LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

LCA: The Trinity fuzz tester

LCA: The Trinity fuzz tester

Posted Feb 6, 2013 22:06 UTC (Wed) by mmeehan (subscriber, #72524)
Parent article: LCA: The Trinity fuzz tester

It'd be really interesting (and likely equally challenging) to use the Trinity annotations and sanitise code to perform static analysis on userspace programs. With all the effort that must go into generating a formal definitiion around system calls there must be other ways of exposing/using that data usefully.

(Log in to post comments)

Code annotations for static analysis in user-space

Posted Feb 7, 2013 1:43 UTC (Thu) by michaelr (subscriber, #73025) [Link]

Annotating source code to do static analysis is not new to practical user-space programs. Microsoft has long used and advocated its Static Annotation Language (http://msdn.microsoft.com/en-us/library/ms182032.aspx), which captures many of the same concepts as Trinity's annotation system.

SAL annotates the function prototypes directly; the nearest equivalent to the madvise() Trinity annotation above would be something like: 
int madvise(
  _In_reads_bytes_(length) void *addr,
  _In_ size_t length,
  _In_ _In_range_(MADV_NORMAL, MADV_UNMERGEABLE) int advice
);
The _In_reads_bytes_(length) tag on addr captures the Trinity annotations for both addr and length. I've assumed that MADV_NORMAL is the numerically lowest advice value and MADV_UNMERGEABLE is the highest, as SAL doesn't deal well with enumeration constants that aren't defined in an enum type.

Microsoft requires use of SAL in all its C and C++ code as part of its Security Development Lifecycle (http://msdn.microsoft.com/en-us/library/windows/desktop/cc307398.aspx), and advocates its uses by third-party application and driver developers on Windows. I don't know whether they use it for fuzzing guidance as Trinity does, but I do know that they have at least two static analyzers that understand it (one of which ships with recent versions of their compiler) and they feel it to have helped tremendously in writing more secure code.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds