Multiplier finds more bugs faster

Multiplier provides precise and comprehensive code understanding capabilities. It does so by saving build artifacts into a database, and then making them persistently accessible using a C++ or Python API.

Multiplier emphasizes the ability to uniquely identify all entities in a build process, including individual tokens, AST nodes, and intermediate representations. With Multiplier, an analyst can identify code patterns of interest over one of the representations, and then accurately relay results back to humans in a readable form, or to follow-on scripts via entity IDs.

Multiplier's APIs are extensive, and often provide as-good or better-than compiler-level quality information, but linked at a whole-program granularity. We like to say that with its APIs, you can get everywhere from anywhere.

• About
  • How do other indexers work, and why the normal way of indexing code is insufficient for C/C++
  • Why Multiplier? What analysis challenges does Multiplier solve?
• Usage
  • Getting and building the code
  • Installing a pre-built release
  • How to index a codebase
• Writeups
  • regreSSHion OpenSSH variant analysis
  • PHP variant analysis
• Included Python tools
  • Web-based code browser for browsing code from a database
  • Group functions by type
• Included C++ tools
  • Find function calls inside macro argument lists
  • Find possible divergent representations
  • Find uses of copy_to_user in the Linux kernel that overwrite flexible array members
  • Find data structures containing self-referential pointers, such as linked lists and trees
  • Find "sketchy" casts flowing to function arguments and to return sites
  • Extract an entity, e.g. a function, and all of its dependencies into a file
  • Highlight a specific entity within its surrounding code
  • Highlight all references to an entity
  • Print a call graph
  • Print the reference graph
  • Print a graph relating source code, macros, parsed tokens, and AST nodes
  • Print the taint graph given a taint source, and treating memory dereferences as taint sinks
• Included utilities
  • Find entities in the database given a symbol name
  • List all indexed files
  • List all indexed functions
  • List all indexed macros
  • List all redeclarations of a given entity
  • List all indexed structures/unions/classes/enums
  • List all indexed variables
  • Search the code with regular expressions

License

This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the author and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

Distribution Statement "A" (Approved for Public Release, Distribution Unlimited).