
Summary-based Interprocedure Analysis For C++

Posted on: 2018-04-19
Degree: Master
Type: Thesis
Country: China
Candidate: L S Wang
GTID: 2348330512483002
Subject: Computer software and theory

Abstract/Summary:
In modern software engineering, code security has become a problem that cannot be ignored. To ensure code security, a series of code analysis methods have been proposed, but interprocedural analysis still has many shortcomings. Interprocedural analysis currently falls into two kinds: summary-based interprocedural analysis and inline-based interprocedural analysis. To achieve context sensitivity, traditional summary-based interprocedural analysis needs a lot of memory to store state information, and it can only extract the function information that corresponds to a particular vulnerability. By comparison, symbolic summary-based interprocedural analysis collects only one symbolic function summary for each function, so its memory cost is relatively low. However, existing symbolic summary-based interprocedural analysis is not path-sensitive and does not have good scalability.

Based on the traditional symbolic summary-based interprocedural analysis model and on symbolic execution, this paper presents a state-based, path-sensitive, symbolic summary-based interprocedural analysis algorithm. The algorithm uses the symbolic program state as the summary information of a function. The program state stores the path condition that the program state needs to satisfy, and the path condition uses a set of propositional logic formulas to represent the branches and their corresponding path condition information. The algorithm is divided into three parts: the creation of the function summary, the instantiation of the function summary, and the application of the function summary. Creating a function summary is a process of intraprocedural analysis: the symbolic program state is collected as a summary of the function at the end of the analysis of each path. During this analysis, bug information that cannot be determined because the contextual information is missing is recorded, and the error is reported when the function summary is applied. To instantiate a function summary, the summary is instantiated with the context information at the call site, and the valid program states are selected as the effective function summary based on the instantiated path condition. To apply a function summary, the side effects of the valid function summary are applied to the context of the corresponding call site, and errors are reported according to the specific circumstances.

In addition, this paper presents a cross-translation-unit analysis algorithm based on serialized storage of the abstract syntax tree (AST). The algorithm first compiles each compilation unit, collects the AST of each compilation unit, and stores it in serialized form. During intraprocedural analysis, when a call to an external function is encountered, the AST corresponding to that function is deserialized, and the control flow graph (CFG) of the called function is then created to complete the subsequent interprocedural analysis.

Finally, based on the Clang Static Analyzer, this paper implements the state-based, path-sensitive, symbolic summary-based interprocedural analysis algorithm and the cross-translation-unit analysis algorithm based on serialized AST storage. Experiments show that both algorithms have certain advantages.
Keywords/Search Tags: static analysis, interprocedural analysis, function summary, symbolic execution, Clang Static Analyzer
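The three phases named in the abstract (creation, instantiation and application of a function summary) can be shown on a toy model. This is an added illustration, not code from the thesis or from the Clang Static Analyzer. The `State` record, the `(formal, op, constant)` atom encoding, the analysed `deref` function and its hand-written summary are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed function under analysis (C):
#   int deref(int *p, int flag) { if (flag) return *p; return 0; }

@dataclass(frozen=True)
class State:
    """One symbolic end-of-path program state; a summary is a list of these."""
    path_cond: tuple          # conjunction of (formal, op, constant) atoms
    ret: object               # symbolic or concrete return value
    deferred_bug: tuple = ()  # (message, atom): undecidable without caller context

# 1. Creation: intraprocedural analysis yields one state per path (hand-written here).
DEREF_SUMMARY = [
    State((("flag", "!=", 0),), "*p", ("null dereference of p", ("p", "==", 0))),
    State((("flag", "==", 0),), 0),
]

def eval_atom(atom, ctx):
    """Three-valued result: True/False, or None when the actual value is unknown."""
    formal, op, const = atom
    actual = ctx.get(formal)
    if actual is None:
        return None
    return (actual == const) if op == "==" else (actual != const)

def instantiate(summary, ctx):
    """2. Instantiation: bind formals to call-site actuals, keep feasible states."""
    return [s for s in summary
            if all(eval_atom(a, ctx) is not False for a in s.path_cond)]

def apply_summary(summary, ctx):
    """3. Application: results of valid states plus deferred bugs now decidable."""
    rets, reports = [], []
    for s in instantiate(summary, ctx):
        rets.append(s.ret)
        if s.deferred_bug and eval_atom(s.deferred_bug[1], ctx) is True:
            reports.append(s.deferred_bug[0])
    return rets, reports

if __name__ == "__main__":
    # Call site deref(NULL, 1): only the dereferencing path is feasible.
    print(apply_summary(DEREF_SUMMARY, {"p": 0, "flag": 1}))
```

The same summary is reused at every call site. Only the context dictionary changes, which is why the deferred null-dereference is reported for `deref(NULL, 1)` but not for `deref(NULL, 0)`.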