Departmental Papers (CIS)

Date of this Version

6-14-2007

Document Type

Other

Comments

Karl Mazurak and Steve Zdancewic. ABash: Finding Bugs in Bash Scripts. In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), June 2007.

doi>10.1145/1255329.1255347

© ACM, 2007. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM SIGPLAN Workshop on Programming Languages and Analysis for Security , {(2007)} http://doi.acm.org/10.1145/1255329.1255347" Email permissions@acm.org

Abstract

This paper describes the design and implementation of ABash, a tool for statically analyzing programs written in the bash scripting language. Although it makes no formal guarantees against missed errors or spurious warnings (largely due to the highly dynamic nature of bash scripts), ABash is useful for detecting certain common program errors that may lead to security vulnerabilities. In experiments with 49 bash scripts taken from popular Internet repositories, ABash was able to identify 20 of them as containing bugs of varying severity while yielding only a reasonable number of spurious warnings on both these scripts and the generally bug-free initialization scripts of the Ubuntu Linux distribution. ABash works by performing abstract interpretation of a bash script via an abstract semantics that accounts for shell variable expansion. The analysis is also parameterized by a collection of signatures that describe external program interfaces (for Unix commands, etc.), yielding an easily configurable and extensible framework for finding bugs in bash scripts.

Share

COinS
 

Date Posted: 18 July 2012