Code one C Instrukcja Użytkownika Strona 11
- Strona / 15
- Spis treści
- BOOKMARKI
Oceniono. / 5. Na podstawie oceny klientów
We are unaware of any way to exploit this bug. Though
it is possible for an attacker to corrupt the task file, the at-
tacker has little control over the contents written into the
task file, since at only writes prompts to stderr. Nonethe-
less, this blemish may cause serious problems if future
versions of at write user-supplied strings to stderr.
We also found similar problems in Apache, OpenSSH,
Samba, and VixieCron.
4.3. Temporary File Vulnerability
sshd in OpenSSH sshd makes temporary files using the
secure function mkstemp. It, however, forgets to call
umask(077) before calling mkstemp. This may in-
troduce a vulnerability when used with older versions of
glibc, where mkstemp creates unique temporary files that
are readable and writable by everyone (mode 0666).
5. Experience and Lessons
Checking real, large software packages requires a great
deal of engineering effort. In our experiments, we quickly
discovered that we needed to improve MOPS’s error re-
porting and to automate the build process of software
packages for MOPS before we could practically analyze
large software packages. This forced us to extend MOPS
in two key areas: error reporting and build integration.
5.1. Improvement on MOPS’s Error Reporting
When MOPS finds potential violations of security prop-
erties in a program, it reports error traces, which are use-
ful to the programmers for identifying errors in the pro-
gram. Since MOPS is conservative, it may report false
positive traces, i.e. traces that in fact do not violate secu-
rity properties but that are misconceived as violations due
to MOPS’s imprecise analysis. It is left up to the user to
decide which error traces are real and which are false pos-
itives. In its first implementation, MOPS could only re-
port one error trace for each violated property. Because of
this restriction, the presence of a false positive trace effec-
tively prevented MOPS from reporting further, possibly
real, traces. To overcome this problem, MOPS must be
able to report multiple, and ideally all, error traces. How-
ever, we also discovered that a single programming error
can cause many, sometimes infinitely many, traces, so it is
undesirable or impractical to report all of them. We con-
cluded that what we really want is for MOPS to show all
programming errors by reporting one error trace as a wit-
ness to each programming error. This approach satisfies
our seemingly contradictory desires to review all the pro-
gramming errors and to avoid reviewing redundant error
traces.
We consider two different error traces as witnesses to
the same programming error if both traces make transi-
tions to an identical error state e from an identical non-
error state s at an identical program point p. The unique
programming error that both these traces witness is rep-
resented by the tuple (e, s, p).
10
Using this definition, for
each unique programming error (e, s, p), MOPS searches
for only one shortest error trace as a witness and reports it
if it exists. This improvement provided orders of magni-
tude reduction in the number of error traces that the user
was forced to examine. For example, it gave us the fairly
small number of total traces reported in Figure 7.
This approach is more precise than the one used by Ball
et al. for localizing errors in model checking [2]. The
major difference is that our approach distinguishes each
unique programming error by a unique tuple of a program
point, the non-error state before the program point, and the
error state after the program point, but their approach dis-
tinguishes each error by just a unique program point. It is
clear that their approach is less precise because many pro-
gram points are shared by error traces and correct traces.
To illustrate the limitation of their approach, let us look
at each of the two alternative algorithms used in their ap-
proach. Their first algorithm considers all the program
points that are in some error traces but that are absent
from any correct traces as error causes. This algorithm
has the problem that it will overlook all the error causes
that are shared by error traces and correct traces. Their
second algorithm, intended to solve the above problem,
collects all the tuples (s, p), where p is a program point
and s is the state of the program at p, that are in some
error traces but that are absent from any correct traces.
Then, the algorithm considers all the program points in the
collected tuples as error causes. The drawback of this al-
gorithm is that it will mistakenly treat many innocent pro-
gram points as error causes. To illustrate the problem, let
t =(t
1
,t
2
,...,t
n
) be an error trace, where each element
in the trace is a tuple of a program point and a program
state, and let t
i
be the first element where the trace enters
an error state. Their algorithm will treat all the program
points in the tuples after t
i
on the trace as error causes,
even though many of them may not be error causes at all.
In summary, our approach is more precise in identifying
unique error causes.
5.2. Automated Build Process
One of our goals was to make it easy to check many
software packages. The core of MOPS consists of three
programs:
• mops
cc: a parser that takes a file containing
C source code and generates a Control Flow
Graph(CFG).
10
What constitutes a unique programming error is subjective and de-
batable. Here we use just one possible interpretation.
Powiązane produkty i podręczniki dla Wykrywacze dymu Code one C
(4 strony)© 2020, manymanuals.pl. Wszelkie prawa zastrzeżone. | 0.030 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Komentarze do niniejszej Instrukcji