prosyslab-classroom / is511-2021-spring Goto Github PK

I do not under stand the filter operates in memory exactley. Would filter (x<0) true mem with mem : (x -> Top/y -> Pos) return (x -> Neg/y -> Pos)?

int main() {
  int i;
  int sum = 0;
  int z;
  for (i = 10; i > 1; i--) {
    sum = 10 / i;
  }
  z = 10 / (i - 1); // safe by interval with narrowing, false alarm by sign
  z = 10 / i;       // error
  return 0;
}

About above code, it says z = 10 / i; has potential error in sign domain.
However, the variable i comes from for loop, and i should be Pos by its condition i > 1.
I wonder why it has potential error, and also wonder the logic. Could you give an advice?

The department informed us that the overall usage of the storage area of KCLOUD2 VM has increased dramatically from the original estimate(about 95%).

Please delete the unused data in the VM('/dev/vda` area), so that there is no problem with your assignment environment.

Thank you.

It says like "cannot login with this account" when I try kcloudvpn logins (not like "wrong password").
I think my account is disabled because of consequent login failures.
Could you please enable the account or reset the password? Or how can I contact kcloudvpn admin?
ID is is511-21. I'm so sorry for this.

Here's the link for preparing homework environment.

https://docs.google.com/presentation/d/1y5Pk-Ks3883ut5WqYRnj8YggxBiAK3ZVzf-hJN6Z8XY/edit?usp=sharing

Check your KCLOUD VPN/VM information from KLMS.

I have a question about running the clang on the example.
when I tried to use the script that
clang -c -emit-llvm -S -fno-discard-value-names -Xclang -disable-O0-optnone -o example1.tmp.ll -g example1.c,
clang omitted error that
unknown argument: '-fno-discard-value-names'.

How should I solve it?
Thanks.

Q. Can I branch mutation logic based on target filename?
What I mean is, Can you guarantee that the filename will be same as test directory in the evaluation?

for instance,

if "json_parser" = env.exe then
  mutate_json ~~
else
  mutate_default ~~

I have committed Hw3 yesterday (5/5), but I want to submit better performing code.
As far as i know, I'm allowed for 5 grace days, so is it allowed to commit more codes after the deadline?

Hi,
I try to use Llvm in utop by: "open Llvm;;" but it returns: "Error: Unbound module Llvm".
I have checked the environment and the dependencies have been installed right version:
llvm-config --version : 10.0.0
opt --version: LLVM version 10.0.0
clang --version: clang version 10.0.0-4ubuntu1~18.04.2

Please help me with my problem
Thank you!

• Please apply the following patch to test/dune:

--- a/test/dune
+++ b/test/dune
@@ -2,34 +2,58 @@
  (deps example1.ll)
  (action
   (with-stdout-to
-   example1.sign.output
-   (run ../analyzer example1.ll))))
+   example1.output
+   (run ../analyzer sign example1.ll))))

 (rule
  (alias runtest)
  (action
-  (diff example1.sign.expected example1.sign.output)))
+  (diff example1.expected example1.output)))

 (rule
  (deps example2.ll)
  (action
   (with-stdout-to
-   example2.sign.output
-   (run ../analyzer example2.ll))))
+   example2.output
+   (run ../analyzer sign example2.ll))))

 (rule
  (alias runtest)
  (action
-  (diff example2.sign.expected example2.sign.output)))
+  (diff example2.expected example2.output)))

 (rule
  (deps example3.ll)
  (action
   (with-stdout-to
-   example3.sign.output
-   (run ../analyzer example3.ll))))
+   example3.output
+   (run ../analyzer sign example3.ll))))

 (rule
  (alias runtest)
  (action
-  (diff example3.sign.expected example3.sign.output)))
+  (diff example3.expected example3.output)))
+
+(rule
+ (deps example4.ll)
+ (action
+  (with-stdout-to
+   example4.output
+   (run ../analyzer taint example4.ll))))
+
+(rule
+ (alias runtest)
+ (action
+  (diff example4.expected example4.output)))
+
+(rule
+ (deps example5.ll)
+ (action
+  (with-stdout-to
+   example5.output
+   (run ../analyzer taint example5.ll))))
+
+(rule
+ (alias runtest)
+ (action
+  (diff example5.expected example5.output)))

• add two files:

new file mode 100644
index 0000000..ac488ee
--- /dev/null
+++ b/test/example4.expected
@@ -0,0 +1 @@
+Potential Tainted-flow @ example4.c:main:5:3 (call void @sink(i32 %call), !dbg !14)
diff --git a/test/example5.expected b/test/example5.expected
new file mode 100644
index 0000000..ccb4aef
--- /dev/null
+++ b/test/example5.expected
@@ -0,0 +1 @@
+Potential Tainted-flow @ example5.c:main:12:3 (call void @sink(i32 %y.0), !dbg !23)

• Remove .travis.yml

Students, who checkout the skeleton code from now on, will have the fixed code.

• Goal: setting up and getting familiarized with OCaml and Git

  • Implement simple programs in OCaml (e.g., hello-world)
  • Push to your Github repository
  • Will not be graded

• Invitation URLs

  • hello-world: https://classroom.github.com/a/eZe5Pv-c
  • ocaml-programming: https://classroom.github.com/a/G4S8mlaB

I would like to ask two questions about semantics of sanitizer() function.

1. Is the semantics of sanitizer() to be fixed as a single abstract value? In skeleton, type of of_sanitizer takes no parameter into account. I guess we can do better(?) in terms of SIGN domain. I just want to make sure if this is intended for simplicity.

2. In 12th week lecture slides, there is an example showing how sanitizer() function works and I found one to be a bit spurious. Below is the third example in 16th page:

sink(z) in the last line shall be SAFE as joined value of z from two branches are both sanitized.

Please correct me if I got wrong or missed anything.

TAs will not check KLMS submissions(제출물) for Prof. Kihong Heo's assignments(Assignment 3-5).
Please commit your code directly to your personal assignment repository.
(ex. is511-2021-spring-hw3-YOUR_GITHUB_ID)

In git, it's possible to change the date of a commit.
We do not allow to change the date of any commit to earlier one to get a better score.
So please, check your commits before pushing them to your remote repository.

I copied my HW3's instrument.ml into my HW4 repository, ran make on root directory, then ran make on test directory, which resulted in a segmentation fault.

Makefile:13: recipe for target 'json_parser' failed
make: *** [json_parser] Segmentation fault (core dumped)

I think I narrowed down the problem to the Utils.is_debug function: using this function causes a segmentation fault.
I made a minimal version of instrument.ml, available in the is_debug branch of my HW4 repository.
Since this issue appears only on the json_parser part and not on the two given examples, I presume something's wrong in the json parser or the is_debug function. Could you clarify my guess?

I want to bring type debug_loc in Utils.ml to take line and column information from return value of debug_location. Can I get any advice or help?

I wonder order x y returns true if x ⊆ y, or returns true if y ⊆ x. Which is true?

When I refer a build_call function from https://llvm.moe/ocaml/Llvm.html ,

website briefs explain what a function does and tells See the method llvm::LLVMBuilder::CreateCall to me.

But how can I find a document or explanation related llvm::LLVMBuilder::CreateCall? I tried to google it and searching from https://llvm.org/docs/GettingStartedTutorials.html , but I have no idea.

We added new example testcases for hw3. (example2 and example3)
Please check the main/master branch of your repository if you started your homework before ~21 hours ago.

[Old]
Coverage (20pt): # covered lines / 500 * 20
[New]
Coverage (20pt): # covered (line, column)s / 800 * 20

The coverege includes cases from both passed inputs and crashed inputs. (-store_passing_input flag will be used)

Also, the reference in Google docs is changed. Please check the HW4 documentation again!

An interesting article that shows why we should study security: https://www.technologyreview.com/2021/02/03/1017242/google-project-zero-day-flaw-security
I recommend you read that for fun.

According to the article:

that it’s far too easy for hackers to keep exploiting insidious zero-days because companies are not doing a good job of permanently shutting down flaws and loopholes.

In the worst case, a couple of zero-days that I discovered were an issue of the vendor fixing something on one line of code and, on literally the next line of code, the exact same type of vulnerability was still present and they didn't bother to fix it.

When I enter 'make' command, the following error occurs.

Error: Library "llvm.irreader" not found.
Hint: try:
dune external-lib-deps --missing src/main.exe
Makefile:8: recipe for target 'all' failed
make: *** [all] Error 1

So I tried to install conf-llvm 10.0.0 and llvm 10.0.0, I failed to install conf-llvm 10.0.0 since it does not have llvm-10-dev.

But I could not install llvm-10-dev by any ways I tried. May I ask how I can solve this problem?

분석 결과를 report할 때 analysis.ml의 check함수를 사용하는데,
check_instr와 check는 이미 구현되어 있는 코드를 사용하여 report를 하였습니다.

하지만 check_instr는 sign analysis와 taint analysis의 구분이 없어 taint analysis를 report할 때
아래 코드로 인해 invalid division by zero report가 발생합니다.
if Memory.Value.order zero v then

이와 같은 경우는 고려하지 않아도 되는 것인지 여쭙고 싶습니다.
감사합니다.

When I tried to use make, error occurred :
PHI nodes not grouped at top of basic block!
%string_length.7 = phi i32 [ %string_length.0, %sw.epilog846 ], [ %string_length.6, %sw.epilog1129 ], !dbg !1364
label %if.end1130
PHI nodes not grouped at top of basic block!
%cond = phi i8* [ %call, %cond.true ], [ %call1, %cond.false ], !dbg !1534
label %cond.end
fatal error: error in backend: Broken module found, compilation aborted!
clang: error: clang frontend command failed with exit code 70 (use -v to see invocation)
Ubuntu clang version 10.0.1-++20210405103842+ef32c611aa21-1exp120210405084441.211
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
clang: note: diagnostic msg: PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
clang: note: diagnostic msg:

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/runtime-a8a490.c
clang: note: diagnostic msg: /tmp/runtime-a8a490.sh
clang: note: diagnostic msg:

How should I handle it?
Thank you.

Hi all,

Just to avoid confusion, there will be no class this mid term week. See you next week.

When I check json_parser.c file, there is no heavy time-consuming computation.

However, for me, json_parser's running time is massively slow.

$ time ./json_parser < json_seed/seed_2.json
real    0m5.409s
user    0m0.080s
sys     0m0.835s

$ time ./json_parser < json_seed/seed_2.json
real    0m5.369s
user    0m0.074s
sys     0m0.841s

$ time ./json_parser < json_seed/seed_2.json
real    0m5.478s
user    0m0.109s
sys     0m0.835s

I cannot easily catch the reason. Even if my sanitizer is implement in weird way, json_parser.instrumented.ll may same as others, so it won't be a reason for running time.

Is there anyone who suffers with same thing?

filter function in Semantics.ml returns an abstract memory that satisfies given condition.
According to instruction, filter (x < 10) true mem will return an abstract memory that satisfies condition x < 10.
However, in example1.c,

int main() {
int x = source();
int z;
if (x >= 0) {
z = 10 / x; // error
if (x < 0) {
z = 10 / x; // unreachable
}
} else {
z = 10 / x; // safe
}
z = 10 / x; // error
return 0;
}

Then filter (x>=0) true mem return memory (x->Top), and (x<0) true mem return memory (x->Neg) since x remains Top in the memory. Then the code

  z = 10 / x; // unreachable

becomes reachable. Could you give an advice how I can solve this problem?

I am able to get operands using Llvm.operand, but I cannot get result register from instruction.
I've searched for several times, but I couldn't find it.
What should I do?