On 04/12/11 13:33, Hargett, Matt wrote:
> Hey Sarah,
>
> Many array bounds and format string problems can already be found, especially
> with LTO, ClooG, loop-unrolling, and -O3 enabled. Seeing across object-file
> boundaries, understanding loop boundaries, and aggressive inlining allows GCC
> to warn about a lot of real-world vulnerabilities. When multiple IPA passes
> land in trunk, it should be even better.
>
> What I think is missing is:
>
> 1) detection of double-free. This is already a function attribute called
> 'malloc', which is used to express a specific kind of allocation function
> whose return value will never be aliased. You could use that attribute, in
> addition to a new one ('free'), to track potential double-frees of values via
> VRP/IPA.

To do a good job at this, I think we need to be able to annotate functions
which must/may free one of their parameters. We then need to be able to
propagate that information through the call graph.

Once you've got that annotation propagated through the call graph, a
use-after-free (which is a superset of double-free) is a lot more powerful.
This may be a subset of what you want for #2 (taint & filtering side effects
for parameters).

Jeff
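The scheme Jeff sketches (a per-function summary of which parameters it may free, propagated through the call graph to a fixed point, then used to flag a second free of the same pointer in a caller) as an added toy model written for this page; it is not GCC code, and the statement encoding, function names and call graph below are constructed.

```python
# Toy interprocedural "may free parameter" analysis (constructed example).
# Each function is (param_names, body); a body statement is either
#   ("free", var)                frees the local or parameter `var`
#   ("call", callee, [args])     passes the named locals to `callee`
from typing import Dict, List, Set, Tuple

Func = Tuple[List[str], List[tuple]]


def propagate_may_free(funcs: Dict[str, Func]) -> Dict[str, Set[int]]:
    """Return {function: indices of parameters it may free}, computed by
    iterating over the call graph until no summary changes."""
    may_free: Dict[str, Set[int]] = {name: set() for name in funcs}
    changed = True
    while changed:
        changed = False
        for name, (params, body) in funcs.items():
            freed: Set[str] = set()
            for stmt in body:
                if stmt[0] == "free":
                    freed.add(stmt[1])
                elif stmt[0] == "call":
                    callee, args = stmt[1], stmt[2]
                    # pull in the callee's summary: which of our locals it frees
                    freed |= {args[i] for i in may_free.get(callee, set())
                              if i < len(args)}
            summary = {params.index(v) for v in freed if v in params}
            if summary != may_free[name]:
                may_free[name] = summary
                changed = True
    return may_free


def find_double_frees(funcs: Dict[str, Func],
                      may_free: Dict[str, Set[int]]) -> List[Tuple[str, str]]:
    """Flag (function, var) when the same pointer may be freed twice in sequence,
    directly or through a callee whose summary says it frees that argument."""
    findings = []
    for name, (_, body) in funcs.items():
        freed_so_far: Set[str] = set()
        for stmt in body:
            if stmt[0] == "free":
                now = {stmt[1]}
            else:
                now = {stmt[2][i] for i in may_free.get(stmt[1], set())
                       if i < len(stmt[2])}
            findings += [(name, v) for v in now if v in freed_so_far]
            freed_so_far |= now
    return findings


# Constructed call graph: release() frees its argument two levels down via
# helper(); main() then frees the same buffer again.
FUNCS: Dict[str, Func] = {
    "helper":  (["q"], [("free", "q")]),
    "release": (["p"], [("call", "helper", ["p"])]),
    "main":    ([],    [("call", "release", ["buf"]), ("free", "buf")]),
}
```

Running `find_double_frees(FUNCS, propagate_may_free(FUNCS))` reports `("main", "buf")`, which only becomes visible once helper's summary has flowed up through release.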