a type system for format strings
play

A Type System for Format Strings Konstantin Weitz weitzkon@uw.edu - PowerPoint PPT Presentation

Sep 25, 2022 •195 likes •791 views

A Type System for Format Strings Konstantin Weitz weitzkon@uw.edu Gene Kim genelkim@uw.edu Siwakorn Srisakaokul ping128@uw.edu Michael D. Ernst mernst@uw.edu 1 Format String APIs printf(name: %s age: %d, Konstantin, 25);

  1. A Type System for Format Strings Konstantin Weitz weitzkon@uw.edu Gene Kim genelkim@uw.edu Siwakorn Srisakaokul ping128@uw.edu Michael D. Ernst mernst@uw.edu 1

  2. Format String APIs printf(“name: %s age: %d”, “Konstantin”, 25); “name: Konstantin age: 25” 2

  3. Format String APIs printf(“name: %s age: %d”, “Konstantin”, 25); “name: Konstantin age: 25” Problem: easy to misuse 3

  4. Implications of Misuse ● Unintelligible Output printf(“cannot open %s”); > cannot open �oN� 4

  5. Implications of Misuse ● Unintelligible Output ● Program Crash printf(“%d”, “str”); 5

  6. Implications of Misuse ● Unintelligible Output ● Program Crash ● Security Vulnerability printf(“%.*d%n”, attack_code, 0, return_addr); 6

  7. Root Causes of Misuse ● Invalid Format String Syntax printf(“%y”); 7

  8. Root Causes of Misuse ● Invalid Format String Syntax ● Wrong Number of Arguments printf(“%d %s”, 42); 8

  9. Root Causes of Misuse ● Invalid Format String Syntax ● Wrong Number of Arguments ● Wrong Type of Arguments printf(“%d”, 7.0); 9

  10. Goal Statically guarantee that format methods are not misused 10

  11. Goal Statically guarantee that format methods are not misused ● Verify Format String Syntax 11

  12. Goal Statically guarantee that format methods are not misused ● Verify Format String Syntax ● Verify Number of Arguments 12

  13. Goal Statically guarantee that format methods are not misused ● Verify Format String Syntax ● Verify Number of Arguments ● Verify Type of Arguments 13

  14. Goal Statically guarantee that format methods are not misused ● Verify Format String Syntax ● Verify Number of Arguments ● Verify Type of Arguments ● Ease of Use 14

  15. Types Prevent Errors var fs; printf(fs, 5); 15

  16. Types Prevent Errors var fs; fs = 42; fs = “%y”; fs = “%d %c”; fs = “%f”; fs = “%d”; printf(fs, 5); 16

  17. Types Prevent Errors var fs; fs = 42; fs = “%y”; // invalid syntax fs = “%d %c”; // invalid number of args fs = “%f”; // invalid type of args fs = “%d”; printf(fs, 5); 17

  18. Types Prevent Errors String fs; fs = 42; fs = “%y”; // invalid syntax fs = “%d %c”; // invalid number of args fs = “%f”; // invalid type of args fs = “%d”; printf(fs, 5); 18

  19. Types Prevent Errors @Format String fs; fs = 42; fs = “%y”; // invalid syntax fs = “%d %c”; // invalid number of args fs = “%f”; // invalid type of args fs = “%d”; printf(fs, 5); 19

  20. Types Prevent Errors @Format(INT) String fs; fs = 42; fs = “%y”; // invalid syntax fs = “%d %c”; // invalid number of args fs = “%f”; // invalid type of args fs = “%d”; printf(fs, 5); 20

  21. Types Prevent Errors Conversion Category @Format(INT) String fs; fs = 42; fs = “%y”; // invalid syntax fs = “%d %c”; // invalid number of args fs = “%f”; // invalid type of args fs = “%d”; printf(fs, 5); 21

  22. Java Conversion Categories printf (“%d”, (T)v ); T ∈ = {Byte, Short, Integer, Long} 22

  23. Java Conversion Categories printf (“%f”, (T)v ); T ∈ = = {Byte, Short, Integer, Long} {Float, Double} 23

  24. Java Conversion Categories printf (“%s”, (T)v ); T ∈ = {Object, ...} = = {Byte, Short, Integer, Long} {Float, Double} 24

  25. Java Conversion Categories = {Object, ...} = = {Byte, Short, Integer, Long} {Float, Double} 25

  26. Java Conversion Categories = {Object, ...} = = {Byte, Short, Integer, Long} {Float, Double} 26

  27. Java Conversion Categories 27

  28. Subtyping @Format(FLOAT) String fs; printf (fs, 3.14); 28

  29. Subtyping @Format(FLOAT) String fs; fs = “%f” // ok fs = “%s” // ok: %s weaker than %f fs = “ ” // ok: argument ignored printf (fs, 3.14); 29

  30. Subtyping @Format(FLOAT) String fs; fs = “%f” // ok fs = “%s” // ok: %s weaker than %f fs = “ ” // ok: argument ignored printf (fs, 3.14); 30

  31. Subtyping @Format(FLOAT) String fs; fs = “%f” // ok fs = “%s” // ok: %s weaker than %f fs = “ ” // ok: argument ignored printf (fs, 3.14); 31

  32. Polymorphism void log(String fs, Object... args) { printf(fs, args); } log(“%f”, 3.14); log(“%d”, 1337); 32

  33. Polymorphism void log(@FormatFor(“args”) String fs, Object... args) { printf(fs, args); } log(“%f”, 3.14); log(“%d”, 1337); 33

  34. Complex Format Strings @Format(FLOAT,GENERAL) String fs = “%2$s = %1$+10.4f”; printf(fs, 3.14, “pi”); 34

  35. Type System Instantiation ● C's printf API “%s” ● Go's fmt module “%[1]s” ● Java's i18n API “{0}” ● Java's Formatter API “%1$s” 35

  36. Goal Statically guarantee that format methods are not misused ● Verify Format String Syntax ● Verify Number of Arguments ● Verify Type of Arguments ● Ease of Use 36

  37. Goal Statically guarantee that format methods are not misused ✔ Verify Format String Syntax ● Verify Number of Arguments ● Verify Type of Arguments ● Ease of Use 37

  38. Goal Statically guarantee that format methods are not misused ✔ Verify Format String Syntax ✔ Verify Number of Arguments ✔ Verify Type of Arguments ● Ease of Use 38

  39. Goal Statically guarantee that format methods are not misused ✔ Verify Format String Syntax ✔ Verify Number of Arguments ✔ Verify Type of Arguments ● Ease of Use ? 39

  40. Evaluation Project LoC Bugs Submit Fixed Hadoop 678k 3 2 Hive 538k 1 0 Lucene 664k 0 0 HBase 569k 2 2 Daikon 205k 95 95 FindBugs 122k 3 3 Total 2777k 104 102 Total 40

  41. Evaluation - Usage Efgort Project Format Type Annotations False Positives Bugs Calls @Format @FormatFor @Suppress Warnings Hadoop 332 20 6 22 3 Hive 213 0 1 7 1 Lucene 148 2 0 0 0 HBase 96 0 0 1 2 Daikon 1583 0 30 7 95 FindBugs 133 7 1 3 3 Total 2505 29 38 40 104 Total 41

  42. Evaluation - Usage Efgort Project Format Type Annotations False Positives Bugs Calls @Format @FormatFor @Suppress Warnings Hadoop 332 20 6 22 3 Hive 213 0 1 7 1 Lucene 148 2 0 0 0 HBase 96 0 0 1 2 Daikon 1583 0 30 7 95 FindBugs 133 7 1 3 3 Total 2505 29 38 40 104 Total Annotation Burden 107 42

  43. Evaluation - Usage Efgort Project Format Type Annotations False Positives Bugs Calls @Format @FormatFor @Suppress Warnings Hadoop 332 20 6 22 3 Hive 213 0 1 7 1 Lucene 148 2 0 0 0 HBase 96 0 0 1 2 Daikon 1583 0 30 7 95 FindBugs 133 7 1 3 3 Total 2505 29 38 40 104 Total Annotation Burden 107 Bugs Revealed 104 43

  44. Evaluation - Usage Efgort Project Format Type Annotations False Positives Bugs Calls @Format @FormatFor @Suppress Warnings Hadoop 332 20 6 22 3 Hive 213 0 1 7 1 Lucene 148 2 0 0 0 HBase 96 0 0 1 2 Daikon 1583 0 30 7 95 FindBugs 133 7 1 3 3 Total 2505 29 38 40 104 Total Annotation Burden 107 = = 1.0 Bugs Revealed 104 44

  45. Evaluation - Usage Efgort Project Format Type Annotations False Positives Bugs Calls @Format @FormatFor @Suppress Warnings Hadoop 332 20 6 22 3 Hive 213 0 1 7 1 Lucene 148 2 0 0 0 HBase 96 0 0 1 2 Daikon 1583 0 30 7 95 FindBugs 133 7 1 3 3 Total 2505 29 38 40 104 Total 45

  46. Evaluation – False Positives Project Constant Dynamic Exception Misc Propagation Width Handled Hadoop 10 6 0 6 Hive 3 2 1 1 Lucene 2 0 0 0 HBase 0 0 0 1 Daikon 0 6 0 1 FindBugs 0 0 3 0 Total 13 14 4 9 Total 46

  47. Evaluation – False Positives Project Constant Dynamic Exception Misc Propagation Width Handled Hadoop 10 6 0 6 Hive 3 2 1 1 Lucene 2 0 0 0 HBase 0 0 0 1 Daikon 0 6 0 1 FindBugs 0 0 3 0 Total 13 14 4 9 Total printf(“%”+“d”, 42); 47

  48. Evaluation – False Positives Project Constant Dynamic Exception Misc Propagation Width Handled Hadoop 10 6 0 6 Hive 3 2 1 1 Lucene 2 0 0 0 HBase 0 0 0 1 Daikon 0 6 0 1 FindBugs 0 0 3 0 Total 13 14 4 9 Total String fs = “%” + width + “d”; printf(fs, 42); 48

  49. Evaluation – False Positives Project Constant Dynamic Exception Misc Propagation Width Handled Hadoop 10 6 0 6 Hive 3 2 1 1 Lucene 2 0 0 0 HBase 0 0 0 1 Daikon 0 6 0 1 FindBugs 0 0 3 0 Total 13 14 4 9 Total try { printf(userInput, 4.12); } catch (FormatExp e) { /*error handling*/ } 49

  50. Evaluation – False Positives Project Constant Dynamic Exception Misc Propagation Width Handled Hadoop 10 6 0 6 Hive 3 2 1 1 Lucene 2 0 0 0 HBase 0 0 0 1 Daikon 0 6 0 1 FindBugs 0 0 3 0 Total 13 14 4 9 Total <T> void f(String fs, Iterator<T> iter) { System.out.format(fs, iter.next()); } 50

  51. Goal Statically guarantee that format methods are not misused ✔ Verify Format String Syntax ✔ Verify Number of Arguments ✔ Verify Type of Arguments ● Ease of Use 51

  52. Goal Statically guarantee that format methods are not misused ✔ Verify Format String Syntax ✔ Verify Number of Arguments ✔ Verify Type of Arguments ✔ Ease of Use 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 9 Strings 1 C-Strings vs C++ Strings T wo string types: C-strings Array

Chapter 9 Strings 1 C-Strings vs C++ Strings T wo string types: C-strings Array

Chapter 9 Strings 1 C-Strings vs C++ Strings T wo string types: C-strings Array with base type char End of string marked with null, \0 Older method inherited from C C++ strings Objects of string class 2

469 views • 18 slides
HANDOUT 1 Strings STRINGS Weve already introduced the string data type a few lectures ago.

HANDOUT 1 Strings STRINGS Weve already introduced the string data type a few lectures ago.

HANDOUT 1 Strings STRINGS Weve already introduced the string data type a few lectures ago. Strings are subtypes of the sequence data type. Strings are written with either single or double quotes encasing a sequence of characters. s1 =

470 views • 25 slides
A first look at string processing Python Strings Basic data type in Python Strings are

A first look at string processing Python Strings Basic data type in Python Strings are

A first look at string processing Python Strings Basic data type in Python Strings are immutable, meaning they cannot be shared Why? Its complicated, but string literals are very frequent. If strings cannot be changed, then

500 views • 22 slides
Strings &amp; Branching Strings and input We talked about basic types.... what type can store

Strings &amp; Branching Strings and input We talked about basic types.... what type can store

Strings &amp; Branching Strings and input We talked about basic types.... what type can store letters? What about words? Input and output Strings and input char can only hold a single letter/number, but one way to hold multiple is a string

574 views • 22 slides
61A Extra Lecture 4 Announcements Encoding Strings Representing Strings: UTF-8 Encoding 4

61A Extra Lecture 4 Announcements Encoding Strings Representing Strings: UTF-8 Encoding 4

61A Extra Lecture 4 Announcements Encoding Strings Representing Strings: UTF-8 Encoding 4 Representing Strings: UTF-8 Encoding UTF (UCS (Universal Character Set) Transformation Format) 4 Representing Strings: UTF-8 Encoding UTF (UCS

1.62k views • 99 slides
with f-Strings Format Stings in Python Building up str values via concatenation can involve a

with f-Strings Format Stings in Python Building up str values via concatenation can involve a

String Interpolation with f-Strings Format Stings in Python Building up str values via concatenation can involve a lot of syntax (and work)! Especially when you're concatenating non-str types and must construct str values Python has a

264 views • 4 slides
Morteza Noferesti No explicit type, instead strings are maintained as arrays of characters

Morteza Noferesti No explicit type, instead strings are maintained as arrays of characters

Morteza Noferesti No explicit type, instead strings are maintained as arrays of characters Representing strings in C stored in arrays of characters array can be of any length end of string is indicated by a delimiter , the zero

690 views • 43 slides
Arrays (and strings) Ch 7 Highlights - arrays - string functions string We have been using

Arrays (and strings) Ch 7 Highlights - arrays - string functions string We have been using

Arrays (and strings) Ch 7 Highlights - arrays - string functions string We have been using strings to store words or sentences for a while now However, when we type string x it does not turn blue, as it is not a fundamental type

543 views • 19 slides
V3 1/3/2015 Programming in C 1 Strings Hello is string Weve used strings literal

V3 1/3/2015 Programming in C 1 Strings Hello is string Weve used strings literal

V3 1/3/2015 Programming in C 1 Strings Hello is string Weve used strings literal constant Array with base type char One character per element One extra character: '\0' Called null character End marker

344 views • 8 slides
Lists more versatile sequences l Lists are another sequential data type l But unlike strings,

Lists more versatile sequences l Lists are another sequential data type l But unlike strings,

Starting chapter 4 Lists more versatile sequences l Lists are another sequential data type l But unlike strings, lists can hold any type of data (not just characters) are mutable legal to change list elements l Use square

532 views • 19 slides
Introduction to C Programming Characters and Strings Waseda University Todays Topics

Introduction to C Programming Characters and Strings Waseda University Todays Topics

Introduction to C Programming Characters and Strings Waseda University Todays Topics Characters and Strings ASCII (American Standard Code for Information Interchange) Type of char Strings (special character Y0 or \ 0)

711 views • 13 slides
Sequences Motivation for this Video Series Strings are a very, very useful type But they

Sequences Motivation for this Video Series Strings are a very, very useful type But they

Module 15 Sequences Motivation for this Video Series Strings are a very, very useful type But they are also very limited Break everything into individual letters What if we want to work with numbers? Or if want to work with

602 views • 35 slides
C PROGRAMMING Characters and Strings File Processing Exercise CHARACTERS AND STRINGS

C PROGRAMMING Characters and Strings File Processing Exercise CHARACTERS AND STRINGS

C PROGRAMMING Characters and Strings File Processing Exercise CHARACTERS AND STRINGS A single character defined using the char variable type Character constant is an int value enclosed by single quotes E.g. a

654 views • 27 slides
Intro to Strings Lecture 7 COP 3252 Summer 2017 May 23, 2017 Strings in Java In Java, a

Intro to Strings Lecture 7 COP 3252 Summer 2017 May 23, 2017 Strings in Java In Java, a

Intro to Strings Lecture 7 COP 3252 Summer 2017 May 23, 2017 Strings in Java In Java, a string is an object. It is not a primitive type. The String class is used to create and store immutable strings. Immutable objects are objects

465 views • 20 slides
Strings String: Text as a Value String are quoted characters Type : str 'abc d' (Python

Strings String: Text as a Value String are quoted characters Type : str 'abc d' (Python

Mini-Lecture 5 Strings String: Text as a Value String are quoted characters Type : str 'abc d' (Python prefers) &quot;abc d&quot; (most languages) How to write quotes in quotes? Char Meaning \' single quote Delineate with

449 views • 9 slides
Strings Testing for equality with strings. Lexicographic ordering of strings. Other

Strings Testing for equality with strings. Lexicographic ordering of strings. Other

Strings Testing for equality with strings. Lexicographic ordering of strings. Other string methods. 1 Strings and Testing for Equality The == operator is also not appropriate for determining if two objects , such as strings, have

380 views • 13 slides
Using Functional Load for Optimizing DPGMM based Zero Resource Sub-word Unit Discovery Bin Wu 1 ,

Using Functional Load for Optimizing DPGMM based Zero Resource Sub-word Unit Discovery Bin Wu 1 ,

Using Functional Load for Optimizing DPGMM based Zero Resource Sub-word Unit Discovery Bin Wu 1 , Sakriani Sakti 1,2 , Jinsong Zhang 3 and Satoshi Nakamura 1,2 {wu.bin.vq9,ssakti,s-nakamura}@is.naist.jp, jinsong.zhang@blcu.edu.cn 1. Nara

429 views • 23 slides
AlsaModularSynth An instrument for the electrified virtuoso Matthias Nagorni, SUSE Linux AG,

AlsaModularSynth An instrument for the electrified virtuoso Matthias Nagorni, SUSE Linux AG,

AlsaModularSynth An instrument for the electrified virtuoso Matthias Nagorni, SUSE Linux AG, Nrnberg, Germany 30. April 2004 Surprisingly, it was already in the early days of electronic music that its most expressive exponent was invented:

872 views • 17 slides
Waveform Generation From phones, durations, F0 to waveforms 11-752, LTI, Carnegie Mellon Types

Waveform Generation From phones, durations, F0 to waveforms 11-752, LTI, Carnegie Mellon Types

Waveform Generation From phones, durations, F0 to waveforms 11-752, LTI, Carnegie Mellon Types of synthesis Articulartory: model the human vocal tract Formant: model the voice signal Concatenative: diphones, unit selection

297 views • 18 slides
Perceiving Prosody in Sinewave Speech A Sine of the Times Yasmine Sukola and Lissette

Perceiving Prosody in Sinewave Speech A Sine of the Times Yasmine Sukola and Lissette

Perceiving Prosody in Sinewave Speech A Sine of the Times Yasmine Sukola and Lissette Vizcarrondo Mentor: J. Nissenbaum Ph.D. NSF Grant No. 1659607 Formants. What are they and why are they so important? Formants are vocal tract resonances that

356 views • 24 slides
Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Integer overflows and sign errors Adding,

756 views • 42 slides
CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about risk analysis and

426 views • 29 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 41: a few more %cs would be needed to skip format string part 1 last time: pointer subterfuge pointer subterfuge

1.25k views • 78 slides

More recommend