SQLite with a Fine-Toothed Comb
John Regehr
Trust-in-Soft / University of Utah
[Figure: Feasible states for a system we care about. Labels: "Initial state", "Some execution reaches this state", "No execution reaches this state".]

[Figure: Feasible states. Caption: Figuring out whether an arbitrary state is feasible is very, very hard.]

[Figure: Feasible states and erroneous states. The overlap of the two regions is marked "BUG!!!".]

[Figure: Verification. The slide is annotated with six "Alarm" labels.]

[Figure: Testing, built up over five slides; the final slide is marked "AHA!".]
• Testing is unsatisfying because it gives no guarantees
  – In practice, testing almost invariably misses critical bugs
  – Even microprocessors and rockets ship with nasty bugs
However, it always makes sense to do testing first, verification second
• Of course we need to be continuously testing our software anyway
• Finding bugs during verification makes verification more difficult
  – We want verification to be about proving absence of bugs, not about finding bugs
• tis-interpreter lets us detect a wide variety of very subtle undefined behaviors (UBs) in C code as a side effect of normal testing
An undefined behavior in C and C++ (and other languages) is a program error that
  – Is not caught by the compiler or runtime library
  – Is assumed to not happen by the compiler
  – Invalidates all guarantees made by the compiler
Basically all non-trivial C and C++ programs execute undefined behaviors
  – Thus, according to the standards, almost all C and C++ programs are meaningless
  – Including, for example, most of the SPEC CPU 2006 benchmarks
• This function executes undefined behavior:

```c
int foo(int x, int y) {
  return (x + y) >> 32;   // x + y may overflow; shifting an int by 32 is out of range
}
```

The latest version of LLVM emits:

```asm
foo:
  retq
```
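The two operations in the slide's foo() written with their preconditions checked, so that the code refuses the inputs the compiler would otherwise treat as impossible. This is an added example, not code from the slides or from SQLite; checked_add, checked_shr and foo_checked are names chosen here.

```c
#include <limits.h>
#include <stdbool.h>

/* Added example (not from the slides): the slide's foo() has two undefined
   behaviours, signed overflow in x + y and a shift count that is not below
   the width of int.  Each helper below rejects its case instead of letting
   the compiler assume it cannot happen. */

/* Returns true and stores x + y in *out when the sum fits in an int;
   returns false and leaves *out untouched when it would overflow. */
bool checked_add(int x, int y, int *out)
{
    if ((y > 0 && x > INT_MAX - y) ||   /* would exceed INT_MAX */
        (y < 0 && x < INT_MIN - y)) {   /* would go below INT_MIN */
        return false;
    }
    *out = x + y;
    return true;
}

/* Right shift with the standard's preconditions enforced: the count must be
   below the width of int.  A negative value is rejected as well, because
   right-shifting a negative signed value is implementation-defined. */
bool checked_shr(int v, unsigned count, int *out)
{
    if (v < 0 || count >= CHAR_BIT * sizeof(int)) {
        return false;
    }
    *out = v >> count;
    return true;
}

/* The slide's foo() with both checks applied.  Returns false instead of
   executing undefined behaviour; *out is only meaningful when true is
   returned. */
bool foo_checked(int x, int y, unsigned shift, int *out)
{
    int sum;
    return checked_add(x, y, &sum) && checked_shr(sum, shift, out);
}
```

The overflow test compares against INT_MAX - y and INT_MIN - y rather than computing x + y first, because the addition itself is the operation that must not be allowed to overflow.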
• Most safety-critical and security-critical software is written in C and C++
• Undefined behavior is a huge problem
  – Responsible for a large fraction of major security problems over the last 20 years
• The solution is tools
  – Static analysis to find bugs at compile time
  – Dynamic analysis to find bugs at runtime
[Figure: Venn diagram of undefined behaviors. Outer set: "All UBs". Inner sets: "UBs found by tis-interpreter", "UBs found by ASan or Valgrind", "UBs found by UBSan". UB kinds placed in the diagram: varargs bugs; comparisons of unrelated pointers; uses (not dereferences) of invalid pointers; signed integer overflows; OOB array accesses; violations of strict aliasing; infinite loops w/o side effects; double frees, uses after free; unsequenced variable accesses.]
We've been applying tis-interpreter to widely used, security-critical open source libraries
• Crypto
  – PolarSSL, OpenSSL, LibreSSL, s2n
• File processing
  – libjpeg, libpng, libwebp, bzip, zlib
• Databases
  – SQLite

Where do we get test cases?
• Test suites
• afl-fuzz
SQLite
• Open source embedded SQL database
• ~113,000 lines of C
• Most widely deployed SQL database (probably by multiple orders of magnitude)
• One of the most widely deployed software packages, period
  – Most phones, web browser instances, smart TVs, set-top boxes contain at least one instance
• https://www.sqlite.org
SQLite is extensively tested
• Test cases are written by hand
  – 100% MC/DC coverage!
  – Every entry and exit point is invoked
  – Every decision takes every outcome
  – Every condition in a decision takes every outcome
  – Every condition in a decision is shown to independently affect the outcome of the decision
• Test cases are generated automatically by fuzzers
• https://www.sqlite.org/testing.html
• Executions are examined by checking tools such as Valgrind

Are there problems in SQLite left for us to find?
Library functions such as memcpy() and memset() assume that their pointer arguments are non-null
• SQLite sometimes calls these functions with null arguments

```c
void foo(char *p1, char *p2, size_t n) {
  memcpy(p1, p2, n);           // p1 and p2 are required to be non-null here
  if (!p1) error_handler();    // so the compiler treats this check as dead code
}
```

Code generated by GCC:

```asm
foo:
  jmp memcpy
```
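The slide's foo() checks p1 only after memcpy() has already required it to be non-null, which is why GCC can drop the check. Below is the hardened shape, with every precondition tested before the library call; it also rejects a length larger than the destination, since OOB array accesses are another UB class on the slides. This is an added example, not code from the slides or from SQLite; copy_status and copy_checked are names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not from the slides or from SQLite): the checks precede
   memcpy(), so none of them is dead code from the compiler's point of view. */

enum copy_status {
    COPY_OK = 0,
    COPY_NULL_DST = -1,   /* dst was NULL (UB for memcpy even when n == 0) */
    COPY_NULL_SRC = -2,   /* src was NULL */
    COPY_TOO_LONG = -3    /* n exceeds the destination's capacity */
};

/* Copies n bytes from src into dst, whose capacity is dst_cap bytes.
   memcpy() is only reached once both pointers and the length are known
   to satisfy its preconditions. */
enum copy_status copy_checked(char *dst, size_t dst_cap,
                              const char *src, size_t n)
{
    if (dst == NULL) {
        return COPY_NULL_DST;   /* reachable: memcpy() has not run yet */
    }
    if (src == NULL) {
        return COPY_NULL_SRC;
    }
    if (n > dst_cap) {
        return COPY_TOO_LONG;   /* would be an out-of-bounds write */
    }
    memcpy(dst, src, n);
    return COPY_OK;
}
```

The ordering is the whole point: a null check that follows the library call is not a check, because the call has already told the compiler the pointer is valid.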
```c
int sqlite3_config(int op, ...) {
  …
  var1 = va_arg(ap, void *);
  var2 = va_arg(ap, void *);
  …
}
```

OK to call like this?

```c
sqlite3_config(CONFIG_LOG, 0, pLog);   // int 0 passed where a void * is read
```

Correct call:

```c
sqlite3_config(CONFIG_LOG, (void *)0, pLog);
```

How can this kind of bug go undetected?

On x86:
• int and pointer are the same size
• Integer 0 and null pointer have the same representation
• No problem!

On x86-64:
• int has size 4 and pointer has size 8
• First six integer arguments are passed in registers
• No problem!

On other platforms, memory corruption is possible
• Many occurrences of integer zero values being passed as null pointers
• Also, a few other bugs such as more arguments being popped than pushed
• Are varargs bugs common?
  – We don't know
  – Bugs in calls to variadic standard library functions are caught by custom compiler warnings
  – Bugs in user-written variadic code get no checking whatsoever
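One way to give user-written variadic code the checking the slide says it lacks: a type-checked macro in front of the variadic call, so that the slide's int-versus-pointer mistake fails at compile time instead of silently working on x86 and x86-64. This is an added example, not SQLite's code; cfg_set, CFG_LOG, log_fn and CFG_SET_LOG are names chosen here, and the _Generic wrapper needs a C11 compiler.

```c
#include <stdarg.h>
#include <stddef.h>

/* Added example (not SQLite's code): a variadic configuration function shaped
   like the slide's sqlite3_config(), plus a front-end macro that only forwards
   an argument that already has the type va_arg() will read. */

enum { CFG_LOG = 1 };
typedef void (*log_fn)(void *ctx, const char *msg);

static log_fn  g_log     = NULL;   /* installed callback */
static void   *g_log_ctx = NULL;   /* its context pointer */

/* Variadic API: CFG_LOG expects exactly (log_fn, void *).  va_arg() cannot
   verify that the caller pushed those types, so the call site must. */
int cfg_set(int op, ...)
{
    va_list ap;
    va_start(ap, op);
    int rc = 0;
    switch (op) {
    case CFG_LOG:
        g_log     = va_arg(ap, log_fn);
        g_log_ctx = va_arg(ap, void *);
        break;
    default:
        rc = -1;   /* unknown op: no va_arg() is executed */
    }
    va_end(ap);
    return rc;
}

/* Type-checked front end.  _Generic has no branch for int, so
   CFG_SET_LOG(fn, 0) is a compile error; an argument of type void *
   (such as (void *)0) is forwarded unchanged. */
#define AS_LOG_FN(fn)   _Generic((fn), log_fn: (fn))
#define AS_VOID_PTR(p)  _Generic((p), void *: (p))
#define CFG_SET_LOG(fn, ctx) cfg_set(CFG_LOG, AS_LOG_FN(fn), AS_VOID_PTR(ctx))

/* Accessors so a test can observe what the variadic function stored. */
log_fn cfg_log_callback(void) { return g_log; }
void  *cfg_log_context(void)  { return g_log_ctx; }

static void test_logger(void *ctx, const char *msg) { (void)ctx; (void)msg; }

/* The slide's correct call form.  Returns 1 when cfg_set() stored both
   arguments exactly as passed. */
int demo_correct_call(void)
{
    log_fn fn = test_logger;
    void  *null_ctx = (void *)0;         /* a pointer, not the int 0 */
    int rc = CFG_SET_LOG(fn, null_ctx);
    return rc == 0 && g_log == test_logger && g_log_ctx == NULL;
}
```

The macro does not change what cfg_set() reads; it only refuses, at compile time, call sites whose argument types differ from what va_arg() will consume, which is the check the slide notes is otherwise absent for user-written variadic functions.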
C does not initialize function-scoped variables
Valgrind tracks initialization at bit level, allowing detection of accesses to uninitialized storage
• But Valgrind analyzes compiled code
• The compiler can hide errors, for example by reusing stack memory that was already initialized
tis-interpreter always finds these bugs
  – Including several in SQLite

```c
int dummy;                 // never initialized
some sort of loop {
  ...
  // we don't care about function()'s
  // return value (but its other
  // callers might)
  dummy += function();     // reads the indeterminate value of dummy
  ...
}
// dummy is not used again
```
A pointer in C becomes illegal to use once the storage to which it points is freed
• We found many locations where SQLite frees memory and then continues to use the invalid pointers

```c
req1_malloc02_alignment(p, z);
sqlite3_realloc(z, 0);          // frees z
th3testCheckTrue(p, z!=0);      // z is now invalid; even this comparison is a use
```
Creating a pointer ahead of or more than one element past the end of a block of storage is illegal in C

```c
int a[10];
int *p1 = &a[-1];   // illegal
int *p2 = &a[9];    // pointer to last element
int *p3 = &a[10];   // OK (one past the end)
int *p4 = &a[11];   // illegal
```
SQLite computed illegal pointers…
• On purpose: systematic use of pointers to array[-1]
  – 1-based array indexing w/o wasting RAM
• Accidentally, as part of input validation
  – This error is seen in almost all C code
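Both ways the slide says illegal pointers get formed, rewritten so that no out-of-range pointer is ever computed: 1-based indexing done by adjusting the index rather than the base pointer, and an input-validation bounds check that compares lengths instead of forming buf + off + n first. This is an added example, not SQLite's code; AT1, sum_1based, field_in_bounds and read_field are names chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not SQLite's code) for the two cases on the slide. */

/* 1-based access without ever materialising &a[-1]: keep the real base
   pointer and subtract from the index, not from the pointer.  Costs no RAM. */
#define AT1(base, i) ((base)[(i) - 1])

/* Sum of a 1-based array of n elements. */
int sum_1based(const int *base, size_t n)
{
    int total = 0;
    for (size_t i = 1; i <= n; i++) {
        total += AT1(base, i);
    }
    return total;
}

/* The usual accidental form of the bug is a check such as
 *     if (buf + off + n > buf + len) return false;
 * When off + n exceeds len, the pointer buf + off + n is already more than
 * one past the end of buf, so forming it is undefined and the compiler may
 * treat the comparison as always false.  Comparing lengths has no such
 * problem and also cannot overflow. */
bool field_in_bounds(size_t len, size_t off, size_t n)
{
    return off <= len && n <= len - off;
}

/* Copies the field [off, off + n) of buf into out (capacity out_cap).
   Returns false without touching out when the field lies outside buf or
   does not fit in out. */
bool read_field(const unsigned char *buf, size_t len, size_t off, size_t n,
                unsigned char *out, size_t out_cap)
{
    if (!field_in_bounds(len, off, n) || n > out_cap) {
        return false;
    }
    memcpy(out, buf + off, n);   /* buf + off is at most one past the end */
    return true;
}
```

field_in_bounds() checks off <= len before computing len - off, so the subtraction cannot wrap; the same discipline (validate the arithmetic, then form the pointer) is what keeps read_field() inside the block.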
Result of testing SQLite using tis-interpreter:
• Many bugs fixed
• Developers are now more aware of subtleties of the C standard
  – They had been writing "1990s C code" which ignores many undefined behaviors
• The C language is full of subtle undefined behaviors
  – Some are directly harmful
  – Others matter because compilers assume they will not happen
• tis-interpreter makes testing work better by using existing test cases to find these bugs
• Testing using tis-interpreter is a very useful prelude to formal verification
• tis-interpreter is open source
  – http://trust-in-soft.com/tis-interpreter/