Example/Tutorial: Custom Taint-Related Checks with the Extension API

• Overview
• Files
• iolibrary Functions
• Models
• Incorporating the Models
• Building and Analyzing the Project
• Extension Exercise

Overview

This example is based on a sample I/O library, with declarations in iolibrary.h and definitions in iolibrary.c.

We create CodeSonar models for some of the library functions. (The remaining functions do not require additional modeling work: they are implemented using libc functions with existing CodeSonar library models that provide sufficient checking and taint handling).

• All models call the underlying library function
• Several of the functions have taint-related properties that must be accounted for in the models.
  • There is one taint source, one taint sink, and one taint cleansing function.
  • We define a new taint kind, "iolibrary", to track taint introduced through this library.
  • We define a new warning class, "Tainted Input to print_important_data", to report cases where a tainted value is passed to sensitive function print_important_data().

Note

Files

The following files are used:

• Save copies of the tutorial files to a working directory.

The iolibrary Functions

The following functions are declared in iolibrary.h and defined in iolibrary.c.

The CodeSonar Models

File check_iolibrary.c is reproduced below.

/*
 *      Copyright (c) 2023, an unpublished work by CodeSecure, Inc.
 *                      ALL RIGHTS RESERVED
 *
 *      Copyright (c) 2014-2023, an unpublished work by GrammaTech, Inc.
 *                      ALL RIGHTS RESERVED
 *
 *      This software is furnished under a license and may be used and
 *      copied only in accordance with the terms of such license and the
 *      inclusion of the above copyright notice.  This software or any
 *      other copies thereof may not be provided or otherwise made
 *      available to any other person.  Title to and ownership of the
 *      software is retained by CodeSecure, Inc.
 */

/* check_iolibrary.c
 *
 * Contains CodeSonar models and checks for the functions in iolibrary.h.
 */


#ifdef __CODESONAR__


/* All files that use the Extension API must include csonar.h and
 * stdlib.h. */
#include <stdlib.h>
#include <stdio.h>

#include "csonar.h"
#include "iolibrary.h"


/* We define a new taint kind to track taint entering the program through functions
 * in this library. See documentation for CSONAR_DEFINE_TAINT_SOURCE. */
CSONAR_DEFINE_TAINT_SOURCE(iolibrary);


#define __CSURF_MARKER_LIBRARY_FUNCTION__ 1

/* Some of the library functions are defined (in iolibrary.c) in terms
 * of libc functions that already have CodeSonar models.  The
 * following functions do not require additional modeling work because
 * all necessary checking and taint handling is already accomplished
 * by the libc models.
 *
 *  +-------------------------+------------+
 *  | iolibrary function      | libc model |
 *  +-------------------------+------------+
 *  | open_a_file()           | fopen()    |
 *  | close_a_file()          | fclose()   |
 *  | write_string_to_file()  | fputs()    |
 *  +-------------------------+------------+
 */ 


/* The specially-named csonar_replace_open_a_file() will intercept
 * all calls to open_a_file (and similarly for all other
 * procedures with names of the form csonar_replace_functionname).
 *
 * Note that the symbol __CSURF_MARKER_LIBRARY_FUNCTION__ is defined
 * (as 1) before the definitions of the csonar_replace_*
 * functions. This marks them as LIBRARY FUNCTIONS: any warnings
 * triggered inside a replacement function will be reported at the
 * appropriate call site to that function, not inside the function
 * itself.
 *
 * Our replacement for read_string_from_file() calls the actual
 * read_string_from_file() function so that its implementation can be
 * checked by CodeSonar.  Additionally, it specifies that the string
 * read from the file has all of the taint determined by analyzing
 * read_string_from_file(), plus taint of kind 'iolibrary'.
 */
char * csonar_replace_read_string_from_file(char *dest, 
    size_t numchars,
    FILE *src){
   char * retval;
   size_t len;
   int taintunion;
   retval = read_string_from_file(dest, numchars, src);
   if (retval && CSM_UNKNOWN_INTEGER()){
     /* We want this code to be visible to the taint analysis phase
      * only. If it were analyzed during other phases it could cause
      * CodeSonar to become confused about the size of the buffer.
      */
     csonar_assert_taint_enabled();
     
     /* Construct a value with "iolibrary" taint plus all the taint
      * previously associated with dest. */
     taintunion = csonar_taint_union2(csonar_string_taint(dest), 
      csonar_taint_source_iolibrary());

     /* Model taint on the contents of the string. */
     *dest = taintunion;

     /* Model taint on the length of the string.*/
     len = csonar_bounded_value(taintunion, 
                                0, 
                                numchars - 1 );
     dest[len] = '\0';
   }
   return retval;
}


/* We model sanitized_size() to call the actual sanitized_size()
 * function so that its implementation can be checked by
 * CodeSonar. The model uses analysis 'assertions' to inform the
 * CodeSonar analysis that the return must be either -1, or at least
 * as large as the length of 'raw'.
 * The model cleanses all taint from the return value before returning
 * it: the sanitized size is derived from the size of the 'raw'
 * string, but we have determined it to be safe.
 */
int csonar_replace_sanitized_size(char *raw){
  int retval;
  retval = sanitized_size(raw);
  if (retval < strlen(raw)){
    if (retval != -1){ abort(); }
  }
  csonar_taint_clear_int(&retval);

  return retval;
}

   
/* We model sanitize_file_string() to call the actual
 * sanitize_file_string() function so that its implementation can be
 * checked by CodeSonar. Additionally, the model uses csonar_taint_clear_* to specify that the resulting string
 * has no taint.
 * - The "int" attribute of an address is an alias for the memory contents
 *   at that address.
 * - The "term" attribute of an address is an alias for the distance
 *   (in bits) between that address and the null sentinel.
 */
int csonar_replace_sanitize_file_string(char *raw, char *sanitized){
  int retval;
  retval = sanitize_file_string(raw, sanitized);
  csonar_taint_clear_int(sanitized);
  csonar_taint_clear_term(sanitized);
  return retval;
}


/* If a tainted string is passed to print_important_data(), we want to
 * issue a warning. csonar_taint_sink() performs the taint check and
 * specifies the warning class to use. In this case, we specify a
 * custom warning class.
 */
int csonar_replace_print_important_data(char *str){
  csonar_taint_sink(csonar_taint_source_any(),
                    *str, 
                    "Tainted Input to print_important_data", 
                    "CWE:20",
                    csws_security);
  return print_important_data(str);
}

#endif

Incorporating the Models

We want to compile check_iolibrary.c and include it in the CodeSonar project.

• Identify the hub you will use; start the hub if it is not already running.
• Determine the appropriate values for the following elements, which will be required to customize your build commands.

  host:port	the hub location.
  libmodels_path	the full path to the codesonar/libmodels subdirectory of your CodeSonar installation.
  [-remote analysis-launchd]	if you are using CodeSonar SaaS, include -remote "/saas/*" codesonar analyze command (you do not need to specify it with codesonar build). Otherwise, you can omit this option. For more information, see the documentation for -remote.

• From a command line in your working directory, use codesonar build to observe the compilation of check_iolibrary.c and add a corresponding CodeSonar representation to the test_iolibrary project.

  With gcc:	codesonar build test_iolibrary host:port \ gcc "-Ilibmodels_path" -c check_iolibrary.c
  With cl:	codesonar build test_iolibrary host:port ^ cl "/Ilibmodels_path" /c check_iolibrary.c
  Otherwise:	Use a command of the form: codesonar build test_iolibrary host:port \ compiler_command include_libmodels options check_iolibrary.c where: compiler_command is the command for invoking your compiler. include_libmodels is the compiler option setting required to include the codesonar/libmodels subdirectory of your CodeSonar installation. options are any other compilation options that might be required.

  • Example: with gcc, a hub located at alex:7340, and CodeSonar installed at /opt/codesonar:
    codesonar build test_iolibrary alex:7340 \
    gcc -I/opt/codesonar/libmodels -c check_iolibrary.c
  • For more example command lines, see Implementing and Including Custom Checks (if you use any of those examples directly, remember to change the name of the compiled source file to check_iolibrary.c).

Building and Analyzing the Project

If you are not already familiar with the CodeSonar build and analysis steps, you may wish to refer the following sections.

• Building and Analyzing a CodeSonar Project
• The CodeSonar Hub.

Now build the project and run the CodeSonar analysis.

• Use codesonar analyze to build the remainder of the project and then analyze the entire project.

  With gcc:	codesonar analyze test_iolibrary \ [-no-services] [-remote analysis-launchd] [host:port] gcc -c iolibrary.c use_iolibrary.c
  With cl:	codesonar analyze test_iolibrary ^ [-no-services] [-remote analysis-launchd] [host:port] cl /c iolibrary.c use_iolibrary.c
  Otherwise:	Use a command of the form: codesonar analyze test_iolibrary [-remote analysis-launchd] [host:port] \ compiler_command include_libmodels options iolibrary.c use_iolibrary.c where: compiler_command is the command for invoking your compiler. include_libmodels is the compiler option setting required to include the codesonar/libmodels subdirectory of your CodeSonar installation. options are any other compilation options that might be required.

• View the analysis results.
  • There should be a warning of the new warning class: "Tainted Input to print_important_data".
    (Strictly speaking there will be two warning instances, both in the same warning group: you will see either one or both, depending on your Visible Warnings selection.)
• Open the "Tainted Input to print_important_data" warning report.
  Tainted values are indicated with red underlining (unless you have already customized the display style).
• Hover over one of the tokens that is underlined in red. This marking indicates a tainted value (unless have already customized the display style, in which case you will have a different marking).
  A pop-up will appear, indicating that the value has "file taint" or "points at file taint" .
• Open the highlight legend:
  1. If necessarily, scroll up so you can see the GUI page header.
  2. Click the icon (located to the right of the Visible Warnings selector).
  3. Select show highlight legend from the menu that pops up.
• Use the highlight legend to change the display colors for iolibrary taint.
  1. Click the color sample next to the iolibrary taint label.
     A color selector will open.
  2. Click on the color selector to choose a new color.
     The color sample will change to your selected color, and the underlining colors in the code excerpt will be updated.
• Follow the same steps to change the display color for "points at iolibrary taint".
• Close the highlight legend by clicking the X in the top right corner.

Extension Exercise

We might also want to know if values with iolibrary taint are being passed to write_string_to_file().

Add a write_string_to_file() model to check_iolibrary.c and test it:

• Open check_iolibrary.c for editing.
• Add a model stub for write_string_to_file() to check_iolibrary.c.
  • The model must be named csonar_replace_write_string_to_file().
  • The model must have the same type signature as write_string_to_file() (see the function implementation in iolibrary.c).
• Fill in the model implementation.
  • Call csonar_taint_sink() to perform taint checking. It takes five arguments:

    taint_kind	Specify csonar_taint_source_iolibrary(): for the purpose of this exercise we are interested only in the iolibrary taint kind.
    val	Specify *src (the contents of of the char* argument to write_string_to_file() - if you change the argument names in the write_string_to_file() header, adjust your val argument accordingly)
    warning_class	Choose and specify a name for the new warning class.
    categories	Choose and specify one or more categories for the new warning class (or use the empty string if you don't want any categories).
    sig	Use of tainted values is a security issue, so specify csws_security.

  • Call write_string_to_file() so that CodeSonar will analyze the library function implementation along with the model.
• Build the new version of check_iolibrary.c into the project, using the same codesonar build command line that you used previously.
• Add new code to use_iolibrary.c to test your new check. For example, you could add several calls to write_string_to_file() - some with raw strings obtained by read_string_from_file(), some with strings generated by sanitize_file_string().
• Rebuild and re-analyze the CodeSonar project, using the same codesonar analyze command line that you used previously.