Static Code Analysis - PPT.ppt
Outline
- Motivation
- Static program analysis (concepts + examples)
- Program defect analysis (research work)

Motivation
- Characteristics of cloud platforms
  - Applications are deployed directly on cloud servers, which creates security risks:
    - an application can operate on the server's file system directly and damage it;
    - a security vulnerability in an application can give attackers a way in.
  - Resources are shared and allocated dynamically:
    - a single application that performs poorly takes resources away from other applications.
- One solution: run static code analysis on an application before it is deployed
  - Does it make forbidden calls? (illegal file access)
  - Does it contain inefficient code? (heavy String concatenation without StringBuilder)
  - Does it contain security vulnerabilities? (SQL injection, cross-site attacks, denial of service)
  - Does it contain malicious code (viruses)?

Static Code Analysis
- Definition: static program analysis is the technique of analyzing a program without executing it; it is called static analysis for short.
- Compared with:
  - Dynamic program analysis: requires actually executing the program.
  - Program comprehension: the term "static analysis" usually describes analysis done by automated tools, while manual analysis is usually called program comprehension.
- Uses: program translation/compilation (compilers), program optimization and refactoring, software defect detection, and so on.
- Process: in most cases the input to static analysis is source code or intermediate code (such as Java bytecode); object code is used only in rare cases. The analysis results are output in a specific form.

Static Code Analysis: topics
- Basic Blocks
- Control Flow Graph
- Dataflow Analysis
  - Live Variable Analysis
  - Reaching Definition Analysis
- Lattice Theory

Basic Blocks
- A basic block is a maximal sequence of consecutive three-address instructions with the following properties:
  - The flow of control can only enter the basic block through the first instruction.
  - Control will leave the block without halting or branching, except possibly at the last instruction.
- Basic blocks become the nodes of a flow graph, with edges indicating the order.

Basic Block Example

     1) i = 1
     2) j = 1
     3) t1 = 10 * i
     4) t2 = t1 + j
     5) t3 = 8 * t2
     6) t4 = t3 - 88
     7) a[t4] = 0.0
     8) j = j + 1
     9) if j <= 10 goto (3)
    10) i = i + 1
    11) if i <= 10 goto (2)
    12) i = 1
    13) t5 = i - 1
    14) t6 = 88 * t5
    15) a[t6] = 1.0
    16) i = i + 1
    17) if i <= 10 goto (13)

[Figure: Leaders]
[Figure: Basic Blocks]

Control-Flow Graphs
- Control-flow graph:
  - Node: an instruction or sequence of instructions (a basic block).
    - Two instructions i, j are in the same basic block iff execution of i guarantees execution of j.
  - Directed edge: potential flow of control.
  - Distinguished start node Entry and end node Exit:
    - the first and last instruction in the program.

Control-Flow Edges
- Basic blocks = nodes
- Edges: add a directed edge between B1 and B2 if:
  - there is a branch from the last statement of B1 to the first statement of B2 (B2 is a leader), or
  - B2 immediately follows B1 in program order and B1 does not end with an unconditional branch (goto).
- Definition of predecessor and successor:
  - B1 is a predecessor of B2
  - B2 is a successor of B1

[Figure: CFG Example]

Dataflow Analysis
- Compile-time reasoning about run-time values of variables or expressions
- At different program points:
  - Which assignment statements produced the value of a variable at this point?
  - Which variables contain values that are no longer used after this program point?
  - What is the range of possible values of a variable at this program point?

Program Points
- One program point before each node
- One program point after each node
- Join point: a point with multiple predecessors
- Split point: a point with multiple successors

Live Variable Analysis
- A variable v is live at point p if v is used along some path starting at p, and there is no definition of v along the path before the use.
- When is a variable v dead at point p?
  - There is no use of v on any path from p to the exit node, or
  - all paths from p redefine v before using v.

What Use is Liveness Information?
- Register allocation.
  - If a variable is dead, its register can be reassigned.
- Dead code elimination.
  - Eliminate assignments to variables that are not read later.
  - But the last assignment to a variable visible outside the CFG (such as an instance variable) must not be eliminated.
  - Other dead assignments can be eliminated.
  - Handle this by making all externally visible variables live on exit from the CFG.

Conceptual Idea of Analysis
- Start from the exit and go backwards in the CFG.
- Compute liveness information from the end to the beginning of basic blocks.

Liveness Example

    a = x+y; t = a; c = a+x; x = 0
    b = t+z;
    c = y+1;

- Assume a, b, c are visible outside the method
  - so they are live on exit
- Assume x, y, z, t are not visible
- Represent liveness using a bit vector
  - order is abcxyzt

Formalizing Analysis
- Each basic block has
  - IN: set of variables live at the start of the block
  - OUT: set of variables live at the end of the block
  - USE: set of variables with upwards exposed uses in the block (use prior to definition)
  - DEF: set of variables defined in the block prior to use
- USE[x = z; x = x+1;] = { z } (x not in USE)
- DEF[x = z; x = x+1; y = 1;] = { x, y }
- The compiler scans each basic block to derive its USE and DEF sets

Algorithm

    for all nodes n in N - { Exit }
        IN[n] = emptyset;
    OUT[Exit] = emptyset;
    IN[Exit] = use[Exit];
    Changed = N - { Exit };
    while (Changed != emptyset)
        choose a node n in Changed;
        Changed = Changed - { n };
        // OUT[n] is the union of IN over the successors of n
        OUT[n] = emptyset;
        for all nodes s in successors(n)
            OUT[n] = OUT[n] U IN[s];
        IN[n] = use[n] U (out[n] - def[n]);
        // a changed IN[n] can change OUT of every predecessor
        if (IN[n] changed)
            for all nodes p in predecessors(n)
                Changed = Changed U { p };

Reaching Definitions
- Concept of definition and use
  - a = x+y
    - is a definition of a
    - is a use of x and y
- A definition reaches a use if the value written by the definition may be read by the use.

Reaching Definitions (example)

    s = 0; a = 4; i = 0; k = 0
    b = 1;
    b = 2;
    i < n
    s = s + a*b; i = i + 1;
    return s

Reaching Definitions and Constant Propagation
- Is a use of a variable a constant?
  - Check all reaching definitions.
  - If all of them assign the variable the same constant,
  - then the use is in fact a constant.
- The variable can then be replaced with the constant.

Is a Constant in s = s+a*b?

    s = 0; a = 4; i = 0; k = 0
    b = 1;
    b = 2;
    i < n
    s = s + a*b; i = i + 1;
    return s

Yes! On all reaching definitions a = 4

Constant Propagation Transform

    s = 0; a = 4; i = 0; k = 0
    b = 1;
    b = 2;
    i < n
    s = s + 4*b; i = i + 1;
    return s

Yes! On all reac
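The leader and edge rules from the Basic Blocks and Control-Flow Edges slides, applied to the 17-instruction listing of the Basic Block Example slide. This is an added example, not code from the slides; the function names are hypothetical, the comparison operators in the listing are read as `<=`, and the leader rule used is the standard one (first instruction, every jump target, every instruction that follows a jump).

```python
import re

# Listing from the Basic Block Example slide, instructions 1..17.
# Assumption: the comparisons are "<=".
PROGRAM = [s.strip() for s in (
    "i = 1; j = 1; t1 = 10 * i; t2 = t1 + j; t3 = 8 * t2; t4 = t3 - 88;"
    "a[t4] = 0.0; j = j + 1; if j <= 10 goto (3); i = i + 1;"
    "if i <= 10 goto (2); i = 1; t5 = i - 1; t6 = 88 * t5; a[t6] = 1.0;"
    "i = i + 1; if i <= 10 goto (13)").split(";")]

def jump_target(instr):
    """Return the instruction number a (conditional) goto jumps to, or None."""
    m = re.search(r"goto\s*\((\d+)\)", instr)
    return int(m.group(1)) if m else None

def find_leaders(prog):
    """Leaders: instruction 1, every jump target, every instruction after a jump."""
    leaders = {1}
    for n, instr in enumerate(prog, start=1):
        target = jump_target(instr)
        if target is not None:
            leaders.add(target)
            if n < len(prog):
                leaders.add(n + 1)
    return sorted(leaders)

def build_cfg(prog):
    """Return blocks as (first, last) instruction numbers and edges as block-index pairs."""
    leaders = find_leaders(prog)
    ends = [nxt - 1 for nxt in leaders[1:]] + [len(prog)]
    blocks = list(zip(leaders, ends))
    start_of = {first: i for i, (first, _) in enumerate(blocks)}
    edges = set()
    for i, (_, last) in enumerate(blocks):
        instr = prog[last - 1]
        target = jump_target(instr)
        if target is not None:
            edges.add((i, start_of[target]))   # branch to a leader
        # fall through unless the block ends in an unconditional goto
        if not instr.startswith("goto") and i + 1 < len(blocks):
            edges.add((i, i + 1))
    return blocks, sorted(edges)

if __name__ == "__main__":
    blocks, edges = build_cfg(PROGRAM)
    print("blocks:", blocks)
    print("edges: ", edges)
```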
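The worklist algorithm from the Algorithm slide, run on the three blocks of the Liveness Example slide with USE and DEF derived by scanning each block. This is an added example, not code from the slides; the function names are hypothetical, and the CFG edges (B1 to B2, B1 to B3, B2 to B3, B3 to Exit) and the reading of the first block's last item as the branch test `x == 0` are assumptions.

```python
import re

ORDER = "abcxyzt"  # bit-vector order from the slide
# Blocks from the Liveness Example slide. Assumptions: the first block ends
# in the branch test x == 0, and the edges are B1->B2, B1->B3, B2->B3.
BLOCKS = {
    "B1": ["a = x + y", "t = a", "c = a + x", "x == 0"],
    "B2": ["b = t + z"],
    "B3": ["c = y + 1"],
}
SUCC = {"B1": ["B2", "B3"], "B2": ["B3"], "B3": ["Exit"], "Exit": []}
LIVE_ON_EXIT = {"a", "b", "c"}  # a, b, c are visible outside the method

def use_def(stmts):
    """USE: read before any write in the block. DEF: written before any read."""
    use, defs = set(), set()
    for s in stmts:
        m = re.fullmatch(r"\s*([a-z]\w*)\s*=(?!=)(.*)", s)
        target, rhs = (m.group(1), m.group(2)) if m else (None, s)
        for v in re.findall(r"[a-z]\w*", rhs):
            if v not in defs:
                use.add(v)
        if target and target not in use:
            defs.add(target)
    return use, defs

def liveness():
    """Backward worklist iteration; returns (IN, OUT) sets per node."""
    info = {n: use_def(b) for n, b in BLOCKS.items()}
    pred = {n: [p for p in SUCC if n in SUCC[p]] for n in SUCC}
    live_in = {n: set() for n in SUCC}
    live_out = {n: set() for n in SUCC}
    live_in["Exit"] = set(LIVE_ON_EXIT)  # IN[Exit] = use[Exit]
    changed = [n for n in SUCC if n != "Exit"]
    while changed:
        n = changed.pop()
        live_out[n] = set().union(*(live_in[s] for s in SUCC[n]))
        use, defs = info[n]
        new_in = use | (live_out[n] - defs)
        if new_in != live_in[n]:
            live_in[n] = new_in
            changed.extend(p for p in pred[n] if p not in changed)
    return live_in, live_out

def bits(live):
    """Render a live set as a bit vector in ORDER."""
    return "".join("1" if v in live else "0" for v in ORDER)
```

Calling `bits()` on the IN set of each block gives the bit vector at the top of that block under the assumed edges.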