Ensign

C++ Custom Alias Rules for Memory Allocation and Deallocation

I am trying to create an alias rule for our custom memory allocator and deallocator. Please see the attached file for full details.

Thanks,

Absent Member.

My understanding of your question is:

"My custom method customNewInt() is capable of handling necessary memory allocation. Whenever I need to use void* operator new (std::size_t count), I'd like to map it to customNewInt()".

I think the Alias Rule is being misused here:

  • Alias Rule Definition:
    • A pair of functions or mapping between functions that are semantically equivalent, indicating that rules matching the functions defined in 'To' also match functions defined in 'From'.
    • Your From method customNewInt() and To method new() look like they are defined differently, not just semantically different.
  • Namespace:
    • Matches on the package or namespace in which the function occurs. If not provided the identifier will match only the default namespace.
    • Your regular expression (std?) means the namespace contains zero or one occurrences of the string "std". Is this your true intention?
  • Class:
    • Matches on the function's enclosing class.  If not provided only non-member functions will be matched.
    • In your regular expression (.*), the dot means matching any character, but at least one, and * means followed by one or more characters. Is this your true intention?

I believe what you should do is

(1) In your source code, replace all operator new() with customNewInt()

(2) In the FPR, select Group By="Category Analyzer" and see which inspection engine reported the issue (i.e. Data Flow or Buffer Engine).

BO.png

(3) If detected by the Data Flow Analyzer, then there will be an accompanying TAINT FLAG. You need to create a custom rule (attached) to create a TAINT FLAG <TaintFlags>+VALIDATED_BUFFER_OVERFLOW</TaintFlags>. When the existing "Buffer Overflow" sink rule sees the +VALIDATED_, it will assume that customNewInt() eliminated the overflow risk, and will not report the issue. Something like:

TAINT.png

Attachment note 1: the format version (16.10) of the line <DataflowCleanseRule formatVersion="16.10" language="cpp"> must match your sourceanalyzer version or the rule may not fire.

Attachment note 2: you must use the Fortify-provided rule editor to create this rule, or it may not fire because your text editor's BO setting is different.

Ensign

Ms. Gray,

Trying to use an alias rule put me on the wrong track. When "Group By:" was set to "Category Analyzer",  it revealed that the Control Flow engine detected the memory leak. I then used the Custom Rules editor to create a Control Flow rules file (I am omitting XML closing tags for brevity):

<RuleDefinitions>
     <ControlflowTransition formatVersion="16.10" language="cpp">
          <RuleID> ...
          <ParentRuleID>...
          <FunctionIdentifier id="custom_allocation">
               <FunctionName>
                    <Pattern>customNewInt</Pattern>
          <DefinitionLanguage>controlFlow</DefinitionLanguage>
          <Definition><![CDATA[ start -> allocate { m = $custom_allocation(...) }]]></Definition>
     </ControlflowTransition>

and a similar XML block for the customDeleteInt function with the <Definition> tag:

     <Definition><![CDATA[allocated -> safe { $custom_deallocation(...,m,...) }]]></Definition>

This did not work either. Any ideas as to what I am doing wrong?

Thanks,
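A small pre-flight lint for the points raised so far in the thread, added here as an example and not taken from the posts or from Fortify: it checks that a rule file is well-formed XML, that each rule's formatVersion equals the version you pass in, and that every $name used in a <Definition> has a matching <FunctionIdentifier id>. The sample file, its placeholder RuleIDs, the lint_rules name, the absence of an XML namespace, and the reading of $name as a reference to a FunctionIdentifier id are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample rule file modelled on the snippet in the thread; the
# RuleID values are placeholders, not real Fortify rule IDs.
SAMPLE_RULES = """<RuleDefinitions>
  <ControlflowTransition formatVersion="16.10" language="cpp">
    <RuleID>PLACEHOLDER-RULE-ID-1</RuleID>
    <FunctionIdentifier id="custom_allocation">
      <FunctionName><Pattern>customNewInt</Pattern></FunctionName>
    </FunctionIdentifier>
    <DefinitionLanguage>controlFlow</DefinitionLanguage>
    <Definition><![CDATA[ start -> allocate { m = $custom_allocation(...) }]]></Definition>
  </ControlflowTransition>
  <ControlflowTransition formatVersion="16.20" language="cpp">
    <RuleID>PLACEHOLDER-RULE-ID-2</RuleID>
    <FunctionIdentifier id="custom_dealloc">
      <FunctionName><Pattern>customDeleteInt</Pattern></FunctionName>
    </FunctionIdentifier>
    <DefinitionLanguage>controlFlow</DefinitionLanguage>
    <Definition><![CDATA[allocated -> safe { $custom_deallocation(...,m,...) }]]></Definition>
  </ControlflowTransition>
</RuleDefinitions>"""


def lint_rules(xml_text, expected_version):
    """Return a list of (rule_id, problem) tuples for a rule file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. an unterminated CDATA section
        return [("<file>", f"not well-formed XML: {exc}")]
    problems = []
    for rule in root.iter():
        version = rule.get("formatVersion")
        if version is None:
            continue  # only rule elements carry formatVersion
        rule_id = rule.findtext("RuleID", default="?")
        if version != expected_version:
            problems.append((rule_id, f"formatVersion {version} != {expected_version}"))
        declared = {f.get("id") for f in rule.iter("FunctionIdentifier")}
        used = set(re.findall(r"\$(\w+)", rule.findtext("Definition", default="")))
        for name in sorted(used - declared):
            problems.append((rule_id, f"${name} has no FunctionIdentifier id"))
    return problems


if __name__ == "__main__":
    for rule_id, problem in lint_rules(SAMPLE_RULES, "16.10"):
        print(f"{rule_id}: {problem}")
```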

Absent Member.

The Fortify Control Flow Analyzer reports the issue because a certain STATE in the customNewInt() code does not close(). You should address these issues by remediating the code, not by a rule.

STATE.png

The "ControlflowTransition" rule is not the proper solution here (see sample below). Your rule is saying "detect and report <RuleID> (yellow) if found <FunctionName>=newInstance in the path of <ParentRuleID> (pink)".

TRAINSITION.png

Chapter 4 of the Custom Rule Guide explains this well, but my bible for all rule details is rules.xsd (what parameters can be used in a rule and other undocumented advanced functions). You can find this file at ~/Core/config/schema.
