Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Ping Chen

2008-01-01

Abstract:To detect such satety holes in C/C++ programs as memory leak,buffer overflow and invalid pointer reference,a bottom-up global analysis method based on function dependency is studied.And control-flow/data-flow analysis based on safety hole patterns is also studied.A static safety hole analysis framework is proposed and a corresponding tool is developed.By testing,it is shown that the tool can help to detect common safety holes in C/C++ program.In comparison with similar analysis tools,the tool developed supports whole-project analysis,analyzes each function only once and supports customization of safety rules.

JiaYu Li,Ye Yao,Yian Zhu,Mutitaba,Yongkai Zhang,Hang Li

DOI: https://doi.org/10.1109/icnisc60562.2023.00011

2023-01-01

Abstract:The paper presented and implemented a C-Scanner source code vulnerability detection tool, which can solve the buffer overflow problem. The main idea was to rewrite the source code of a C or C++, so that the resulting code contained the safe version of the old vulnerable functions, which may contain a buffer overflow security problem. If rewriting was not possible, due to some reasons, a warning was issued along with a hint to solve the problem if it was possible. C-Scanner in this paper took the C or C++ source code as input, and then it did a parsing process. Every time it encountered a vulnerable function call, it classified this function call. If this function call was belonging to a category of its interest, then it would rewrite this vulnerable function by a safe version, which prevented the buffer overflow vulnerability.

Zhe Chen,Qi Zhang,Jun Wu,Junqi Yan,Jingling Xue

DOI: https://doi.org/10.1109/tse.2022.3210580

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:Low-level control makes C unsafe, resulting in memory errors that can lead to data corruption, security vulnerabilities or program crashes. Dynamic analysis tools, which have been widely used for detecting memory errors at runtime, usually perform instrumentation at the IR or binary level. However, these non-source-level instrumentation frameworks and tools suffer from two inherent drawbacks: optimization sensitivity and platform dependence. Due to optimization sensitivity, the user of these tools must trade either performance for effectiveness by compiling the program at -O0 or effectiveness for performance by compiling the program at a higher optimization level, say, -O3. In this paper, we propose a new source-level instrumentation framework to overcome these two drawbacks, and implement it in a new dynamic analysis tool, called Movec, that adopts a pointer-based monitoring algorithm. We have evaluated Movec comprehensively by using the NIST's SARD benchmark suite (1152 programs), a set of 126 microbenchmarks (with ground truth), a set of 20 MiBench benchmarks and 5 pure-C SPEC CPU 2017 benchmarks. In terms of effectiveness, Movec outperforms three state-of-the-art dynamic analysis tools, AddressSanitizer, SoftBoundCETS and Valgrind, for all the standard optimization levels (from -O0 to -O3). In terms of performance, Movec outperforms SoftBoundCETS and Valgrind, and is slower than AddressSanitizer but consumes less memory.

engineering, electrical & electronic,computer science, software engineering

Zhenbo Xu,Jian Zhang,Zhongxing Xu,Jiteng Wang

DOI: https://doi.org/10.1145/2610384.2628050

2014-01-01

Abstract:Symbolic analysis is a commonly used approach for static bug finding. It usually performs a precise path-by-path symbolic simulation from program inputs. A major challenge is its scalability and precision on interprocedural analysis. The former limits the application to large programs. The latter may lead to many false alarms. This paper presents a flexible, scalable and practical static bug detection tool, called Canalyze, for C programs. The flexibility is embodied in our modular design that supports different precision-level constraint solvers and interprocedural analyses. Based on these options, one can enable the less precise options to achieve a more scalable analysis or the more time-consuming options to perform a more precise analysis. Our tool is also practical to analyze real-world applications. It has been applied to some industry systems and open source programs like httpd, lighttpd, etc. And hundreds of newly found bugs were confirmed by the maintainers of our benchmarks.

Lin Yi,Shao Beibei

DOI: https://doi.org/10.3969/j.issn.1009-623X.2009.09.022

2009-01-01

Abstract:The C++ programming language is growing in importance and being used for critical systems. This is due largely to the inherent language flexibility,the extensive support and its potential for portability across a wide range of hardwares. However,no programming language can guarantee that the final executable code will behave exactly as the programmer intends. MISRA C++:2008 seeks to promote the safest possible use of C ++ in an embedded application system. This paper provides an introduction to MISRA C++:2008 for embedded application engineers.

Boqin Qin,Yilun Chen,Haopeng Liu,Hua Zhang,Qiaoyan Wen,Linhai Song,Yiying Zhang

DOI: https://doi.org/10.1109/tse.2024.3380393

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Rust is a relatively new programming language designed for systems software development. Its objective is to combine the safety guarantees typically associated with high-level languages with the performance efficiency often found in executable programs implemented in low-level languages. The core design of Rust is a set of strict safety rules enforced through compile-time checks. However, to support more low-level controls, Rust also allows programmers to bypass its compiler checks by writing unsafe code. As the adoption of Rust grows in the development of safety-critical software, it becomes increasingly important to understand what safety issues may elude Rust’s compiler checks and manifest in real Rust programs.In this paper, we conduct a comprehensive, empirical study of Rust safety issues by close, manual inspection of 70 memory bugs, 100 concurrency bugs, and 110 programming errors leading to unexpected execution panics from five open-source Rust projects, five widely-used Rust libraries, and two online security databases. Our study answers three important questions: what memory-safety issues real Rust programs have, what concurrency bugs Rust programmers make, and how unexpected panics in Rust programs are caused. Our study reveals interesting real-world Rust program behaviors and highlights new issues made by Rust programmers. Building upon the findings of our study, we design and implement five static detectors. After being applied to the studied Rust programs and another 12 selected Rust projects, our checkers pinpoint 96 previously unknown bugs and report a negligible number of false positives, confirming their effectiveness and the value of our empirical study.

Deng Fan,Liu Jian

DOI: https://doi.org/10.3969/j.issn.1007-7820.2009.02.007

2009-01-01

Abstract:Safety vulnerabilities related to exception in C++ programs and the consequent resource leak,control flow errors or data flow errors are analyzed.Representations of several familiar vulnerabilities are listed,and their causes and characteristics are analyzed with detailed examples.The corresponding suggestions for safety programming are put forward.

Yu Tan,Dianfu Ma,Lei Qiao

DOI: https://doi.org/10.1155/2021/8352267

2021-01-01

Wireless Communications and Mobile Computing

Abstract:With the rapid increase in the number of wireless terminals and the openness of wireless networks, the security of wireless communication is facing serious challenges. The safety and security of computer communication have always been a research hotspot, especially the wireless communication that still has a more complex architecture which leads to more safety problems in the communication system development. In recent years, more and more wireless communication systems are applied in the safety-critical field which tends to need high safety guarantees. A compiler is an important tool for system development, and its safety and reliability have an important impact on the development of safety-critical software. As the strictest method, formal verification methods have been widely paid attention to in compiler verification, but the current formal verification methods have some problems, such as high proof complexity, weak verification ability, and low algorithm efficiency. In this paper, a compiler formal verification method based on safety C subsets is proposed. By abstracting the concept of C grammar units from safety C subsets, the formal verification of the compiler is transformed into the verification of limited C grammar units. In this paper, an axiom system of first-order logic and special axioms are introduced. On this axiom system, the semantic consistency verification of C grammar unit and target code pattern is completed by means of theorem proving, and the formal verification of the compiler is completed.

YANG Yang,ZHANG Huan-guo,WANG Hou-zhen

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.06.036

2010-01-01

Computer Science

Abstract:Symbolic execution is an effective and automatic bug-finding method.But symbolic execution is limited in practice by the computation cost and path explosion.We presented a tool for full-automatic detection and generating inputs that lead to memory safety violations in C programs,including buffer overflow,buffer overrun and pointer derefe-rence error.In order to reduce the amount of symbol variable,we used the symbol variable to track the length of buf-fer and C string.The use of symbolic buffer length makes it possible to compactly summarize the behavior of standard buffer manipulation functions.While resolving the problem of path explosion,we introduced the dynamic slicing metho-ds to prune the redundant paths.It’s shown by the experiments that our method presented in this paper not only is feasible but also has little cost.

Shiyou Huang,Jianmei Guo,Sanhong Li,Xiang Li,Yumin Qi,Kingsum Chow,Jeff Huang

DOI: https://doi.org/10.1109/ICSE.2019.00095

2019-01-01

Abstract:Java is a safe programming language by providing bytecode verification and enforcing memory protection. For instance, programmers cannot directly access the memory, but have to use object references. Yet, the Java runtime provides an Unsafe API as a backdoor for the developers to access the low-level system code. Whereas the Unsafe API is designed to be used by the Java core library, a growing community of third-party libraries use it to achieve high performance. The Unsafe API is powerful, but dangerous, which leads to data corruption, resource leaks and difficult-to-diagnose JVM crash if used improperly. In this work, we study the Unsafe crash patterns and propose a memory checker to enforce memory safety, thus avoiding the JVM crash caused by the misuse of the Unsafe API at the bytecode level. We evaluate our technique on real crash cases from the openJDK bug system and real-world applications from AJDK. Our tool reduces the efforts from several days to a few minutes for the developers to diagnose the Unsafe related crashes. We also evaluate the runtime overhead of our tool on projects using intensive Unsafe operations, and the result shows that our tool causes a negligible perturbation to the execution of the applications.

胡荣贵,陈意云,郭帆,张昱

2004-01-01

Abstract:The certifying compiler for type-based annotation, which is a key component of the safety infrastructure, can translate programs, written in a type safe subset of the C programming language, into highly optimized Intel x86/linux assembly language programs, and also can produce the assembly language programs with annotation based on type-safety policy. The experiment shows that: (1) it is reliable to translate a type-safe subset of C programming language into annotated Intel x86 assembly language; (2) the certifying compiler is freely able to apply many standard local optimizations; and (3) it can signal a fatal error for the run-time array bound checking. Since the proof system of the safety policy is based on the annotated target code, the certifying compiler thus may be useful in a system for safe mobile code.

Liu Xin,Cai Wandong

DOI: https://doi.org/10.1109/iccsn.2011.6013559

2011-01-01

Abstract:In this article we address program errors, and through the static code analysis. First, we use inter-procedural based on analysis and blunt insensitive vulnerability testing model, — extracted from the source code. Second, we use of model checking to solve the model. In addition, we do alias analysis method is correct and accuracy testing model. This paper proposed concepts are aimed at those general class buffer of those loopholes and can be applied to the detection of buffer overrun vulnerabilities types such as format string of attacks, and the test code injection. In order to evaluate the effectiveness of CodeAuditor, use the tool to detect the loophole few C affinity grams. We take six open source applications as a test. Experimental results show that, 18 previously unknown vulnerabilities in six open source applications have found our tools. The observation is false positives in about 23%.

Manuel Rigger,Rene Mayrhofer,Roland Schatz,Matthias Grimmer,Hanspeter Mössenböck

DOI: https://doi.org/10.22152/programming-journal.org/2018/2/4

2017-12-04

Abstract:Context: In C, low-level errors, such as buffer overflow and use-after-free, are a major problem, as they cause security vulnerabilities and hard-to-find bugs. C lacks automatic checks, and programmers cannot apply defensive programming techniques because objects (e.g., arrays or structs) lack run-time information about bounds, lifetime, and types. Inquiry: Current approaches to tackling low-level errors include dynamic tools, such as bounds or type checkers, that check for certain actions during program execution. If they detect an error, they typically abort execution. Although they track run-time information as part of their runtimes, they do not expose this information to programmers. Approach: We devised an introspection interface that allows C programmers to access run-time information and to query object bounds, object lifetimes, object types, and information about variadic arguments. This enables library writers to check for invalid input or program states and thus, for example, to implement custom error handling that maintains system availability and does not terminate on benign errors. As we assume that introspection is used together with a dynamic tool that implements automatic checks, errors that are not handled in the application logic continue to cause the dynamic tool to abort execution. Knowledge: Using the introspection interface, we implemented a more robust, source-compatible version of the C standard library that validates parameters to its functions. The library functions react to otherwise undefined behavior; for example, they can detect lurking flaws, handle unterminated strings, check format string arguments, and set errno when they detect benign usage errors. Grounding: Existing dynamic tools maintain run-time information that can be used to implement the introspection interface, and we demonstrate its implementation in Safe Sulong, an interpreter and dynamic bug-finding tool for C that runs on a Java Virtual Machine and can thus easily expose relevant run-time information. Importance: Using introspection in user code is a novel approach to tackling the long-standing problem of low-level errors in C. As new approaches are lowering the performance overhead of run-time information maintenance, the usage of dynamic runtimes for C could become more common, which could ultimately facilitate a more widespread implementation of such an introspection interface.

Programming Languages

LUO Xiao-Guang,WANG Sheng-Yuan,DONG Yuan,ZHANG Su-Qin

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.02.070

2007-01-01

Computer Science

Abstract:Using certifying compiler for the the safety solution of mobile codes is a new approache in the literature,featured with that a large percentage of the load for checking the safty policy can be transfered from a code consumer to a code producer so that the much run-time load at the code consumer can be reduced.Besides,it is more trustworthy and can support the verification of anonymous codes because the code itself instead of the authority of a code producer is verified.An analysis for such a reasearch is presented in the paper.It can be seen that supporting a higher level safety policy would be one of the potential focused directions in this area to get more widely applications.Our preliminary work on this direction is introduced briefly between the lines,in order to share it with other researchers.

王大伟,张大方,缪力

DOI: https://doi.org/10.3969/j.issn.1007-130x.2010.04.022

2010-01-01

Abstract:Model checking is a formal method for verifying the temporal logic properties of finite state systems. To use the technique,an abstract model is usually constructed by hand,but this approach has some weaknesses,for instance,the cost of modeling is considerably high and the artificial models are error-prone. In this paper,we present a practical method for model checking the ANSI-C programs automatically. We built C2Spin,a model extractor which analyzes the C source code and extracts the PROMELA verification model from the source code,and thereby reduce the expense of modeling significantly. Then SPIN can detect various errors in the applications implemented in C mechanically using C2Spin,such as deadlock. In preliminary experiments,depending upon the models generated by C2Spin,we find a semantic bug in SPIN4.3.0 and similar livelocks in the implementation of two classic mutual exclusion algorithms written by Holzmann. The results show that C2Spin helps people test C programs more effectively and quickly.

Dexi Wang,Chao Zhang,Guang Chen,Ming Gu,Jiaguang Sun

2016-01-01

Abstract:The C programming language is widely used in safety-critical software systems. With its large appliance and increasing complexity, the need of ensuring the correctness of C codes emerged. This paper presents Ceagle , a fully automated program verifier for finding assertion violations in C programs. It is decent in both accuracy and efficiency by using a semantically equivalent program model language that is specifically designed for C program, together with various optimizations that make the satisfiability checking faster and memoryfriendly. More specifically, Ceagle uses LLVM clang as front-end parser, an extended labeled transition system as program model, and Z3 SMT solver as the back-end satisfiability checker. Ceagle is designed to be fully automatic and requires no user interaction as long as the assertions are provided. For evaluation, we compare Ceagle with existing C program verifiers based on open benchmarks. Ceagle outperforms others in terms of accuracy, and time and memory consumption.

Mohan Cui,Suran Sun,Hui Xu,Yangfan Zhou

2023-08-09

Abstract:Rust is an emerging, strongly-typed programming language focusing on efficiency and memory safety. With increasing projects adopting Rust, knowing how to use Unsafe Rust is crucial for Rust security. We observed that the description of safety requirements needs to be unified in Unsafe Rust programming. Current unsafe API documents in the standard library exhibited variations, including inconsistency and insufficiency. To enhance Rust security, we suggest unsafe API documents to list systematic descriptions of safety requirements for users to follow. In this paper, we conducted the first comprehensive empirical study on safety requirements across unsafe boundaries. We studied unsafe API documents in the standard library and defined 19 safety properties (SP). We then completed the data labeling on 416 unsafe APIs while analyzing their correlation to find interpretable results. To validate the practical usability and SP coverage, we categorized existing Rust CVEs until 2023-07-08 and performed a statistical analysis of std unsafe API usage toward the <a class="link-external link-http" href="http://crates.io" rel="external noopener nofollow">this http URL</a> ecosystem. In addition, we conducted a user survey to gain insights into four aspects from experienced Rust programmers. We finally received 50 valid responses and confirmed our classification with statistical significance.

Software Engineering

Xiaohua Yin,Zhiqiu Huang,Shuanglong Kan,Guohua Shen

DOI: https://doi.org/10.3390/electronics13214307

IF: 2.9

2024-11-03

Electronics

Abstract:Rust is a relatively new programming language that aims to provide memory safety at compile time. It introduces a novel ownership system that enforces the automatic deallocation of unused resources without using a garbage collector. In light of Rust's promise of safety, a natural question arises about the possible benefits of exploiting ownership to ensure the memory safety of C programs. In our previous work, we developed a formal ownership checker to verify whether a C program satisfies exclusive ownership constraints. In this paper, we further propose an ownership-based safe memory deallocation approach, named SafeMD, to fix memory leaks in the C programs that satisfy exclusive ownership defined in the prior formal ownership checker. Benefiting from the C programs satisfying exclusive ownership, SafeMD obviates alias and inter-procedural analysis. Also, the patches generated by SafeMD make the input C programs still satisfy exclusive ownership. Usually, a C program that satisfies the exclusive ownership constraints is safer than its normal version. Our evaluation shows that SafeMD is effective in fixing memory leaks of C programs that satisfy exclusive ownership.

engineering, electrical & electronic,computer science, information systems,physics, applied

Nathan Burow,Derrick McKee,Scott A. Carr,Mathias Payer

DOI: https://doi.org/10.1145/3196494.3196540

2017-04-17

Abstract:Memory corruption vulnerabilities in C/C++ applications enable attackers to execute code, change data, and leak information. Current memory sanitizers do no provide comprehensive coverage of a program's data. In particular, existing tools focus primarily on heap allocations with limited support for stack allocations and globals. Additionally, existing tools focus on the main executable with limited support for system libraries. Further, they suffer from both false positives and false negatives. We present Comprehensive User-Space Protection for C/C++, CUP, an LLVM sanitizer that provides complete spatial and probabilistic temporal memory safety for C/C++ program on 64-bit architectures (with a prototype implementation for x86_64). CUP uses a hybrid metadata scheme that supports all program data including globals, heap, or stack and maintains the ABI. Compared to existing approaches with the NIST Juliet test suite, CUP reduces false negatives by 10x (0.1%) compared to the state of the art LLVM sanitizers, and produces no false positives. CUP instruments all user-space code, including libc and other system libraries, removing them from the trusted code base.

Cryptography and Security,Programming Languages