Don’t Miss the End: Preventing Unsafe End-of-File Comparisons
Reading from an InputStream or Reader in Java either returns the read byte or character, or \(-1\) if the end-of-file (EOF) has been reached. To accommodate \(-1\) as an additional return value, the read methods return an int. For correct usage, the return value should be compared to \(-1\) before being converted to byte or char. If the conversion is performed before the comparison, a read-until-EOF loop can either exit prematurely or be stuck in an infinite loop. The SEI CERT Oracle Coding Standard for Java rule FIO08-J, “Distinguish between characters or bytes read from a stream and \(-1\)”, describes this issue in detail. This paper presents a type system that statically prevents unsafe EOF value comparisons; it is implemented for Java using the Checker Framework. In an evaluation of 35 projects (9 million LOC) it detected 3 defects in production software and 8 bad coding practices, with no false positives. The overall annotation effort is very low: overrides of the read methods needed to be annotated, requiring a total of 44 annotations, and 3 further annotations for fields and method parameters were needed. To the best of our knowledge, this is the first open source tool to prevent this security issue.
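The two failure modes described above, shown as an added Java example that is not part of the paper or its Checker Framework implementation; the input data is constructed so that a 0xFF byte sits in the middle of the stream:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Reader;
import java.io.StringReader;

public class EofComparisonDemo {

    // Constructed sample input: a 0xFF byte in the middle of otherwise ordinary data.
    private static final byte[] DATA = {0x41, (byte) 0xFF, 0x42};

    // Unsafe: narrowing to byte before the comparison turns the data byte 0xFF into
    // -1, so the loop exits prematurely and silently drops the rest of the stream.
    static int countBytesUnsafe(InputStream in) throws IOException {
        int count = 0;
        byte b;
        while ((b = (byte) in.read()) != -1) {
            count++;
        }
        return count;
    }

    // Safe: keep the int, compare it to -1 first, and narrow only the real data.
    static int countBytesSafe(InputStream in) throws IOException {
        int count = 0;
        int c;
        while ((c = in.read()) != -1) {
            byte b = (byte) c;   // a genuine data byte; use it as needed
            count++;
        }
        return count;
    }

    // Unsafe: (char) -1 is '\uFFFF', which is promoted to 65535 in the comparison,
    // so EOF is never recognised and the loop would spin forever on a finite
    // stream. The limit exists only so this demonstration returns.
    static int countCharsUnsafe(Reader r, int limit) throws IOException {
        int count = 0;
        char ch;
        while ((ch = (char) r.read()) != -1 && count < limit) {
            count++;
        }
        return count;
    }

    public static void main(String[] args) throws IOException {
        System.out.println(countBytesUnsafe(new ByteArrayInputStream(DATA)));
        System.out.println(countBytesSafe(new ByteArrayInputStream(DATA)));
        System.out.println(countCharsUnsafe(new StringReader("ab"), 10));
    }
}
```

The byte loop stops at the 0xFF byte instead of at the true end of the stream, and the char loop only stops because of the artificial limit; in both cases the fix is to compare the int result to -1 before narrowing it.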
Keywords: Software security; Static analysis; Java type system; CERT rules; Practice
We thank the reviewers for their comments, which helped us to improve the paper. We also thank Daniel Caccamo, Jeff Luo, and Sadaf Tajik for feedback on drafts. This work was partially supported by the Natural Sciences and Engineering Research Council of Canada. This material is based upon work supported by the United States Air Force under Contract No. FA8750-15-C-0010. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the United States Air Force and the Defense Advanced Research Projects Agency (DARPA).
- 1. Ayewah, N., Pugh, W., Morgenthaler, J.D., Penix, J., Zhou, Y.: Evaluating static analysis defect warnings on production software. In: ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (2007)
- 2. Dietl, W., Dietzel, S., Ernst, M.D., Muslu, K., Schiller, T.W.: Building and using pluggable type-checkers. In: Software Engineering in Practice Track, International Conference on Software Engineering (ICSE), May 2011
- 3. Distinguish between characters or bytes read from a stream and \(-1\). November 2017. https://wiki.sei.cmu.edu/confluence/display/java/FIO08-J.+Distinguish+between+characters+or+bytes+read+from+a+stream+and+-1. Accessed 25 Nov 2017
- 4. Svoboda, D., Sutherland, D.F., Seacord, R.C., Mohindra, D., Long, F.: The CERT Oracle Secure Coding Standard for Java. Addison-Wesley Professional, Boston (2011)