The tool can be started by running the CodeTester.py file, using the command:
python CodeTester.py
with or without arguments. In both modes, the same options are available and the results of the chosen tests have the same format.
5.3.1 Running Code-tester with the arguments
Using the command-line options and arguments, the desired task is carried out immediately, and after the task finishes the application exits.
The command-line options and their arguments are:
• -o {1,2,3,4,5,6}, --option {1,2,3,4,5,6}
which selects the option to be carried out. The options are:
1) Run all Buffer Overflow tests
2) Run all Memory Disclosure tests
3) Run all Null Pointer Dereference tests
4) Run all tests
5) Settings
6) Help
• -l LIMIT, --limit LIMIT
which sets the maximum allowed query time in minutes
• -h, --help
which shows the help message with a usage description
The command-line options are optional, but if the -o parameter is not specified, the application prints the interactive console menu (Listing 5.3). If the option argument is specified without the limit argument, the default value in the CodeTester.py file is used as the maximum query time limit.
5.3.2 Running Code-tester without the arguments
Running the application without arguments (Listing 5.3) prints the interactive console menu with numbered options, which can be chosen by typing the desired number and pressing Enter.

//////////////////////////////
/// Code-tester 1.0 ///
//////////////////////////////
Options:
1) Run all Buffer Overflow tests
2) Run all Memory Disclosure tests
3) Run all Null Pointer Dereference tests
4) Run all tests
5) Settings
6) Help
7) Quit

Listing 5.3: The interactive console menu of the code testing tool, written into the console.

The chosen option is executed, and after the task finishes the application waits for the next command. The default value stored in the CodeTester.py file is used as the maximum query time limit.
5.3.3 Example of the use
As an example, Code-tester can be used to analyze the source code of VLC media player 2.1.5. After the Joern platform has been used to parse the source code and the database server has been started, Code-tester can be started from its folder, simply by using the command-line options and arguments.
The command
python CodeTester.py -o 1 -l 20
starts the buffer-overflow tests over the VLC media player source with a time limit of 20 minutes, which will yield the complete results over time:
=========================================
[+] Running Buffer-Overflow tests.
[+] Creating connection.
[+] Connecting to the database.
[+] Fetching query list.
[+] Running query 1, Buffer-overflow
[+] Quering finished.
[+] Elapsed time: 42.2251839638 seconds.
[+] Number of positive samples: 4
[+] Possible vulnerabilities:

Node id: 630547
End source: memcpy ( ( ( char * ) & id -> clutID ) + 2 , p_vide + 70 , i_vide - 70 )
Function: OpenVideo
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/modules/codec/quicktime.c

Node id: 872623
End source: memcpy ( p_box -> data . p_name -> psz_text , p_peek , p_box -> i_size - 8 )
Function: MP4_ReadBox_name
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/modules/demux/mp4/libmp4.c

namelen + 1 )
Function: sink_add_cb
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/modules/audio_output/pulse.c

Node id: 2151103
End source: memcpy ( psz_buf , psz_command , psz_temp - psz_command )
Function: ExecuteCommand
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/src/input/vlmshell.c

[+] Running query 2, buffer calloc
[+] Quering finished.
[+] Elapsed time: 6.6542570591 seconds.
[+] Number of positive samples: 1
[+] Possible vulnerabilities:

Node id: 337126
End source: memcpy ( * pp_sectors , p_vcddev -> p_sectors , ( i_tracks + 1 ) * sizeof ( * * pp_sectors ) )
Function: ioctl_GetTracksMap
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/modules/access/vcd/cdrom.c

[+] Running query 3, modified buffer
[+] Quering finished.
[+] Elapsed time: 8.65275502205 seconds.
[+] Number of positive samples: 13
[+] Possible vulnerabilities:

Node id: 1562312
End source: memcpy ( psz_uri_scheme , psz_subtitles , i_scheme_len )
Function: Item :: buildInputSlaveOption
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/modules/services_discovery/upnp.cpp

Node id: 1396529
End source: memcpy ( p_data , psz_data , i_data )
Function: vlclua_todata
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/modules/lua/libs/httpd.c

Node id: 535696
End source: memcpy ( p_enc -> fmt_out . p_extra , p_block -> p_buffer , len )
Function: Encode
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/modules/codec/dirac.c

Node id: 599057
End source: memcpy ( p_sys -> name , name_ptr , name_len )
Function: OpenDecoder
File path: /home/ondra/joern-0.3.1/vlc-2.1.4/modules/codec/omxil/android_mediacodec.c

...
The complete result spans the 10 query results for the buffer-overflow kind of test.
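
For triage of such a report, the following added example (not part of the original text and not Code-tester's own code) parses the result format shown above into per-query findings and flags queries whose parsed record count differs from the reported "Number of positive samples", as happens when a record is cut off. The sample report, its node ids, function names and paths are constructed for illustration.

```python
import re

# Constructed sample in the Code-tester output format; node ids, function
# names and paths are made up. Query 2 contains a record with its head cut off.
SAMPLE = """\
[+] Running query 1, Buffer-overflow
[+] Number of positive samples: 2
[+] Possible vulnerabilities:
Node id: 101 End source: memcpy ( dst , src , len - 8 ) Function: read_box
File path: /src/demo/demux/box.c
Node id: 102
End source: memcpy ( buf , cmd , end - cmd )
Function: run_command
File path: /src/demo/input/shell.c
[+] Running query 2, buffer calloc
[+] Number of positive samples: 2
[+] Possible vulnerabilities:
namelen + 1 ) Function: add_cb File path: /src/demo/audio/pulse.c
Node id: 203 End source: memcpy ( * out , in -> data , ( n + 1 ) * sizeof ( * * out ) )
Function: get_map File path: /src/demo/access/cdrom.c
"""

QUERY = re.compile(r"\[\+\] Running query (\d+)\s*,\s*(.+)")
COUNT = re.compile(r"Number of positive samples:\s*(\d+)")
# Field labels delimit a record, so line wrapping does not matter; the
# lookahead stops a damaged record from swallowing the next "Node id:".
RECORD = re.compile(
    r"Node id:\s*(\d+)\s+End source:\s*((?:(?!Node id:).)+?)\s+"
    r"Function:\s*((?:(?!Node id:).)+?)\s+File path:\s*(\S+)", re.DOTALL)

def parse_report(text):
    """Return {query number: {"name", "reported", "findings"}}."""
    report = {}
    # split() with two groups yields [preamble, num, name, body, num, name, body, ...]
    parts = QUERY.split(text)
    for num, name, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        m = COUNT.search(body)
        findings = [
            {"node_id": int(n), "sink": " ".join(s.split()),
             "function": f, "path": p}
            for n, s, f, p in RECORD.findall(body)
        ]
        report[int(num)] = {"name": name.strip(),
                            "reported": int(m.group(1)) if m else None,
                            "findings": findings}
    return report

def incomplete_queries(report):
    """Query numbers whose parsed record count differs from the reported count."""
    return [q for q, r in report.items() if r["reported"] != len(r["findings"])]
```

Each finding is only a candidate: the memcpy length expression in "sink" still has to be checked by hand against the destination buffer size in the named function.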