum Ermitteln von Code-Defiziten in einem Programmcode.

Embodiments are explained in more detail below with reference to the accompanying drawings. Show it:

• 1 a schematic representation of a block representation of a method for determining code deficits in a program code; and
• 2 a flowchart to illustrate an exemplary method for determining code deficits in a program code.

Description of Embodiments

1 illustrates the basic procedure for the automated detection of code deficits in a program code 1. The program code is created using suitable tools 2, such as joern from ShiftLeft. converted into a Code Property Graph 3 and searched through suitable queries for sensitive code positions. The result is potential code deficits 4 that correspond to the sensitive code positions of the search result.

Determining the code positions where potential code deficits exist can be done using a syntax search and identifying variables used in the considered syntax searches. The code positions determined by the syntax search are determined as the sensitive code positions if input quantities of the program code can modify these sensitive code positions. For this purpose, a data flow query is carried out for each sensitive code position in order to check whether an input variable has an influence on the corresponding code position. When a data flow is found, the result is a sequence of all program instructions from the input source to the target code position that affect the data at the target position, ie affect the variable under consideration.

Examples of sensitive positions as potential code deficits 4 are, for example, functions that involve memory accesses, such as MEMCPY or STRNCPY in the C programming language, field (array) accesses that are indexed by variables, calls with non-constant arguments from external components, such as of SQL databases, and divisions by variables that can potentially take on the value zero.

This results in potential code deficits 4, which correspond to positions in the program code where there is potentially an error, an uncertainty or another weak point.

The potential code deficits 4 result in those variables which are to be examined more closely as symbolic variables in a symbolic execution method 5 in order to confirm the presence of an actual code deficit 6 at the corresponding code position.

In 2 an exemplary method is described in detail using a flowchart.

In step S1, a program code to be analyzed is first specified. The program code can be specified in any programming language, but also as byte or machine code. This program code is provided as Code Property Graphs (CPG).

In step S2, a deficit list is specified as an empty list. The deficit list generally corresponds to a list of potential code deficits and inputs that cause those code deficits.

In step S3, a number of predefined syntax queries are first made in the code property graph in order to find potential code positions as search hits, at which a code deficit could be present. As described above, these queries correspond to the queries for the sensitive code positions.

In step S4, the functions and/or methods in which the potential code positions are located are written into a function list according to the potential code position.

Furthermore, the respective code positions of the potential code deficits are assigned to the identified functions and methods of the program code.

In step S5 it is checked whether the function list is empty. If this is the case (alternative: yes), the deficit list with the code deficits found is output in step S6 and the method is then terminated. If it is determined in step S5 that the function list is not empty (alternative: no), the method continues with step S7.

In step S7 one of the entries in the function list is selected and in step S8 the selected function or the selected feature is removed from the function list.

In step S9, a query is carried out in the code property graph in order to find one or more of the input variables of the selected function or the selected method that have an influence on the sensitive code position with the potential code deficit.

In step S10, a symbolic execution method is then carried out with respect to the input variables determined in step S9, in which all input variables found for the selected function or the selected method are regarded as symbols.

In step S11 it is checked according to predefined deficit properties and conditions whether a code deficit was found by executing the symbolic execution method. If this is the case (alternative: yes), the method is continued with step S12, otherwise (alternative: no) a jump is made back to step S5.

For generic deficit properties (e.g. division by 0), the conditions are defined manually in a catalog independently of the program (this happens once for "division by 0" and can be reused in any analysis.) This generic deficit condition is then either created when the formula in the frame ment of the symbolic execution method is added to the generated formula, or the program is supplemented with a line of code for analysis purposes that programmatically contains this condition (eg an assert(x != 0)). The results of both methods are equivalent. Depending on the tool that is used for symbolic execution, there are other options (eg specially marked comments in Java), which, however, essentially work with the same mechanisms.

In step S12, the code deficit list is supplemented by the code deficit found and the input variables that cause this code deficit. For this purpose, a specific value is specified for the corresponding input variable, which leads to the faulty behavior of the program code.

In a subsequent step S13, superordinate functions are determined for the function in which faulty behavior has been determined, using a Code Property Graph query, which call up the previously found faulty function and add this to a list of additional functions.

In step S14 it is checked whether the list of additional functions is empty. If this is the case (alternative: yes), the method is continued with step S5, otherwise the list of additional functions is added to the function list and a jump is then made back to step S5.

The method thus processes all functions with potential code deficits using a separate symbolic execution method, which is only executed on part of the program code with only selected variables that are considered symbolically. By successively considering higher-level functions and methods, dependencies between the functions and/or methods can also be examined.

Claims (8)

Computer-implemented method for finding code deficits in a program code to be examined (1), with the following steps: - Providing (S1) a code property graph (3) for the program code (1) to be examined; - Queries (S3) of the code property graph (3) with one or more search queries in order to locate sensitive code positions as potential code deficits (4); - Determine (S4) one or more functions and/or methods containing the sensitive code positions and one or more input variables that have an impact on the existence of the potential code deficits (4) in the one or more functions and /or have methods; - Respective execution (S10) of a symbolic execution method (5) on each of the one or more specific functions and/or methods, the one or more specific input variables being assumed symbolically, the symbolic execution method (5) is executed to check one or more predetermined deficit properties or one or more predetermined deficit conditions, respectively; - If the one or more predetermined deficit properties or the one or more predetermined deficit conditions are met, specifying (S6) the corresponding code deficit (6) and a value of the respective one or more input variables of the function or method considered , which meet the one or more deficit properties or the one or more predetermined deficit conditions, as a result of the respective symbolic execution method (5). procedure after claim 1 , wherein the one or more predetermined deficit properties or the one or more predetermined deficit conditions represent criteria that lead to incorrect execution of the program code. procedure after claim 1 or 2 , wherein the one or more functions and/or methods containing the sensitive code locations further comprise one or more functions and/or methods that call the one or more functions and/or methods in which a code deficit was identified. Procedure according to one of Claims 1 until 3 , where the potential code deficits (4) include at least one of the following functions or function parts: a function involving memory access, a function involving array access indexed by a variable, a call to a external component with a non-constant argument and a division by a variable that can possibly be zero. Procedure according to one of Claims 1 until 4 , wherein in the respective execution (S10) of the symbolic execution method (5) on the one or more specific functions and/or methods, only that or those specific input variables are symbolically accepted that have an influence on the presence of the potential code have deficits (4). Device for carrying out one of the methods according to one of the preceding claims. Computer program product, comprising instructions which, when the program is executed by a computer, cause the latter to carry out the steps of the method according to one of Claims 1 until 5 to execute. A machine-readable storage medium comprising instructions which, when executed by a computer, cause the computer to perform the steps of the method of any one of Claims 1 until 5 to execute.

Images