Static Code Analysis
Liang Guangtai (梁广泰)
2011-05-25
Outline
Motivation
Static program analysis (concepts + examples)
Program defect analysis (research work)
Motivation
Characteristics of the cloud platform
Applications are deployed directly on cloud servers, which creates security risks:
Direct operations can damage the server's file system
When a security vulnerability exists, it provides an entry point for attackers
Resources are shared and dynamically allocated:
A single poorly performing application can eat into the resources of other applications
One solution:
Perform static code analysis on an application before deploying it:
Are there forbidden calls? (illegal file access)
Is there inefficient code? (heavy String concatenation without using StringBuilder)
Are there security vulnerabilities? (SQL injection, cross-site scripting, denial of service)
Is there malicious code (viruses)?
……
Static Code Analysis
Definition:
Static program analysis is the technique of analyzing a program without executing it; static analysis for short.
Contrast:
Dynamic program analysis: requires actually executing the program
Program comprehension: the term "static analysis" is generally used for analysis performed by automated tools, whereas manual analysis is usually called program comprehension
Uses:
Program translation/compilation (compilers), program optimization and refactoring, software defect detection, etc.
Process:
In most cases the input to static analysis is source code or intermediate code (e.g. Java bytecode); only rarely is object code used. The analysis result is output in a specific form.
Static Code Analysis
Basic Blocks
Control Flow Graph
Dataflow Analysis
Live Variable Analysis
Reaching Definition Analysis
Lattice Theory
Basic Blocks
A basic block is a maximal sequence of consecutive three-address instructions with the following properties:
The flow of control can only enter the basic block thru the 1st instr.
Control will leave the block without halting or branching, except possibly at the last instr.
Basic blocks are the nodes of a flow graph, with edges indicating the order of execution.
[Figure: flow graph whose nodes are the basic blocks A, B, C, D, E and F]
Basic Block Example
Leaders (marked with *): the first instruction, every target of a goto, and every instruction that immediately follows a goto. Each basic block runs from a leader up to, but not including, the next leader.
 1) i = 1                *
 2) j = 1                *
 3) t1 = 10 * i          *
 4) t2 = t1 + j
 5) t3 = 8 * t2
 6) t4 = t3 - 88
 7) a[t4] =
 8) j = j + 1
 9) if j <= 10 goto (3)
10) i = i + 1            *
11) if i <= 10 goto (2)
12) i = 1                *
13) t5 = i - 1           *
14) t6 = 88 * t5
15) a[t6] =
16) i = i + 1
17) if i <= 10 goto (13)
Basic Blocks
Control-Flow Graphs
Control-flow graph:
Node: an instruction or sequence of instructions (a basic block)
Two instructions i, j are in the same basic block iff execution of i guarantees execution of j
Directed edge: potential flow of control
Distinguished start node Entry & Exit
First & last instruction in program
Control-Flow Edges
Basic blocks = nodes
Edges:
Add directed edge between B1 and B2 if:
Branch from last statement of B1 to first statement of B2 (B2 is a leader), or
B2 immediately follows B1 in program order and B1 does not end with unconditional branch (goto)
Definition of predecessor and successor: for an edge B1 -> B2,
B1 is a predecessor of B2
B2 is a successor of B1
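The leader rule from the basic block example and the edge rules from this slide can be implemented directly. The following Python program is an added example, not part of the original slides: it partitions a three-address program into basic blocks by finding leaders, then adds a branch edge for each goto and a fall-through edge wherever a block does not end in an unconditional goto, and finally answers predecessor/successor queries. The input is the slide's own 17-instruction program; the right-hand sides of the two array stores are not shown on the slide, so the values 0.0 and 1.0 are constructed placeholders.

```python
import re

# Constructed input: the three-address program from the slide, instructions 1..17.
# The right-hand sides of lines 7 and 15 are not shown on the slide; 0.0 and 1.0
# are placeholder values so that those lines parse as ordinary statements.
PROGRAM = [
    "i = 1",                 # 1
    "j = 1",                 # 2
    "t1 = 10 * i",           # 3
    "t2 = t1 + j",           # 4
    "t3 = 8 * t2",           # 5
    "t4 = t3 - 88",          # 6
    "a[t4] = 0.0",           # 7  (placeholder value)
    "j = j + 1",             # 8
    "if j <= 10 goto (3)",   # 9
    "i = i + 1",             # 10
    "if i <= 10 goto (2)",   # 11
    "i = 1",                 # 12
    "t5 = i - 1",            # 13
    "t6 = 88 * t5",          # 14
    "a[t6] = 1.0",           # 15 (placeholder value)
    "i = i + 1",             # 16
    "if i <= 10 goto (13)",  # 17
]

GOTO = re.compile(r"goto \((\d+)\)$")


def jump_target(instr):
    """1-based target of 'goto (n)' or 'if ... goto (n)'; None for non-jumps."""
    m = GOTO.search(instr)
    return int(m.group(1)) if m else None


def is_unconditional_jump(instr):
    """A bare 'goto (n)' never falls through; a conditional 'if ... goto' may."""
    return instr.startswith("goto ")


def find_leaders(program):
    """Leaders: the first instruction, every jump target, and every
    instruction immediately following a jump (all 1-based line numbers)."""
    leaders = {1}
    for idx, instr in enumerate(program, start=1):
        tgt = jump_target(instr)
        if tgt is not None:
            leaders.add(tgt)
            if idx + 1 <= len(program):
                leaders.add(idx + 1)
    return sorted(leaders)


def build_blocks(program):
    """Each block is (first_line, last_line): from a leader up to the next leader."""
    bounds = find_leaders(program) + [len(program) + 1]
    return [(bounds[k], bounds[k + 1] - 1) for k in range(len(bounds) - 1)]


def build_cfg(program):
    """Return (blocks, edges). Edge (b1, b2) exists if b1 branches to b2's leader,
    or b2 follows b1 in program order and b1 does not end in an unconditional goto."""
    blocks = build_blocks(program)
    block_of_leader = {first: b for b, (first, _) in enumerate(blocks)}
    edges = set()
    for b, (_, last) in enumerate(blocks):
        last_instr = program[last - 1]
        tgt = jump_target(last_instr)
        if tgt is not None:
            edges.add((b, block_of_leader[tgt]))      # branch edge
        if not is_unconditional_jump(last_instr) and b + 1 < len(blocks):
            edges.add((b, b + 1))                     # fall-through edge
    return blocks, sorted(edges)


def predecessors(edges, block):
    return sorted(src for src, dst in edges if dst == block)


def successors(edges, block):
    return sorted(dst for src, dst in edges if src == block)


if __name__ == "__main__":
    blocks, edges = build_cfg(PROGRAM)
    for b, (first, last) in enumerate(blocks):
        print(f"B{b}: lines {first}-{last}, succ={successors(edges, b)}, pred={predecessors(edges, b)}")
```

On the slide's program this yields six blocks starting at the leaders 1, 2, 3, 10, 12 and 13; the two conditional gotos at lines 9 and 17 produce the self-loops B2 -> B2 and B5 -> B5, and the goto at line 11 produces the back edge B3 -> B1 for the outer loop. The distinguished Entry and Exit nodes from the slide are not modelled; they would be attached to B0 and to the last block respectively.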