Qian Wang,Dahai Jin,Yunzhan Gong

DOI: https://doi.org/10.1109/APSEC.2013.80

2013-01-01

Abstract:Null dereferences are commonly occurring bugs in programming languages such as C. In this paper, we present a novel approach that performs a backward dataflow analysis to detect null-dereference bugs. The technical innovation of our approach is that owing to aliasing predicates, it can perform strong updates in the presence of aliasing, thus eliminating false positives. The aliasing predicates are introduced on the premise of a canonical representation for the program being analyzed. Moreover, the other features of our approach also contribute to improve accuracy. We have implemented this approach, and give an evaluation of it on a set of open source benchmarks. The experimental results prove the effectiveness of our approach, and show that it is suitable for exploring large real programs with reasonable accuracy.

Yu FU,Yi DENG,Xiao-Shan SUN,Liang CHENG,Yang ZHANG,Deng-Guo FENG

DOI: https://doi.org/10.11897/SP.J.1016.2018.00574

2018-01-01

Chinese Journal of Computers

Abstract:Null pointer dereference,which may allow attackers to bypass security logic or reveal sensitive information in operating system,is a common programming bug in C/C++ programs and therefore has been an important research subject in computer security.Many (automatic) analysis tools have been proposed to detect this bug.However,all these tools run on the source code.Many commercial softwares come with no source code,and these tools running on the source code cannot detect null pointer dereferences in them.Some null pointer dereference defects are introduced by the compiling configurations or the compiler's optimizations and the tools running on the source code cannot detect them as well.So it is necessary to develop tools that can detect null pointer dereference directly on the binaries.One advantage of null pointer dereference detection on the binaries is that the library code will be included in the analysis and the source code based detections usually use crafted summaries for the library function which may lower the precision and recall.In this paper,we present and implement NPtrChecker,the first analysis tool for null pointer dereferences detection,which accepts binary programs as inputs,outputs the location where null pointers come from,where dereferences occur and the corresponding path conditions.One difficulty of null pointer dereferences detection on the binaries is that the information about pointer type and structure type is missing in binaries.Without these information,the detection can have bad performance on accuracy.However,it is hard to recover the data structure definitions from the binaries.We propose a memory model to differentiate different fields of data structures without restoring the data structures and type information.This memory model is the basis of our field sensitive pointer analysis for null pointer dereference analysis.We continue to design a context sensitive dataflow analysis algorithm based on the function summary techniques,and the algorithm improves the precision of the analysis.To reduce false positives as many as possible,we also leverage weakest precondition to filter out the unreachable paths reported by dataflow analysis.The report will be removed if the path conditions from source to the sink that dereferences the pointer cannot be satisfied.We apply NPtrChecker to 11 programs in the SPEC2000 benchmark and 37 suspicious null pointer dereference defects are reported.Among them 22 reports are proved to be true defects by manual examinations.In contrast,the tool Saturn reports 92 defects and only 13 are true positive and LUKE reports 3 defects and only 2 are true positive.This shows that our method can detects more null pointer dereferences and keep the false positive at low level.

Xiaodong Ma,Ji Wang,Wei Dong

DOI: https://doi.org/10.1007/978-3-540-88479-8_18

2008-01-01

Abstract:This paper presents a novel algorithm to detect null pointer dereference errors. The algorithm utilizes both of the must and may alias information in a compact way to improve the precision of the detection. Using may alias information obtained by a fast flow- and context- insensitive analysis algorithm, we compute the must alias generated by the assignment statements and the must alias information is also used to improve the precision of the may alias. We can strong update more expressions using the must alias information, which will reduce the false positives of the detection for null pointer dereference. We have implemented our algorithm in the SUIF2 compiler infrastructure and the experiments results are as expected.

Yang Bai,Yuping Wang

DOI: https://doi.org/10.3969/j.issn.2095-2783.2014.10.009

2014-01-01

Abstract:Null pointer dereference error is a common bug,which is hard to detect and avoid.A flow-sensitive,path-sensitive and context-sensitive static analysis method is proposed,combined traditional static analysis methods and symbolic execution.Global pointers,local pointers and pointers as function parameters are modeled to simplify the positions of pointers.Pointer states are passed among functions.Constraint solving method is used to determine the path reachability.When completing analyzing a func-tion,pointer states are merged.Furthermore,manual bug trigger conditions annotation is used to improve the efficiency.Experi-ments show that the method is feasible and efficient for all kinds of null pointer dereference errors.

Sen Ma,MingYang Jiao,ShiKun Zhang,Wen Zhao,Dong Wei Wang

DOI: https://doi.org/10.1109/issrew.2015.7392049

2015-01-01

Abstract:This paper proposes a practical static analysis tool named LUKE, for detecting null pointer dereferences (NPD) in C programs. LUKE first uses a guarded value-dependence graph (VDG) to track the dependence relations of values, and then detects NPD by solving the graph reachability problem on its VDG. To improve accuracy as well as scalability, the detection algorithm leverages heuristic inference algorithms and the results of control dependences analysis. We evaluated LUKE on 10 large-scale open source projects, and the results show that LUKE has a false positive rate of only 4.3%, which is much lower than Clang, Saturn and Calysto. The analysis speed is also 4.6X, 15.5X and 17.9X faster, respectively. On the evaluated benchmarks, LUKE succeeds in finding a superset of the bugs reported by the published tools we investigated. We also show that LUKE scales to 416,500 lines of code, the largest benchmark we had.

Dongfang Xie,Bihuan Chen,Kaifeng Huang,Yu Wang,Linghao Pan,Zhicheng Chen,Xin Peng

DOI: https://doi.org/10.1109/saner60148.2024.00093

2024-01-01

Abstract:Null pointer dereference raises Null Pointer Exceptions (NPEs). There are two groups of approaches to detect NPEs. Type-based approaches carry out strict type-based null safety checking. They heavily rely on annotations, and thus produce many false positives. Dataflow-based approaches leverage static forward and/or backward dataflow analysis. They mostly have a limited capability in tracking fields and interprocedural analysis, and introduce false positives and false negatives. To address these drawbacks, we propose Wheeljack to detect NPEs for Java. It does not rely on annotations, and hence can work effectively under a lack of annotations. It leverages our novel abstraction of nullness status to enhance field tracking, and our novel invocation analysis (capturing change to return value and side effect of an invocation) to enhance interprocedural analysis. Our evaluation on 28 Java projects has demonstrated that Wheeljack can mostly outperform the four state-of-the-art NPE detectors in recall without sacrificing precision. 5 and 2 new NPEs have been confirmed and fixed by developers after we submit 8 issues.

Sam Estep,Jenna Wise,Jonathan Aldrich,Éric Tanter,Johannes Bader,Joshua Sunshine

DOI: https://doi.org/10.48550/arXiv.2105.06081

2021-07-15

Abstract:Static analysis tools typically address the problem of excessive false positives by requiring programmers to explicitly annotate their code. However, when faced with incomplete annotations, many analysis tools are either too conservative, yielding false positives, or too optimistic, resulting in unsound analysis results. In order to flexibly and soundly deal with partially-annotated programs, we propose to build upon and adapt the gradual typing approach to abstract-interpretation-based program analyses. Specifically, we focus on null-pointer analysis and demonstrate that a gradual null-pointer analysis hits a sweet spot, by gracefully applying static analysis where possible and relying on dynamic checks where necessary for soundness. In addition to formalizing a gradual null-pointer analysis for a core imperative language, we build a prototype using the Infer static analysis framework, and present preliminary evidence that the gradual null-pointer analysis reduces false positives compared to two existing null-pointer checkers for Infer. Further, we discuss ways in which the gradualization approach used to derive the gradual analysis from its static counterpart can be extended to support more domains. This work thus provides a basis for future analysis tools that can smoothly navigate the tradeoff between human effort and run-time overhead to reduce the number of reported false positives.

Programming Languages

Longming Dong,Wei Dong,Liqian Chen

DOI: https://doi.org/10.1109/SERE-C.2012.30

2012-01-01

Abstract:Invalid pointer dereferences, such as null pointer dereferences, dangling pointer dereferences and double frees, are a prevalent source of software bugs in CPS software, due to flexible dereferencing pointers along various pointer fields. Existing tools have high overhead or are incomplete, thereby limiting their efficiency in checking the kind of CPS software with shared and mutable memory. In this paper, we present a novel extended pointer structure for detecting all invalid pointer dereferences in this kind of CPS software. We propose an invalid pointer dereferences detection algorithm based on the uniform transformation of abstract heap states. Experimental evaluation about a set of large C benchmark programs shows that the proposed approach is sufficiently efficient in detecting invalid pointer dereferences of CPS software with shared and mutable memory.

Shujuan Jiang,Wei Li,Haiyang Li,Yanmei Zhang,Hongchang Zhang,Yingqi Liu

DOI: https://doi.org/10.1109/qsic.2012.36

2012-01-01

Abstract:Null pointer exception is a commonly occurring error in Java programs, and many static analysis tools can identify such errors. However, most of existing tools are pure static analysis and suffer from the common problems of the pure static approaches. In this paper, we present a new approach for identifying null dereferences by combining the dynamically generated information (from the stack trace) with the static analysis. Starting at a dereference statement, where the null pointer exception occurred, our approach performs a backward program slicing guided by the stack trace. Then it performs the null identifying analysis and alias analysis on the sliced program. The approach also visualizes the analysis results and the related source codes. Finally, the paper also presents an implementation of the null pointer exception analysis. The results show the advantage of our approach for locating null pointer exception.

Ankush Das,Akash Lal

DOI: https://doi.org/10.48550/arXiv.1702.05807

2017-02-20

Abstract:Precise analysis of pointer information plays an important role in many static analysis techniques and tools today. The precision, however, must be balanced against the scalability of the analysis. This paper focusses on improving the precision of standard context and flow insensitive alias analysis algorithms at a low scalability cost. In particular, we present a semantics-preserving program transformation that drastically improves the precision of existing analyses when deciding if a pointer can alias NULL. Our program transformation is based on Global Value Numbering, a scheme inspired from compiler optimizations literature. It allows even a flow-insensitive analysis to make use of branch conditions such as checking if a pointer is NULL and gain precision. We perform experiments on real-world code to measure the overhead in performing the transformation and the improvement in the precision of the analysis. We show that the precision improves from 86.56% to 98.05%, while the overhead is insignificant.

Programming Languages

Yu-kun DONG,Yun-zhan GONG,Da-hai JIN

DOI: https://doi.org/10.3969/j.issn.0372-2112.2014.09.013

2014-01-01

Abstract:In order to fully detect null pointer dereference for C procedures ,this paper introduces a method based on region-based memory model .Firstly ,region-based symbolic three-valued logic (RSTVL ) is proposed ,which can describe shape of data structures ,all kinds of memory states and relations of addressable expressions .Then ,an approach to fully recognizing pointer deref-erences based on abstract syntax tree and procedure summary is introduced .Furthermore ,this paper introduces a null pointer derefer-ence detection method ,which translates pointer dereference detection into region detection applying the result of data flow analysis based on RSTVL ,and detects interprocedural null pointer dereference based on procedure summary .Experiment results show that compared with DTSC-STVL and Klocwork9 ,the proposed method could dramatically reduce null pointer dereference false negative on the precondition of guarantee the detection precision .

Rulin Xu,Luohui Chen,Ruyi Zhang,Yuanliang Zhang,Wei Xiao,Haifang Zhou,Xiaoguang Mao

DOI: https://doi.org/10.1145/3671016.3671385

2024-01-01

Abstract:High-precision static analysis can effectively detect Null Pointer Dereference (NPD) vulnerabilities in C language, but the performance overhead is significant. In recent years, researchers have attempted to enhance the efficiency of static analysis by leveraging multicore resources. However, due to complex dependencies in the analysis process, the parallelization of static value-flow NPD analysis for large-scale software still faces significant challenges. It is difficult to achieve a good balance between detection efficiency and accuracy, which impacts its application.This paper presents PANDA, the first parallel detector for high-precision static value-flow NPD analyzer in the C language. The core idea of PANDA is to utilize dependency analysis to ensure high precision while decoupling the strong dependencies between static value-flow analysis steps. This transforms the traditionally challenging-to-parallelize NPD analysis into two parallelizable algorithms: function summarization and combined query-based vulnerability analysis. PANDA introduces a task-level parallel framework and enhances it with a dynamic scheduling method to parallel schedule the above two key steps, significantly improving the performance and scalability of memory vulnerability detection.Fully implemented within the LLVM framework (version 15.0.7), PANDA demonstrates a significant advantage in balancing accuracy and efficiency compared to current popular open-source detection tools. In precision-targeted benchmark tests, PANDA maintains a false positive rate within 3.17% and a false negative rate within 5.16%; in historical CVE detection rate tests, its recall rate far exceeds that of comparative open-source tools. In performance evaluations, compared to its serial version, PANDA achieves up to an 11.23-fold speedup on a 16-node server, exhibiting outstanding scalability.

Christopher L. Conway,Kedar S. Namjoshi,Dennis Dams,Stephen A. Edwards

DOI: https://doi.org/10.1007/11513988_45

2005-01-01

Abstract:Automaton-based static program analysis has proved to be an effective tool for bug finding. Current tools generally re-analyze a program from scratch in response to a change in the code, which can result in much duplicated effort. We present an inter-procedural algorithm that analyzes incrementally in response to program changes and present experiments for a null-pointer dereference analysis. It shows a substantial speed-up over re-analysis from scratch, with a manageable amount of disk space used to store information between analysis runs.

Dongliang Mu,Wenbo Guo,Alejandro Cuevas,Yueqi Chen,Jinxuan Gai,Xinyu Xing,Bing Mao,Chengyu Song

DOI: https://doi.org/10.1109/ase.2019.00090

2019-01-01

Abstract:Reverse execution and coredump analysis have long been used to diagnose the root cause of software crashes. Each of these techniques, however, face inherent challenges, such as insufficient capability when handling memory aliases. Recent works have used hypothesis testing to address this drawback, albeit with high computational complexity, making them impractical for real world applications. To address this issue, we propose a new deep neural architecture, which could significantly improve memory alias resolution. At the high level, our approach employs a recurrent neural network (RNN) to learn the binary code pattern pertaining to memory accesses. It then infers the memory region accessed by memory references. Since memory references to different regions naturally indicate a non-alias relationship, our neural architecture can greatly reduce the burden of doing hypothesis testing to track down non-alias relation in binary code. Different from previous researches that have utilized deep learning for other binary analysis tasks, the neural network proposed in this work is fundamentally novel. Instead of simply using off-the-shelf neural networks, we designed a new recurrent neural architecture that could capture the data dependency between machine code segments. To demonstrate the utility of our deep neural architecture, we implement it as RENN, a neural network-assisted reverse execution system. We utilize this tool to analyze software crashes corresponding to 40 memory corruption vulnerabilities from the real world. Our experiments show that RENN can significantly improve the efficiency of locating the root cause for the crashes. Compared to a state-of-the-art technique, RENN has 36.25% faster execution time on average, detects an average of 21.35% more non-alias pairs, and successfully identified the root cause of 12.5% more cases.

Md. Fahim Sultan,Tasmin Karim,Md. Shazzad Hossain Shaon,Mohammad Wardat,Mst Shapna Akter

2024-11-30

Abstract:Software security is crucial in any field where breaches can exploit sensitive data, and lead to financial losses. As a result, vulnerability detection becomes an essential part of the software development process. One of the key steps in maintaining software integrity is identifying vulnerabilities in the source code before deployment. A security breach like CWE-476, which stands for NULL pointer dereferences (NPD), is crucial because it can cause software crashes, unpredictable behavior, and security vulnerabilities. In this scientific era, there are several vulnerability checkers, where, previous tools often fall short in analyzing specific feature connections of the source code, which weakens the tools in real-world scenarios. In this study, we propose another novel approach using a fine-tuned Large Language Model (LLM) termed "DeLLNeuN". This model leverages the advantage of various layers to reduce both overfitting and non-linearity, enhancing its performance and reliability. Additionally, this method provides dropout and dimensionality reduction to help streamline the model, making it faster and more efficient. Our model showed 87% accuracy with 88% precision using the Draper VDISC dataset. As software becomes more complex and cyber threats continuously evolve, the need for proactive security measures will keep growing. In this particular case, the proposed model looks promising to use as an early vulnerability checker in software development.

Software Engineering

Rulin Xu,Xiaoguang Mao,Luohui Chen,Yue Yu

DOI: https://doi.org/10.1109/jcc59055.2023.00014

2023-01-01

Abstract:Memory vulnerability detection aims to identify software defects that can compromise memory safety. However, existing methods often struggle to achieve both high precision and efficiency. This paper presents a high-precision memory vulnerability detection approach based on value flow analysis and parallel computing. We first construct a static semantic representation called SVFG to enable precise detection of memory vulnerabilities such as null pointer dereference and use-after-free. We then perform dependency-aware path feasibility analysis using an SMT solver to reduce false positives. Finally, we develop a task-level parallel framework to accelerate the constraint solving process and improve efficiency.We evaluate our approach on the Juliet test set of over 2,000 test cases and 7 open-source projects. Experimental results show that our dependency-aware analysis can achieve 0.5%-2.05% false positive rates, outperforming traditional approaches and existing tools. Our task-level parallel framework can achieve up to 3.25x speedup with 4 computing nodes.Our study demonstrates that combining value flow analysis and parallel computing is a promising way to enable highly precise and efficient detection of memory vulnerabilities. For future work, we plan to integrate pointer analysis to support more complex codes, and optimize the granularity of parallelism to improve scalability. Overall, this paper presents a static analysis based method to address the inherent trade-off between precision and efficiency in memory vulnerability detection.

Xi Wang,Nickolai Zeldovich,M. Frans Kaashoek,Armando Solar-Lezama

DOI: https://doi.org/10.1145/2699678

2015-03-11

ACM Transactions on Computer Systems

Abstract:This article studies undefined behavior arising in systems programming languages such as C/C++. Undefined behavior bugs lead to unpredictable and subtle systems behavior, and their effects can be further amplified by compiler optimizations. Undefined behavior bugs are present in many systems, including the Linux kernel and the Postgres database. The consequences range from incorrect functionality to missing security checks. This article proposes a formal and practical approach that finds undefined behavior bugs by finding “unstable code” in terms of optimizations that leverage undefined behavior. Using this approach, we introduce a new static checker called S tack that precisely identifies undefined behavior bugs. Applying S tack to widely used systems has uncovered 161 new bugs that have been confirmed and fixed by developers.

computer science, theory & methods

Mohamed A. El-Zawawy

DOI: https://doi.org/10.48550/arXiv.1112.3756

2011-12-16

Programming Languages

Abstract:The use of pointers and data-structures based on pointers results in circular memory references that are interpreted by a vital compiler analysis, namely pointer analysis. For a pair of memory references at a program point, a typical pointer analysis specifies if the points-to relation between them may exist, definitely does not exist, or definitely exists. The "may be" case, which describes the points-to relation for most of the pairs, cannot be dealt with by most compiler optimizations. This is so to guarantee the soundness of these optimizations. However, the "may be" case can be capitalized by the modern class of speculative optimizations if the probability that two memory references alias can be measured. Focusing on multithreading, a prevailing technique of programming, this paper presents a new flow-sensitive technique for probabilistic pointer analysis of multithreaded programs. The proposed technique has the form of a type system and calculates the probability of every points-to relation at each program point. The key to our approach is to calculate the points-to information via a post-type derivation. The use of type systems has the advantage of associating each analysis results with a justification (proof) for the correctness of the results. This justification has the form of a type derivation and is very much required in applications like certified code.

Sun Tao,Gong Yunzhan,Jin Dahai

2010-01-01

Journal of Computer Research and Development

Abstract:Dangling pointer in computer programming is pointer that does not point to any valid object,and it may cause unpredictable behavior which is difficult to find the reason.In this paper,an analysis and a model of dangling pointer fault in C/C+ + are proposed.Design and implementation of detecting dangling pointer fault are made based on static analysis.Using method summary,the detection of intra-procedural and inter-procedural dangling pointer faults is implemented.The experiment shows that the method has good performance.And it has been used in defect testing systems.

Huang Bo,Zang Binyu,Li Jing,Zhu Chuanqi

DOI: https://doi.org/10.1007/bf02943202

2001-01-01

Abstract:Pointer analysis is a technique to identify at compile-time the potential values of the pointer expressions in a program, which promises significant benefits for optimizing and parallelizing compilers. In this paper, a new approach to pointer analysis for assignments is presented. In this approach, assignments are classified into three categories: pointer assignments, structure (union) assignments and normal assignments which don’t affect the point-to information. Pointer analyses for these three kinds of assignments respectively make up the integrated algorithm. When analyzing a pointer assignment, a new method called expression expansion is used to calculate both the left targets and the right targets. The integration of recursive data structure analysis into pointer analysis is a significant originality of this paper, which uniforms the pointer analysis for heap variables and the pointer analysis for stack variables. This algorithm is implemented in Agassiz, an analyzing tool for C programs developed by Institute of Parallel Processing, Fudan University Its accuracy and effectiveness are illustrated by experimental data.