Tracking Non Atomic Data Types

In general, processes do not execute atomically, since the operating system may interrupt processes between essentially any two instructions, allowing other processes to run. If your application's process is not prepared for these interruptions, another process may be able to interfere with it, causing the data structures to end up in inconsistent states if arbitrary code is executed between them.

A non atomic condition is a vulnerability to interference caused by untrusted processes. These are conditions caused by processes running other, different programs, which introduce other actions between steps of the program. These other programs might be invoked by an attacker.

This use case illustrates how to use Ocular to analze for non atomic data types, using the FreeRTOS real-time operating system kernel as the example target application.

Downloading the FreeRTOS Application

Download the FreeRTOS application and unzip the source code into the Ocular subjects directory, for example subjects/FreeRTOS.

Creating the FreeRTOS Application CPG

importCpg("subjects/FreeRTOS")

FreeRTOS's CPG is automatically loaded into memory and your workspace.

Declaring an Array of Primitive Types

val primitiveTypes = List("int", "float", "double", "void", "size_t", "ANY", "void", "char", "short")

Calling a Convenience Function to get LineNumber

def getLineNumber(ln : Option[Integer]) = (ln match { case Some(x) => x ; case None => 0 }).asInstanceOf[Int]

Declaring a Data Structure of User Defined Types

case class UDT(uType : String, uName : String, methodName : String, fileName : String, lineNumber : Integer)

Acquiring all Identifiers into UDT Data Structure

Negative filter on primitive types.

val udtList = cpg.identifier.l.map {
i => UDT(i.typeFullName, i.name, i.start.method.name.l.head, i.start.file.name.l.head, getLineNumber(i.lineNumber))
} filter {
p => !primitiveTypes.exists(e => p.uType.contains(e))
} distinct

Storing Findings in a Multimap Keyed by Identified methodName

import collection.mutable._
val udtMap = new HashMap[String,Set[UDT]] with MultiMap[String,UDT]
udtList.foreach {
item => udtMap.addBinding(item.methodName, item)
}

Storing Findings in a Multimap Keyed by Identified Type

import collection.mutable._
val udtMapByType = new HashMap[String,Set[UDT]] with MultiMap[String,UDT]
udtList.foreach {
item => udtMapByType.addBinding(item.uType, item)
}
implicit def flat[K,V](kv: (K, Option[V])) = kv._2.map(kv._1 -> _).toList

Calling a Convenience Function to get Range Given Start and End

def getRange(start : Int , end : Int) = start to end toList

Giving functionName Return all callOuts within Scope of the Function

def getCallOutDetails(fnName:String) = cpg.method.name(fnName).callOut.l.map(co => (co.name , getLineNumber(co.lineNumber))).sortBy(_._2)

Optimizing Name Replacement

def getCallOutDetails(fnName:String) = cpg.method.name(fnName).callOut.l.par.map(co => (co.name , getLineNumber(co.lineNumber))).toList.sortBy(_._2)

Calling a Convenience Function for Holding Functions with CRITICAL SECTIONS with Ranges

case class WithCriticalSection(fnName : String, fileName : String, csRange : List[(String, Int, Int)])

Specifying Functions to Optimize Ranging

For situations in which multiple critical sections exists in a method (function).

def getBounds(dataTuples : List[(String,Int)]) =
dataTuples.foldLeft((List.empty[(String, Int)], Option.empty[(String, Int)])) {
case ((state, previousSignal), signal) =>
if (previousSignal.exists(_._1.contains("EXIT")) && signal._1.contains("EXIT")) {
(state.dropRight(1) :+ signal, Some(signal))
} else {
(state :+ signal, Some(signal))
}
}
def getRange(enterExits : (List[(String, Int)], Option[(String, Int)])) =
enterExits._1.foldLeft(
(List.empty[(String, Int, Int)], Option.empty[(String, Int, Int)])) {
case ((state, accSignal), signal) =>
if (signal._1.contains("ENTER")) {
(state, Some(("CRITICAL_SECTION_RANGE", signal._2, 0)))
} else {
val enterExt = accSignal.map(elem => elem.copy(_3 = signal._2))
(state :+ enterExt.get, Option.empty)
}
}._1

Getting Entire callOut Trace for Each Method that Encompasses taskENTER_CRITICAL

val callMap = cpg.method.filter(_.callOut.name("taskENTER_CRITICAL")).l map {
s => Map(s.name -> (s.start.file.name.head, getCallOutDetails(s.name.replaceAll("\\*",""))))
} reduce(_ ++ _)

Getting Entire callOut Trace for Each Method that DOES NOT Encompass taskENTER_CRITICAL

val callMapWithoutCS = cpg.method.filterNot(_.callOut.name("taskENTER_CRITICAL")).l map {
s => Map(s.name -> (s.start.file.name.headOption.getOrElse("NOT_IDENTIFIED"), getCallOutDetails(s.name.replaceAll("\\*",""))))
} reduce(_ ++ _)

Optimizing Replacement

def timeTaken[R](block: => R): R = {
val t0 = System.nanoTime()
val result = block // call-by-name
val t1 = System.nanoTime()
println("Elapsed time: " + (t1 - t0) + "ns")
result
}
val mWithoutCS = cpg.method.filterNot(_.callOut.name("taskENTER_CRITICAL")).l
timeTaken {
val callMapWithoutCS = mWithoutCS.map {
s => Map(s.name -> (s.start.file.name.headOption.getOrElse("NOT_IDENTIFIED"), getCallOutDetails(s.name.replaceAll("\\*",""))))
} reduce(_ ++ _)
}

Filtering callMap and Fitting into WithCriticalSection

val callMapFiltered = callMap map {
case(k,v) => k -> (v._1 , getRange(getBounds(v._2.filter(t => t._1.contains("taskENTER_CRITICAL") || t._1.contains("taskEXIT_CRITICAL")))))
} map { case(k,v) => k -> WithCriticalSection(k,v._1,v._2) }

Navigating using an Identifier

For example called xQueueAddToSet. Pick any type from udtMapByType say for instance tfp_format.

"SIZEOF_LONG_LONG" -> Set(
UDT("SIZEOF_LONG_LONG", "lng", "tfp_format", "../../Downloads/dahling-fw/Src/utils/tinystdio.c", 398),
UDT("SIZEOF_LONG_LONG", "lng", "tfp_format", "../../Downloads/dahling-fw/Src/utils/tinystdio.c", 412),
UDT("SIZEOF_LONG_LONG", "lng", "tfp_format", "../../Downloads/dahling-fw/Src/utils/tinystdio.c", 408)
...
val nonAtomicUsedInCS =callMap.getOrElse("tfp_format","NOT_FOUND")
val nonAtomicUsedInNoCS =callMapWithoutCS.getOrElse("tfp_format","NOT_FOUND")

If (nonAtomicUsedInCS.size > 0 && nonAtomicUsedInNoCS.size > 0), this implies that a non atomic data type is used both in guarded context and not in guarded context, possibly leading to deadlock or starvation.

Determining the Location Details of Where the Non Atomic Data type is Used

val udtSet = udtMap("xStreamBufferReset")
val callSiteData = callMapFiltered.get("xStreamBufferReset").get
udtSet.foreach {
udt => callSiteData.csRange.map { item =>
if((udt.lineNumber > item._2) && (udt.lineNumber < item._3)) {
printf("[%s] is bound in critical section at [%d] between [%d] and [%d] in methodName [%s] located at [%s]\n", udt.uName, udt.lineNumber, item._2, item._3, udt.methodName, udt.fileName)
}
}
}