mining debian maintainer scripts
play

Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen - PowerPoint PPT Presentation

Feb 12, 2024 •157 likes •581 views

Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Yann R egis-Gianas IRIF, Universit e Paris-Diderot July 31, 2018

  1. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Yann R´ egis-Gianas IRIF, Universit´ e Paris-Diderot July 31, 2018 Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  2. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Plan 1 Intro 2 A First Step: A Static Parser for Shell Scripts 3 Statistical Analysis of Scripts 4 Findings 5 Conclusion Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  3. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Maintainer Scripts in Debian Maintainer Scripts A .deb package contains two sets of files: 1 a set of files to install on the system when the package is installed, 2 and a set of files that provide additional metadata about the package or which are executed when the package is installed or removed. [ . . . ] Among those files are the package maintainer scripts [ . . . ] (Debian Policy, introduction to ch. 3) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  4. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Maintainer Scripts in Debian Different Maintainer Scripts Roughly: preinst executed before the package is unpacked postinst executed after the package is unpacked prerm executed before the package is removed postrm executed after the package is removed Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  5. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Maintainer Scripts in Debian Breakdown by File Type Sid amd64, as of 2018-05-23: 31.302 total (post | pre)(inst | rm) 10.737 are at least in part written by hand 31.048 POSIX shell 231 Bash 16 perl 5 ASCII (shell scripts without #! line) 2 ELF executables (preinst of bash and dash) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  6. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Maintainer Scripts in Debian What Policy (Section10.4) says Not required to be shell scripts csh and tcsh discouraged Should start on #! Should use set -e Posix standard 1-2017 with some embellishments: echo , when built-in, must support -n test , when built-in, must support -a and -o local scopes arguments to kill and trap We will focus on Posix(+debian)-shell scripts Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  7. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion The CoLiS project Our goal Formal analysis of debian maintainer scripts Formal analysis is not testing: we aim at an assurance of correctness in any possible situation (program verification) Possible outcome: assertion of correctness (in an abstracted model), or detection of possible bugs. This talk: First findings from a syntactical analysis of maintainer scripts. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  8. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Why parsing POSIX shell is hard Designed for parsing and expanding on the fly Requires context-sensitive, and sometimes speculative parsing Words may be keywords according to context Assignment words are recognized depending on the context Here documents Actually undecidable in case of unrestricted use of alias Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  9. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion The Morbig parser for POSIX shell https://github.com/colis-anr/morbig Written in OCaml, uses the Menhir parser generator Speculative parsing and parse state introspection High-level code close to the POSIX specification See our presentation at FOSDEM’18 and minidebconf Hamburg’18 Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  10. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Concrete Syntax Trees produced by Morbig type complete_command = | CompleteCommand_CList_Separator of clist ’ * separator ’ | CompleteCommand_CList of clist ’ | CompleteCommand_Empty and complete_command_list = complete_command list and clist = | CList_CList_SeparatorOp_AndOr of clist ’ * separator_op ’ * and_or ’ | CList_AndOr of and_or ’ and and_or = | AndOr_Pipeline of pipeline ’ | AndOr_AndOr_AndIf_LineBreak_Pipeline of and_or ’ * linebreak ’ * pipeline ’ | AndOr_AndOr_OrIf_LineBreak_Pipeline of and_or ’ * linebreak ’ * pipeline ’ ........ types for concrete syntax trees (parse trees) corresponds directly to the grammar in the POSIX standard ∼ 50 recursive type definitions Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  11. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Visitors Imagine we want to code a tree traversal. 50 different types ⇒ we have to code 50 functions to traverse a syntax tree?? The visitor design pattern comes to the rescue: Visitors (iter, map, reduce, . . . ) are automatically generated thanks to a syntax extension ( libppx-visitors-ocaml-dev ) Late Binding (as opposed to static binding) allows us to override only those of the functions that need to do interesting stuff. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  12. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion A glimpse at the tool: shstats https://github.com/colis-anr/shstats works on the concrete syntax trees produced by morbig expander preprocessor attempts to expand parameters the values of which are statically known (see later). it is easy to add analyzer modules. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  13. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Example: find scripts with ”$” in words (1) let options = [] and name = "dollar" let dollar_scripts = ref ([]: string list) let process_script filename cst = let detect_dollar = object (self) inherit [_] Libmorbig.CST.reduce as super method zero = false method plus = (||) method! visit_word _env word = String.contains (UnQuote.on_string (unWord word )) ’$’ end in if detect_dollar # visit_complete_command_list () cst then dollar_scripts := filename ::! dollar_scripts Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  14. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Example: find scripts with ”$” in words (2) let output_report report = Report.add report "* Number of scripts with $ after expansion: %n\n" (List.length ! scripts_with_dollar ); Report.add report "** Files :\n"; List.iter (function scriptname -> Report.add report " - %s\n" (Report. link_to_source report scriptname )) ! scripts_with_dollar Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  15. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Why tree traversal is useful here Counting occurrences of $ could have been done by grep . . . Except for $ in comments, inside quotes, here documents without expansion, . . . Tree traversal allows us to expand some of the variables More complicated things are possible, i.e. exclude variables of for loops. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  16. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Preprocessing: expand variable definitions when possible 1 x=1 2 if foo; then Static expansion finds: 3 y=2 4 echo $x $y line 4: x=1, y=2 5 else line 7: x=1, y=3 6 y=3 7 echo $x $y line 9: x=1 8 fi 9 echo $x $y Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  17. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion So you think you understand assignments in shell? Which value is printed by a script containing this fragment: x=1 x=2 foo echo $x Possible choices: 1 1 2 2 3 73 4 Syntax error 5 It depends Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

  18. Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion If that was too easy... What does the following script print: x=a x=b y=$x${z:=c} echo $x # $ y# $ z echo $x # $ y# $ z Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e Paris-Diderot Mining Debian Maintainer Scripts

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
D e b c o n f 1 6 LTTng: Kernel and userspace tracing in Debian mjeanson@effjcios.com

D e b c o n f 1 6 LTTng: Kernel and userspace tracing in Debian mjeanson@effjcios.com

D e b c o n f 1 6 LTTng: Kernel and userspace tracing in Debian mjeanson@effjcios.com w h o a mi Michael Jeanson, Software developer @ EffjciOS Debian Maintainer Ubuntu Member Fedora Packager Offjcial and

894 views • 20 slides
Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20

Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20

Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20 000 source packages ~13 architectures 3 kernels The biggest database of FLOSS code (?) The Debile Project January, 19th 2014 Sylvestre Ledru

571 views • 25 slides
The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008

The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008

The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008 Outline Some bits about me Project goals, design & features Debian and Debian Edu Development model and tools Debian Edu Etch

582 views • 36 slides
Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to

Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to

Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to Debian CI autopkgtest created back in 2006 (!) 2014: Debian CI launches Goal: provide automated testing for the Debian archive (i.e. run

816 views • 68 slides
Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day

Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day

Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day Definitions Distribution a set of OS kernel and supporting software in a defined format with the possibility of some integration by adjusting

134 views • 12 slides
spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian Developer since 2003 Listmaster Alioth Admin Maintainer of packages like iproute, icinga, nagios and a lot of other useless stu ff

219 views • 20 slides
Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell <msp@debian.org> Introduction

Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell <msp@debian.org> Introduction

Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell <msp@debian.org> Introduction Introduction The Debian KDE Extras Team maintain a portfolio of extra application packages for Debian GNU/Linux outside the KDE core applications

554 views • 18 slides
Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org,

Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org,

Conte udo Como criar um Distribui c ao Personalizada Debian Debian-BR-CDD Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org, enrico@debian.org Congreso Internacional de Software Livre - 2 Edi

532 views • 25 slides
Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

apoikos@debian.org Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos DebConf16 - Cape Town 2016-07-04 Outline Introduction Installation Configuration management Package management People 2/26

697 views • 27 slides
Debian Derivatives P r e s e n t a t i o n / B o F D e b C o n f 1 6 , C

Debian Derivatives P r e s e n t a t i o n / B o F D e b C o n f 1 6 , C

Debian Derivatives P r e s e n t a t i o n / B o F D e b C o n f 1 6 , C a p e T o w n Debian Derivatives Hctor Orn Martnez <hector.oron@collabora.co.uk> <zumbi@debian.org> Works for Collabora

511 views • 15 slides
Secret Debian Internals Enrico Zini enrico@debian.org 25 February 2007 Enrico Zini

Secret Debian Internals Enrico Zini enrico@debian.org 25 February 2007 Enrico Zini

Secret Debian Internals Enrico Zini enrico@debian.org 25 February 2007 Enrico Zini enrico@debian.org Secret Debian Internals BTS Where to find it Source code: bzr branch http://bugs.debian.org/debbugs-source/mainline/ Data on merkel at

370 views • 16 slides
The Ultimate Debian Database Consolidating Bazaar Metadata for Quality Assurance and Data Mining

The Ultimate Debian Database Consolidating Bazaar Metadata for Quality Assurance and Data Mining

The Ultimate Debian Database Consolidating Bazaar Metadata for Quality Assurance and Data Mining Lucas Nussbaum and Stefano Zacchiroli LORIA, University of Nancy, France Universit Paris Diderot, PPS, France Lucas Nussbaum and

401 views • 21 slides
Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

298 views • 15 slides
Debian 8.0 AKA jessie Michael Prokop Facts 1/3 Debian 8, codename jessie 2 years

Debian 8.0 AKA jessie Michael Prokop Facts 1/3 Debian 8, codename jessie 2 years

Debian 8.0 AKA jessie Michael Prokop Facts 1/3 Debian 8, codename jessie 2 years after Debian 7, codename wheezy (2013-05-04) Release Date: 2015-04-25 [party!] 75 supported languages 4.841 new source packages

587 views • 19 slides
Experiences made with the DebConf video-team or the making of http://debian-meetings.debian.net

Experiences made with the DebConf video-team or the making of http://debian-meetings.debian.net

Experiences made with the DebConf video-team or the making of http://debian-meetings.debian.net /pub/debian-meetings/ by Holger Levsen Sydney Linux User Group, January 22 nd 2007 Outline whoami project aims and features software

472 views • 19 slides
INTRODUCING OSSEC host-based IDS Saturday 21 st November, 2015 Theresa Meiksner BSidesVienna

INTRODUCING OSSEC host-based IDS Saturday 21 st November, 2015 Theresa Meiksner BSidesVienna

INTRODUCING OSSEC host-based IDS Saturday 21 st November, 2015 Theresa Meiksner BSidesVienna 0x7DF (2015) Overview 1. What is OSSEC? 2. Architectural overview 3. Why do we need log analysis? 4. How to detect a rootkit with OSSEC? 5. ELK

651 views • 20 slides
Welcome to the Routing wg at RIPE 74 Joo Damas, Paolo Moroni Agenda A. Welcome. 5

Welcome to the Routing wg at RIPE 74 Joo Damas, Paolo Moroni Agenda A. Welcome. 5

Welcome to the Routing wg at RIPE 74 Joo Damas, Paolo Moroni Agenda A. Welcome. 5 Thanks to the scribe, jabber scribe and stenographer. Microphone etiquette. Minutes from RIPE 73. B. IRR Filtering at IXP Route Servers. 30 Erik

264 views • 4 slides
Distributed ephemeral log service Log entries are replicated,dispersed See Ivy,

Distributed ephemeral log service Log entries are replicated,dispersed See Ivy,

Distributed ephemeral log service Log entries are replicated,dispersed See Ivy, Palimpsest papers. Nodes can append to their own log Can read any log Nodes implement FIFO queue of log entries Old entries fall off the

435 views • 5 slides
ELEC / COMP 177 Fall 2015 Some slides from Kurose

ELEC / COMP 177 Fall 2015 Some slides from Kurose

ELEC / COMP 177 Fall 2015 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Project 2 Python HTTP Server v2 Starts

426 views • 26 slides
Polish NGI: PL-Grid www.plgrid.pl/en Marcin Radecki EGI-InSPIRE SA1 Kickoff Meeting 1

Polish NGI: PL-Grid www.plgrid.pl/en Marcin Radecki EGI-InSPIRE SA1 Kickoff Meeting 1

Polish NGI: PL-Grid www.plgrid.pl/en Marcin Radecki EGI-InSPIRE SA1 Kickoff Meeting 1 PL-Grid Project Establish and manage Polish e-Infrastructure for supporting Computational Science in European Research Space, 2009- 2011, 20M

212 views • 19 slides
Mining Patterns and Building Classifiers From Software Data: Addressing Soft. Maintenance &

Mining Patterns and Building Classifiers From Software Data: Addressing Soft. Maintenance &

Mining Patterns and Building Classifiers From Software Data: Addressing Soft. Maintenance & Reliability Issues David Lo School of Information Systems Singapore Management University Presentation at UIUC July 31, 2009 1 Motivation:

693 views • 58 slides
M33TFINDER: DIsclosINg coRpoRaTE sEcRETs VIa VIDEocoNFERENcEs Ing. Yamila Levalle @ylevalle Ing.

M33TFINDER: DIsclosINg coRpoRaTE sEcRETs VIa VIDEocoNFERENcEs Ing. Yamila Levalle @ylevalle Ing.

M33TFINDER: DIsclosINg coRpoRaTE sEcRETs VIa VIDEocoNFERENcEs Ing. Yamila Levalle @ylevalle Ing. Yamila Levalle @ylevalle

400 views • 16 slides
Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 1, 2011 Announcements Midterm next Tuesday March 8th Scope is course

820 views • 78 slides

More recommend