
Assignment 1

Yulei Sui edited this page Jun 6, 2024 · 72 revisions

Assignment-1 folder layout

$ tree Assignment-1
├── Assignment-1.cpp
├── Assignment-1.h
├── CMakeLists.txt
├── SrcSnk.txt
└── Tests
    ├── CMakeLists.txt
    ├── test.cpp
    └── testcases
        ├── icfg
        │   ├── test1.c
        │   ├── test1.ll
        │   ├── test2.c
        │   └── test2.ll
        ├── pta
        │   ├── test1.c
        │   ├── test1.ll
        │   ├── test2.c
        │   ├── test2.ll
        │   ├── test3.c
        │   ├── test3.ll
        │   ├── test4.c
        │   └── test4.ll
        └── taint
            ├── test1.c
            ├── test1.ll
            ├── test2.c
            └── test2.ll

1. Get the latest Assignment-1 code template

* Before coding, please type cd $HOME/Software-Security-Analysis and git pull in your terminal to make sure you always have the latest version of the code template before each assignment.

If git pull fails because of a conflict with your local changes, type git stash to put your current code aside in a temporary stash, then type git pull again. To get your code back, type git stash pop.

2. Assignment 1 coding task

  • Implement the following methods of the classes ICFGTraversal and AndersenPTA in Assignment-1.cpp.

| Function | Description | Marks |
| --- | --- | --- |
| readSrcSnkFromFile | Identify sources and sinks by parsing the APIs listed in SrcSnk.txt for the reachability analysis | 20% |
| reachability | Context-sensitive reachability analysis on the ICFG | 30% |
| solveWorklist | Field-sensitive inclusion-based points-to analysis (Andersen's analysis) | 30% |
| aliasCheck | Check whether the two variables at the source and the sink are aliases. Two variables are aliases if their points-to sets have at least one overlapping element. | 20% |
  • Tainted Information Flow: Given a tainted source v1@src (variable v1 at program point src), we say that a sink v2@snk is also tainted if both of the following conditions are satisfied: (1) src reaches snk on the ICFG according to the context-sensitive reachability analysis, and (2) pts(v1) ∩ pts(v2) ≠ ∅ as inferred by Andersen's field-sensitive analysis. Note that in this assignment, v1 is the return value of a call to a source function, and v2 is any argument of the call to the sink function.

  • Tips for implementing reachability and solveWorklist. The implementation of reachability differs from the one in Lab-Exercise-1 in that the collected paths must be feasible in terms of context sensitivity (the call and return ICFGNodes must match on each program path). The implementation of solveWorklist also differs from the one in Lab-Exercise-1 by following an additional field-sensitive rule, which distinguishes the fields of each struct but is array-insensitive (all elements of an array are treated as one object). Please refer to this API (getGepObjVar) to obtain a field object given a struct object and a field index.
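As an added illustration of the context-sensitivity requirement (example code written for this page, not the assignment template and not SVF's ICFG API), the following self-contained C++ program runs a depth-first traversal over a constructed toy ICFG: CALL edges push their call-site id onto a call-string, and a RET edge is only taken when it matches the top of that call-string. Node ids, edge kinds, the graph and the empty-context rule are assumptions of this toy.

```cpp
#include <map>
#include <set>
#include <utility>
#include <vector>
enum EdgeKind { INTRA, CALL, RET };
struct Edge { int dst; EdgeKind kind; int callSite; };   // callSite is -1 on INTRA edges
using Path = std::vector<int>;
using State = std::pair<int, Path>;                       // (ICFG node, call-string)
struct ICFG {
    std::map<int, std::vector<Edge>> succ;
    void add(int s, int d, EdgeKind k = INTRA, int cs = -1) { succ[s].push_back({d, k, cs}); }
};
// DFS over (node, call-string) states: 'onPath' blocks cycles, 'found' collects every feasible
// src-to-snk path. A RET whose call site differs from the top of the context is infeasible; a RET
// with an empty context is taken (assumption of this toy: the path started inside the callee).
static void dfs(const ICFG& g, int node, int snk, Path& ctx, Path& path,
                std::set<State>& onPath, std::vector<Path>& found) {
    if (!onPath.insert(State(node, ctx)).second) return;
    path.push_back(node);
    if (node == snk) found.push_back(path);
    else {
        auto it = g.succ.find(node);
        if (it != g.succ.end()) for (const Edge& e : it->second) {
            if (e.kind == CALL) {
                ctx.push_back(e.callSite);                    // enter callee: remember the call site
                dfs(g, e.dst, snk, ctx, path, onPath, found);
                ctx.pop_back();
            } else if (e.kind == RET) {
                if (!ctx.empty() && ctx.back() != e.callSite) continue;   // returns to the wrong caller
                bool matched = !ctx.empty();
                if (matched) ctx.pop_back();                  // leave callee: consume the matching call site
                dfs(g, e.dst, snk, ctx, path, onPath, found);
                if (matched) ctx.push_back(e.callSite);
            } else dfs(g, e.dst, snk, ctx, path, onPath, found);
        }
    }
    path.pop_back();
    onPath.erase(State(node, ctx));
}
// Constructed toy: main (nodes 1..6) calls foo (nodes 10..12) at call sites 1 and 2; node 1 is the
// source, node 6 the sink. Edge 12->5 returns to call site 2, so it is feasible only in context [2].
std::vector<Path> feasiblePaths() {
    ICFG g;
    g.add(1, 2); g.add(2, 10, CALL, 1); g.add(10, 11); g.add(11, 12); g.add(12, 3, RET, 1);
    g.add(12, 5, RET, 2); g.add(3, 4); g.add(4, 10, CALL, 2); g.add(5, 6);
    Path ctx, path; std::set<State> onPath; std::vector<Path> found;
    dfs(g, 1, 6, ctx, path, onPath, found);
    return found;   // one feasible path: 1 2 10 11 12 3 4 10 11 12 5 6 (12->5 from context [1] is rejected)
}
```

A context-insensitive traversal of the same graph would also report the shorter path 1 2 10 11 12 5 6, which returns from the first call of foo to the second call site.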

| C-like form | Constraint form | Solving rule | Explanation |
| --- | --- | --- | --- |
| p = &o | p <--ADDR-- o | pts(p) = pts(p) ∪ {o} | add o into p's points-to set |
| q = p | q <--COPY-- p | pts(q) = pts(q) ∪ pts(p) | union p's points-to set into q's |
| q = *p | q <--LOAD-- p | for each o ∈ pts(p) : q <--COPY-- o | for each o in p's points-to set, add a COPY edge from o to q (if it is not yet on the graph) |
| *q = p | q <--STORE-- p | for each o ∈ pts(q) : o <--COPY-- p | for each o in q's points-to set, add a COPY edge from p to o (if it is not yet on the graph) |
| q = &p->fld | q <--GEP, fld-- p | for each o ∈ pts(p) : pts(q) = pts(q) ∪ {o.fld} | for each o in p's points-to set, add o's field object o.fld into q's points-to set |
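To show the five rules above in action, here is a small worklist solver written for this page (it is not the assignment's AndersenPTA and does not use SVF; gepObj only imitates getGepObjVar with a (base object, field index) map). The node ids, the constraints and the id range for field objects are constructed, and alias performs the overlap check that aliasCheck needs for condition (2) of the taint definition.

```cpp
#include <deque>
#include <map>
#include <set>
#include <utility>
#include <vector>
using Node = int;
enum Kind { ADDR, COPY, LOAD, STORE, GEP };
struct Constraint { Kind kind; Node dst, src; int fld; };   // dst <--kind-- src; fld is used by GEP only
struct Andersen {
    std::map<Node, std::set<Node>> pts;                 // points-to sets
    std::map<Node, std::set<Node>> copyOut;             // COPY edges, src -> {dst}
    std::vector<Constraint> complex;                    // LOAD/STORE/GEP, re-checked whenever pts(p) grows
    std::map<std::pair<Node, int>, Node> fieldObj;      // (base object, field index) -> field object
    Node nextId = 1000;                                 // constructed id range for field objects (0 is unused)
    Node gepObj(Node base, int fld) {                   // stand-in for getGepObjVar; arrays are one object
        Node& f = fieldObj[{base, fld}];                // value-initialised to 0 on first use
        return f ? f : (f = nextId++);
    }
    bool addCopy(Node src, Node dst) { return copyOut[src].insert(dst).second; }
    void solve(const std::vector<Constraint>& cs) {
        std::deque<Node> work;
        for (const Constraint& c : cs) {
            if (c.kind == ADDR) { pts[c.dst].insert(c.src); work.push_back(c.dst); }   // pts(p) |= {o}
            else if (c.kind == COPY) addCopy(c.src, c.dst);
            else complex.push_back(c);
        }
        while (!work.empty()) {
            Node p = work.front(); work.pop_front();
            std::set<Node> ps = pts[p];                  // copy: pts may grow while we iterate
            for (const Constraint& c : complex) {
                if (c.kind == LOAD && c.src == p) {         // q = *p: for each o in pts(p), q <--COPY-- o
                    for (Node o : ps) if (addCopy(o, c.dst)) work.push_back(o);
                } else if (c.kind == STORE && c.dst == p) { // *q = p: for each o in pts(q), o <--COPY-- p
                    for (Node o : ps) if (addCopy(c.src, o)) work.push_back(c.src);
                } else if (c.kind == GEP && c.src == p) {   // q = &p->fld: pts(q) |= {o.fld}
                    for (Node o : ps) if (pts[c.dst].insert(gepObj(o, c.fld)).second) work.push_back(c.dst);
                }
            }
            for (Node q : copyOut[p]) {                     // q <--COPY-- p: pts(q) |= pts(p)
                auto n = pts[q].size(); pts[q].insert(ps.begin(), ps.end()); if (pts[q].size() != n) work.push_back(q);
            }
        }
    }
    bool alias(Node a, Node b) { for (Node o : pts[a]) if (pts[b].count(o)) return true; return false; }
};
// Constructed program: p=&s; q=&p->f1; r=&p->f0; t=q; pp=&cell; *pp=t; u=*pp (p1 q2 r3 t4 u5 pp6 s100 cell101)
Andersen runExample() {
    Andersen a;   // result: q, t and u all point to s.f1; r points to s.f0 and aliases none of them
    a.solve({{ADDR, 1, 100, 0}, {GEP, 2, 1, 1}, {GEP, 3, 1, 0}, {COPY, 4, 2, 0}, {ADDR, 6, 101, 0}, {STORE, 6, 4, 0}, {LOAD, 5, 6, 0}});
    return a;
}
```

Without the GEP rule (field-insensitive), q and r would both receive the whole object s and r would wrongly alias u.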
  • To test your implementation (sanity checks)

| Your implementation | ctest command line |
| --- | --- |
| Your reachability analysis | ctest -R ass1-icfg -VV |
| Your points-to analysis | ctest -R ass1-pta -VV |
| Your taint analysis | ctest -R ass1-taint -VV |
| The entire Assignment-1 | ctest -R ass1 -VV |
  • Debugging tips for printing the points-to sets and the constraint graph. Add -print-pts as an extra option to your ass1 command when you want to print the points-to set of each node to validate your MAYALIAS and NOALIAS results. You can also use -print-constraint-graph to print the constraint graph (nodes and edges), or -dump-constraint-graph to dump it to a dot file that you can view in VSCode.

  • Upload Assignment-1.cpp to UNSW WebCMS for your submission when you have finished this assignment. Your implementation will be evaluated against our 10 internal tests, and you will get full marks if your code passes them all. Our internal tests are private; here we only provide a handful of test cases under Assignment-1/Tests/testcases. You are encouraged to add more test cases of your own to validate the correctness of your implementation.

*You will be working on Assignment-1.cpp only; there is NO need to modify other files under the Assignment-1 folder.

3. Configuration && debugging

To enable debugging and running, switch your executable by setting the program and args fields as described here, or follow the screenshot below.

3.2 Debug your code

*If an assertion fails or the output is unexpected, you will need to debug your code to find the bug.

Step 1: Set a breakpoint where you want your program to stop and press the 'debug' button.

Step 2: 'Step over' / 'Step in' / 'Step out'

  • 'Step over' executes the current line and stops at the next line of your program, without entering any function it calls
  • 'Step in' enters the function called on the current line of your program
  • 'Step out' runs until the current function returns, back to the line you stepped in from

Step 3: During debugging, you can also watch the value of a variable you are interested in.


More information about C++
