Xutong Ma,Jiwei Yan,Wei Wang,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/ase51524.2021.9678836

2021-01-01

Abstract:The smart pointer mechanism, which is improved in the continuous versions of the C++ standards over the last decade, is designed to prevent memory-leak bugs by automatically deallocating the managed memory blocks. However, not all kinds of memory errors can be immunized by adopting this mechanism. For example, dereferencing a null smart pointer will lead to a software failure. Due to the lack of specialized support for smart pointers, the off-the-shelf C++ static analyzers cannot effectively reveal these bugs. In this paper, we propose a static approach to detecting memory-related bugs by tracking the heap memory management of smart pointers. The behaviors of smart pointers are modeled during their lifetime to trace the state transitions of managed memory blocks. And the specially designed checkers are used to check the state changes according to five collected bug patterns. To evaluate the effectiveness of our approach, we implement it on the top of the Clang Static Analyzer. A set of handmade code snippets, as well as nine popular open-source C++ projects, are used to compare our tool against four other analyzers. The results show that our approach can successfully discover nearly all the built-in bugs. And 442 out of 648 reports generated from the open-source projects are true positives after manual reviewing, where the bugs of dereferencing null smart pointers are most frequently reported. To further confirm our reports, we design patches for Aria2, Restbed, MySQL and LLVM, in which seven pull requests covering 76 bug reports have been merged by the developers up to now. The results indicate that pointers should always be carefully used even after migrated to smart pointers and static analysis upon specialized models can effectively detect such bugs.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Weizhong Qiang,Weifeng Li,Hai Jin,Jayachander Surbiryala

DOI: https://doi.org/10.1109/access.2019.2908022

IF: 3.9

2019-01-01

IEEE Access

Abstract:Highly efficient languages, such as C/C++, have low-level control over memory. Due to the lack of validity detection for pointers and garbage collection for memory, developers are responsible for dynamic memory management by explicitly allocating and deallocating memory. However, explicit memory management brings a large number of memory safety-related vulnerabilities, such as use-after-free. The threat of use-after-free vulnerabilities has become more and more serious due to their high level of the severity and quick emergence of the number. In this paper, a dynamic defense system is proposed against use-after-free exploits by introducing an approach based on multi-level pointers that insert intermediate pointers between a heap object and its related pointers. First, the relationship between a heap object to be protected, and the related pointers pointing to it, is established by combing with intermediate pointers. Then, all of the accesses to this object via its related pointers can only be achieved through these intermediate pointers. Finally, to prevent the dangling pointers from being dereferenced to this object, all the intermediate pointers related to this object are invalidated when it is freed so that any access to a freed object can be prevented due to the invalidated intermediate pointers. The prototype system MPChecker is implemented, which can prevent use-after-free exploits for C/C++ multi-threaded programs. Compared with the related methods, MPChecker can protect pointers that are copied in a type-unsafe way from being de-referenced to freed objects. In addition, it can also defend against dangling pointers located on the whole memory, including the stack, the heap, and global memory, rather than the heap only. The defense capability is proved by protecting against two exploits to a real-world program, comparing the support of type-unsafe copy with a self-written program. The performance evaluation of MPChecker with some benchmarks, multi-threaded programs, and real-world programs, shows its comparable efficiency.

Jiayi Ye,Chao Zhang,Xinhui Han

DOI: https://doi.org/10.1145/2660267.2662394

2014-01-01

Abstract:Use-after-free vulnerabilities are gaining more and more attentions in recent years, since they are commonly exploited in applications like browsers, and exposed in abundant security updates, e.g., from Microsoft., Google or Mozilla. This kind of vulnerabilities are triggered by dereferencing a dangling pointer, and may introduce high risks into the system once they are exploited.In this paper, we propose a comprehensive solution called UAFChecker to detect use-after-free vulnerabilities in source code. Our solution utilizes classical static analysis techniques, including taint analysis and symbolic execution, to make an inter-procedural analysis to find as many use-afterfree vulnerabilities as possible, with a low false negative rate and a low false positive rate.We implement a prototype of UAFChecker based on the compiler framework LLVM. We then use the Juliet Test Suite to evaluate LTA FChecker's capability of detecting useafter-free vulnerabilities. Results show that. UAFChecker is able to identify most use-after-free vulnerabilities in the Juliet lest Suite. We also test UAFChecker against two open source applications, and successfully find out all known use-after-free vulnerabilities in them.

Ping Chen

2008-01-01

Abstract:To detect such satety holes in C/C++ programs as memory leak,buffer overflow and invalid pointer reference,a bottom-up global analysis method based on function dependency is studied.And control-flow/data-flow analysis based on safety hole patterns is also studied.A static safety hole analysis framework is proposed and a corresponding tool is developed.By testing,it is shown that the tool can help to detect common safety holes in C/C++ program.In comparison with similar analysis tools,the tool developed supports whole-project analysis,analyzes each function only once and supports customization of safety rules.

Guangquan Xu,Miao Li,Xiaotong Li,Kai Chen,Ran Wang,Wei Wang,Kaitai Liang,Qiang Tang,Shaoying Liu

DOI: https://doi.org/10.1007/978-3-030-67537-0_35

2020-01-01

Abstract:Existing approaches to defending Use-After-Free (UAF) exploits are usually done using static or dynamic analysis. However, both static and dynamic analysis suffer from intrinsic deficiencies. The existing static analysis is limited in handling loops, optimization of memory representation. The existing dynamic analysis, which is characterized by lacking the maintenance of pointer information, may lead to flaws that the relationships between pointers and memory cannot be precisely identified.

Longming Dong,Wei Dong,Liqian Chen

DOI: https://doi.org/10.1109/SERE-C.2012.30

2012-01-01

Abstract:Invalid pointer dereferences, such as null pointer dereferences, dangling pointer dereferences and double frees, are a prevalent source of software bugs in CPS software, due to flexible dereferencing pointers along various pointer fields. Existing tools have high overhead or are incomplete, thereby limiting their efficiency in checking the kind of CPS software with shared and mutable memory. In this paper, we present a novel extended pointer structure for detecting all invalid pointer dereferences in this kind of CPS software. We propose an invalid pointer dereferences detection algorithm based on the uniform transformation of abstract heap states. Experimental evaluation about a set of large C benchmark programs shows that the proposed approach is sufficiently efficient in detecting invalid pointer dereferences of CPS software with shared and mutable memory.

Liang He,Hong Hu,Purui Su,Yan Cai,Zhenkai Liang

2022-01-01

Abstract:Memory-safety issues in operating systems and popular applications are still top security threats. As one widely exploited vulnerability, Use After Free (UAF) resulted in hundreds of new incidents every year. Existing bug diagnosis techniques report the locations that allocate or deallocate the vulnerable object, but cannot provide sufficient information for developers to reason about a bug or synthesize a correct patch. In this work, we identified incorrect reference counting as one common root cause of UAF bugs: if the developer forgets to increase the counter for a newly created reference, the program may prematurely free the actively used object, rendering other references dangling pointers. We call this problem reference miscounting. By proposing an omission-aware counting model, we developed an automatic method, FREEWILL, to diagnose UAF bugs. FREEWILL first reproduces a UAF bug and collects related execution trace. Then, it identifies the UAF object and related references. Finally, FREEWILL compares reference operations with our model to detect reference miscounting. We evaluated FREEWILL on 76 real-world UAF bugs and it successfully confirmed reference miscounting as root causes for 48 bugs and dangling usage for 18 bugs. FREEWILL also identified five null-pointer dereference bugs and failed to analyze five bugs. FREEWILL can complete its analysis within 15 minutes on average, showing its practicality for diagnosing UAF bugs.

Binfa Gui,Wei Song,Jeff Huang

DOI: https://doi.org/10.1145/3460319.3464835

2021-01-01

Abstract:Use-After-Free (UAF) vulnerabilities constitute severe threats to software security. In contrast to other memory errors, UAFs are more difficult to detect through manual or static analysis due to pointer aliases and complicated relationships between pointers and objects. Existing evidence-based dynamic detection approaches only track either pointers or objects to record the availability of objects, which become invalid when the memory that stored the freed object is reallocated. To this end, we propose an approach UAFSan dedicated to comprehensively detecting UAFs at runtime. Specifically, we assign a unique identifier to each newly-allocated object and its pointers; when a pointer dereferences a memory object, we determine whether a UAF occurs by checking the consistency of their identifiers. We implement UAFSan in an open-source tool and evaluate it on a large collection of popular benchmarks and real-world programs. The experiment results demonstrate that UAFSan successfully detect all UAFs with reasonable overhead, whereas existing publicly-available dynamic detectors all miss certain UAFs.

Rui Ma,Lingkui Chen,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.1109/DASC.2013.37

2013-01-01

Abstract:Aiming at the problem of higher memory consumption and lower execution efficiency during the dynamic detecting to C/C++ programs memory vulnerabilities, this paper presents a dynamic detection method called ISC. The ISC improves the Safe-C using pointer analysis technology. Firstly, the ISC defines a simple and efficient fat pointer representation instead of the safe pointer in the Safe-C. Furthermore, the ISC uses the unification-based analysis algorithm with one level flow static pointer. This identification reduces the number of pointers that need to be converted to fat pointers. Then in the process of program running, the ISC detects memory vulnerabilities through constantly inspecting the attributes of fat pointers. Experimental results indicate that the ISC could detect memory vulnerabilities such as buffer overflows and dangling pointers. Comparing with the Safe-C, the ISC dramatically reduces the memory consumption and lightly improves the execution efficiency.

Yu FU,Yi DENG,Xiao-Shan SUN,Liang CHENG,Yang ZHANG,Deng-Guo FENG

DOI: https://doi.org/10.11897/SP.J.1016.2018.00574

2018-01-01

Chinese Journal of Computers

Abstract:Null pointer dereference,which may allow attackers to bypass security logic or reveal sensitive information in operating system,is a common programming bug in C/C++ programs and therefore has been an important research subject in computer security.Many (automatic) analysis tools have been proposed to detect this bug.However,all these tools run on the source code.Many commercial softwares come with no source code,and these tools running on the source code cannot detect null pointer dereferences in them.Some null pointer dereference defects are introduced by the compiling configurations or the compiler's optimizations and the tools running on the source code cannot detect them as well.So it is necessary to develop tools that can detect null pointer dereference directly on the binaries.One advantage of null pointer dereference detection on the binaries is that the library code will be included in the analysis and the source code based detections usually use crafted summaries for the library function which may lower the precision and recall.In this paper,we present and implement NPtrChecker,the first analysis tool for null pointer dereferences detection,which accepts binary programs as inputs,outputs the location where null pointers come from,where dereferences occur and the corresponding path conditions.One difficulty of null pointer dereferences detection on the binaries is that the information about pointer type and structure type is missing in binaries.Without these information,the detection can have bad performance on accuracy.However,it is hard to recover the data structure definitions from the binaries.We propose a memory model to differentiate different fields of data structures without restoring the data structures and type information.This memory model is the basis of our field sensitive pointer analysis for null pointer dereference analysis.We continue to design a context sensitive dataflow analysis algorithm based on the function summary techniques,and the algorithm improves the precision of the analysis.To reduce false positives as many as possible,we also leverage weakest precondition to filter out the unreachable paths reported by dataflow analysis.The report will be removed if the path conditions from source to the sink that dereferences the pointer cannot be satisfied.We apply NPtrChecker to 11 programs in the SPEC2000 benchmark and 37 suspicious null pointer dereference defects are reported.Among them 22 reports are proved to be true defects by manual examinations.In contrast,the tool Saturn reports 92 defects and only 13 are true positive and LUKE reports 3 defects and only 2 are true positive.This shows that our method can detects more null pointer dereferences and keep the false positive at low level.

Daliang Xu,Dongwei Chen,Chun Yang,KangSun,Xu Cheng,Dong Tong

2020-01-01

Abstract:Use-After-Free vulnerabilities, allowing the attacker to access unintended memory via dangling pointers, are more threatening. However, most detection schemes can only detect dangling pointers and invalid them, but not provide a tolerance mechanism to repair the errors at runtime. Also, these techniques obtain and manage the metadata inefficiently with complex structures and too much scan (sweep). The goal of this paper is to use compiler instrumentation to eliminate dangling pointers automatically and efficiently. In this paper, we observe that most techniques lack accurate efficient pointer graph metadata maintaining methods, so they need to scan the log to reduce the redundancy and sweep the whole address space to find dangling pointers. Also, they lack a direct, efficiently obtaining metadata approach. The key insight of this paper is that a unique identifier can be used as a key to a hash or direct-map algorithm. Thus, this paper maintains the same implicit identifier with each memory object and its corresponding referent. Associating the unique ID with metadata for memory objects, obtaining and managing the pointer graph metadata can be efficiently. Therefore, with the delayed free technique adopted into C/C++, we present the DangKiller as a novel and lightweight dangling pointer elimination solution. We first demonstrate the MinFat Pointer, which can calculate unique implicit ID for each object and pointer quickly, and use hash algorithm to obtain metadata. Secondly, we propose the Log Cache and Log Compression mechanism based on the ID to decrease the redundancy of dangling pointer candidates. Coupled with the Address Tagging architecture on an ARM64 system, our experiments show that the DangKiller can eliminate use-after-free vulnerabilities at only 11% and 3% runtime overheads for the SPEC CPU2006 and 2017 benchmarks respectively, except for unique cases.

Rui Ma,Lingkui Chen,Changzhen Hu,Jingfeng Xue,Xiaolin Zhao

DOI: https://doi.org/10.1109/DASC.2013.37

2013-01-01

Abstract:Aiming at the problem of higher memory consumption and lower execution efficiency during the dynamic detecting to C/C++ programs memory vulnerabilities, this paper presents a dynamic detection method called ISC. The ISC improves the Safe-C using pointer analysis technology. Firstly, the ISC defines a simple and efficient fat pointer representation instead of the safe pointer in the Safe-C. Furthermore, the ISC uses the unification-based analysis algorithm with one level flow static pointer. This identification reduces the number of pointers that need to be converted to fat pointers. Then in the process of program running, the ISC detects memory vulnerabilities through constantly inspecting the attributes of fat pointers. Experimental results indicate that the ISC could detect memory vulnerabilities such as buffer overflows and dangling pointers. Comparing with the Safe-C, the ISC dramatically reduces the memory consumption and lightly improves the execution efficiency.

Sun Tao,Gong Yunzhan,Jin Dahai

2010-01-01

Journal of Computer Research and Development

Abstract:Dangling pointer in computer programming is pointer that does not point to any valid object,and it may cause unpredictable behavior which is difficult to find the reason.In this paper,an analysis and a model of dangling pointer fault in C/C+ + are proposed.Design and implementation of detecting dangling pointer fault are made based on static analysis.Using method summary,the detection of intra-procedural and inter-procedural dangling pointer faults is implemented.The experiment shows that the method has good performance.And it has been used in defect testing systems.

Yuexing Wang,Guang Chen,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ASE.2019.00129

2019-01-01

Abstract:ABSTRACTPrecise pointer analysis is desired since it is a core technique to find memory defects. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. For static analysis tools utilizing pointer analysis, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents TsmartGP, a static analysis tool for finding memory defects in C programs with a precise and efficient pointer analysis. The pointer analysis algorithm is flow, context, field, and quasi path sensitive. Control flow automatons are the key structures for our analysis to be flow sensitive. Function summaries are applied to get context information and elements of aggregate structures are handled to improve precision. Path conditions are used to filter unreachable paths. For efficiency, a multi-entry mechanism is proposed. Utilizing the pointer analysis algorithm, we implement a checker in TsmartGP to find uninitialized pointer errors in 13 real-world applications. Cppcheck and Clang Static Analyzer are chosen for comparison. The experimental results show that TsmartGP can find more errors while its accuracy is also higher than Cppcheck and Clang Static Analyzer. The demo video is available at https://youtu.be/IQlshemk6OA.

Yang Bai,Yuping Wang

DOI: https://doi.org/10.3969/j.issn.2095-2783.2014.10.009

2014-01-01

Abstract:Null pointer dereference error is a common bug,which is hard to detect and avoid.A flow-sensitive,path-sensitive and context-sensitive static analysis method is proposed,combined traditional static analysis methods and symbolic execution.Global pointers,local pointers and pointers as function parameters are modeled to simplify the positions of pointers.Pointer states are passed among functions.Constraint solving method is used to determine the path reachability.When completing analyzing a func-tion,pointer states are merged.Furthermore,manual bug trigger conditions annotation is used to improve the efficiency.Experi-ments show that the method is feasible and efficient for all kinds of null pointer dereference errors.

Liu Xin,Cai Wandong

DOI: https://doi.org/10.1109/iccsn.2011.6013559

2011-01-01

Abstract:In this article we address program errors, and through the static code analysis. First, we use inter-procedural based on analysis and blunt insensitive vulnerability testing model, — extracted from the source code. Second, we use of model checking to solve the model. In addition, we do alias analysis method is correct and accuracy testing model. This paper proposed concepts are aimed at those general class buffer of those loopholes and can be applied to the detection of buffer overrun vulnerabilities types such as format string of attacks, and the test code injection. In order to evaluate the effectiveness of CodeAuditor, use the tool to detect the loophole few C affinity grams. We take six open source applications as a test. Experimental results show that, 18 previously unknown vulnerabilities in six open source applications have found our tools. The observation is false positives in about 23%.

Hao Zhang,Ji Luo,Mengze Hu,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/icse48619.2023.00098

2023-01-01

Abstract:Exception handling is a mechanism in modern programming languages. Studies have shown that the exception handling code is error-prone. However, there is still limited research on detecting exception handling bugs, especially for C++ programs. To tackle the issue, we try to precisely represent the exception control flow in C++ programs and propose an analysis method that makes use of the control flow to detect such bugs. More specifically, we first extend control flow graph by introducing the concepts of five different kinds of basic blocks, and then modify the classic symbolic execution framework by extending the program state to a quadruple and properly processing try, throw and catch statements. Based on the above techniques, we develop a static analysis tool on the top of Clang Static Analyzer to detect exception handling bugs. We run our tool on projects with high stars from GitHub and find 36 exception handling bugs in 8 projects, with a precision of 84%. We compare our tool with four state-of-the-art static analysis tools (Cppcheck, Clang Static Analyzer, Facebook Infer and IKOS) on projects from GitHub and handmade benchmarks. On the GitHub projects, other tools are not able to detect any exception handling bugs found by our tool. On the handmade benchmarks, our tool has a significant higher recall.

Xun An

2024-10-09

Abstract:The widespread presence of Use-After-Free (UAF) vulnerabilities poses a serious threat to software security, with dangling pointers being considered the primary cause of these vulnerabilities. However, existing methods for defending against UAF vulnerabilities by eliminating dangling pointers need to interrupt the program's execution when encountering pointer assignment operations in order to store the memory addresses of the pointers in a specific data structure. This makes these methods not lightweight. To overcome this drawback, we propose a novel approach called LightDE. This method does not require storing the memory addresses of pointers during program execution. LightDE uses our proposed structure-sensitive pointer analysis method to determine which objects pointers point to and stores the pointing relationships in the program's data segment during program compilation. Since LightDE only needs to verify if pointers identified by the pointer analysis point to released objects when eliminating dangling pointers, it is very lightweight. Our experimental results show that LightDE can effectively defend against UAF vulnerabilities and the performance overhead it introduces is very low.

Cryptography and Security

Zhijian Huang,Yong Jun Wang,Jing Liu

DOI: https://doi.org/10.1587/transinf.2018edl8040

2018-01-01

IEICE Transactions on Information and Systems

Abstract:The rising systems programming language Rust is fast, efficient and memory safe. However, improperly dereferencing raw pointers in Rust causes new safety problems. In this paper, we present a detailed analysis into these problems and propose a practical hybrid approach to detecting unsafe raw pointer dereferencing behaviors. Our approach employs pattern matching to identify functions that can be used to generate illegal multiple mutable references (We define them as thief function) and instruments the dereferencing operation in order to perform dynamic checking at runtime. We implement a tool named UnsafeFencer and has successfully identified 52 thief functions in 28 real-world crates*, of which 13 public functions are verified to generate multiple mutable references.