DOI: 10.1145/1255329.1255347
Article

ABASH: finding bugs in bash scripts

Published: 14 June 2007

Abstract

This paper describes the design and implementation of ABASH, a tool for statically analyzing programs written in the bash scripting language. Although it makes no formal guarantees against missed errors or spurious warnings (largely due to the highly dynamic nature of bash scripts), ABASH is useful for detecting certain common program errors that may lead to security vulnerabilities. In experiments with 49 bash scripts taken from popular Internet repositories, ABASH was able to identify 20 of them as containing bugs of varying severity while yielding only a reasonable number of spurious warnings on both these scripts and the generally bug-free initialization scripts of the Ubuntu Linux distribution. ABASH works by performing abstract interpretation of a bash script via an abstract semantics that accounts for shell variable expansion. The analysis is also parameterized by a collection of signatures that describe external program interfaces (for Unix commands, etc.), yielding an easily configurable and extensible framework for finding bugs in bash scripts.
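As an added illustration, not ABASH's code or the authors' algorithm, of the two ideas the abstract names (an abstract semantics for variable expansion and a table of command signatures), the following constructed Python mini-analyser tracks which shell variables carry untrusted input through assignments and flags their unquoted expansion in arguments of commands whose signature forbids it. The untrusted-source policy, the signature table and the one-command-per-line simplification are assumptions made for this example.

```python
import re
import shlex

# Constructed mini-analyser (not ABASH's code): track which shell variables hold
# untrusted data and flag their unquoted expansions in command arguments.

# Assumed policy: positional parameters and CGI-style env vars are untrusted.
UNTRUSTED = {"1", "2", "@", "*", "QUERY_STRING", "REMOTE_USER"}
# Constructed signatures: 1-based argument positions of each command that must
# not receive an unquoted untrusted expansion; "*" means every argument.
SIGNATURES = {"rm": "*", "cp": "*", "eval": "*", "chown": {2}}

ASSIGN = re.compile(r"^(?:local\s+|export\s+)?(\w+)=(.*)$")
EXPANSION = re.compile(r"\$\{?(\w+|[@*#?])\}?")  # $x, ${x}, $1, $@ ...


def is_quoted(token):
    # shlex with posix=False keeps the quotes, so a word double-quoted end to
    # end is immune to word splitting and pathname expansion.
    return len(token) >= 2 and token[0] == '"' and token[-1] == '"'


def analyze(script):
    """Return (line number, command, variable) for each risky expansion.
    Assumes one simple command per line; pipelines and && chains are not split."""
    tainted = set(UNTRUSTED)
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:  # x=$1 makes x untrusted; x=literal makes it trusted again
            name, value = m.groups()
            if any(v in tainted for v in EXPANSION.findall(value)):
                tainted.add(name)
            else:
                tainted.discard(name)
            continue
        try:
            words = shlex.split(line, posix=False)
        except ValueError:
            continue  # unbalanced quotes; a real tool would report a parse error
        if not words or words[0] not in SIGNATURES:
            continue
        for pos, arg in enumerate(words[1:], 1):
            spec = SIGNATURES[words[0]]
            if (spec == "*" or pos in spec) and not is_quoted(arg):
                for var in EXPANSION.findall(arg):
                    if var in tainted:
                        findings.append((lineno, words[0], var))
    return findings
```

Running `analyze` on a script that does `upload_dir=$1` and later `chown www-data $upload_dir` reports the second line, while `rm -rf "$upload_dir"/old` is accepted because the expansion is quoted.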


Published In

PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security
June 2007, 122 pages
ISBN: 9781595937117
DOI: 10.1145/1255329
General Chair: Michael Hicks

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. abstract interpretation
  2. bash
  3. scripting languages

Conference

PLAS07

Acceptance Rates

Overall acceptance rate: 43 of 77 submissions, 56%


Cited By

  • (2023) DRIVE: Dockerfile Rule Mining and Violation Detection. ACM Transactions on Software Engineering and Methodology, 33(2):1-23. DOI 10.1145/3617173. Online publication date: 21-Aug-2023
  • (2023) Bash in the Wild: Language Usage, Code Smells, and Bugs. ACM Transactions on Software Engineering and Methodology, 32(1):1-22. DOI 10.1145/3517193. Online publication date: 13-Feb-2023
  • (2022) The CoLiS platform for the analysis of maintainer scripts in Debian software packages. International Journal on Software Tools for Technology Transfer, 24(5):717-733. DOI 10.1007/s10009-022-00671-1. Online publication date: 23-Sep-2022
  • (2020) Automatically detecting risky scripts in infrastructure code. Proceedings of the 11th ACM Symposium on Cloud Computing, pages 358-371. DOI 10.1145/3419111.3421303. Online publication date: 12-Oct-2020
  • (2020) Morbig: A Static parser for POSIX shell. Journal of Computer Languages, 57:100944. DOI 10.1016/j.cola.2020.100944. Online publication date: Apr-2020
  • (2020) Analysing installation scenarios of Debian packages. Tools and Algorithms for the Construction and Analysis of Systems, pages 235-253. DOI 10.1007/978-3-030-45237-7_14. Online publication date: 17-Apr-2020
  • (2019) Executable formal semantics for the POSIX shell. Proceedings of the ACM on Programming Languages, 4(POPL):1-30. DOI 10.1145/3371111. Online publication date: 20-Dec-2019
  • (2018) Morbig: a static parser for POSIX shell. Proceedings of the 11th ACM SIGPLAN International Conference on Software Language Engineering, pages 29-41. DOI 10.1145/3276604.3276615. Online publication date: 24-Oct-2018
  • (2018) Word expansion supports POSIX shell interactivity. Companion Proceedings of the 2nd International Conference on the Art, Science, and Engineering of Programming, pages 153-160. DOI 10.1145/3191697.3214336. Online publication date: 9-Apr-2018
  • (2017) Tortoise: interactive system configuration repair. Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, pages 625-636. DOI 10.5555/3155562.3155641. Online publication date: 30-Oct-2017
