论文信息 - ABASH: finding bugs in bash scripts

ABASH: finding bugs in bash scripts

This paper describes the design and implementation of ABASH, a tool for statically analyzing programs written in the bash scripting language. Although it makes no formal guarantees against missed errors or spurious warnings (largely due to the highly dynamic nature of bash scripts), ABASHis useful for detecting certain common program errors that may lead to security vulnerabilities. In experiments with 49 bash scripts taken from popular Internet repositories, ABASH was able to identify 20 of them as containing bugs of varying severity while yielding only a reasonable number of spurious warnings on both these scripts and the generally bug-free initialization scripts of the Ubuntu Linux distribution. ABASH works by performing abstract interpretation of a bash script via an abstract semantics that accounts for shell variable expansion. The analysis is also parameterized by a collection of signatures that describe external program interfaces (for Unix commands, etc.), yielding an easily configurable and extensible framework for finding bugs in bash scripts

Steve Zdancewic | Karl Mazurak | S. Zdancewic | K. Mazurak

[1] Greg Nelson,et al. Extended static checking for Java , 2002, PLDI '02.

[2] Peter J. Denning,et al. Certification of programs for secure information flow , 1977, CACM.

[3] Patrick Cousot,et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[4] Benjamin Livshits,et al. Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[5] Sriram K. Rajamani,et al. The SLAM project: debugging system software via static analysis , 2002, POPL '02.

[6] Andrew C. Myers,et al. Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[7] Alexander Aiken,et al. Static Detection of Security Vulnerabilities in Scripting Languages , 2006, USENIX Security Symposium.

[8] Dorothy E. Denning,et al. A lattice model of secure information flow , 1976, CACM.

[9] Zhendong Su,et al. The essence of command injection attacks in web applications , 2006, POPL '06.

[10] Jeffrey S. Foster,et al. Flow-insensitive type qualifiers , 2006, TOPL.

[11] Andrew C. Myers,et al. JFlow: practical mostly-static information flow control , 1999, POPL '99.

[12] David A. Wagner,et al. MOPS: an infrastructure for examining security properties of software , 2002, CCS '02.