ZHANG Jun-xian,LI Zhou-jun

DOI: https://doi.org/10.13190/j.jbupt.2016.s.012

2016-01-01

Abstract:Buffer overflow is a source of many security problems in C programs. A new tool named Path-Checker to detect buffer overflows in C codes using dynamic symbolic execution method is proposed. PathChecker uses quantifier-free predicate formulas to describe the safety properties of buffer access oper-ations and check these properties using a SMT solver. Experimental results show the effectiveness of this tool which is very easy to extend to check other safety properties.

Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Tieyun BAO,Fengjuan GAO,Yan ZHOU,You LI,Linzhang WANG,Xuandong LI

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.02.005

2016-01-01

Abstract:Buffer overflow vulnerability is a kind of serious security defect. Currently there are dynamic and static ap-proaches to detect buffer overflow. The effectiveness of Dynamic tools depends on design of test case, and they often in-troduce execution overhead. Static program analysis techniques have been widely used in buffer overflow detection, which often report a large number of false warnings. Manual validating the results of static analysis is time consuming and er-ror-prone, which severely limits the usefulness of static analysis tools. Symbolic execution is a promising software testing and analysis technology, which systematically explore execution space of test program and generates test cases with high coverage. In this paper we propose a novel approach for automatic buffer overflow warnings validating based on symbolic execution.Our approach is consist of three steps:firstly detect the reachability of statements in static analysis path segment in inter procedural control flow graph and map the static path segment sets to complete path sets which are used to be val-idated;secondly guide the symbolic execution so that we only focus on the execution paths that cover the buffer overflow warnings generated by static program analysis through pruning useless path; finally construct warning path constraints according to buffer overflow vulnerability models at suspicios statements and classify results depend on the output of con-straint solver. Based on the proposed technique we implemented a prototype tool BOVTool and our experimental results on real open source programs show that the percentage of false warnings which do not need to be manually validated is 59.9%on average.

Sara Baradaran,Mahdi Heidari,Ali Kamali,Maryam Mouzarani

DOI: https://doi.org/10.1007/s10207-023-00691-1

2022-12-23

Abstract:Memory corruption is a serious class of software vulnerabilities, which requires careful attention to be detected and removed from applications before getting exploited and harming the system users. Symbolic execution is a well-known method for analyzing programs and detecting various vulnerabilities, e.g., memory corruption. Although this method is sound and complete in theory, it faces some challenges, such as path explosion, when applied to real-world complex programs. In this paper, we present a method for improving the efficiency of symbolic execution and detecting four classes of memory corruption vulnerabilities in executable codes, i.e., heap-based buffer overflow, stack-based buffer overflow, use-after-free, and double-free. We perform symbolic execution only on test units rather than the whole program to avoid path explosion. In our method, test units are considered parts of the program's code, which might contain vulnerable statements and are statically identified based on the specifications of memory corruption vulnerabilities. Then, each test unit is symbolically executed to calculate path and vulnerability constraints of each statement of the unit, which determine the conditions on unit input data for executing that statement or activating vulnerabilities in it, respectively. Solving these constraints gives us input values for the test unit, which execute the desired statements and reveal vulnerabilities in them. Finally, we use machine learning to approximate the correlation between system and unit input data. Thereby, we generate system inputs that enter the program, reach vulnerable instructions in the desired test unit, and reveal vulnerabilities in them. This method is implemented as a plugin for angr framework and evaluated using a group of benchmark programs. The experiments show its superiority over similar tools in accuracy and performance.

Cryptography and Security,Software Engineering

Zhe Chen,Rui Yan,Yingzi Ma,Yulei Sui,Jingling Xue

DOI: https://doi.org/10.1145/3637227

IF: 3.685

2023-12-11

ACM Transactions on Software Engineering and Methodology

Abstract:C is a dominant programming language for implementing system and low-level embedded software. Unfortunately, the unsafe nature of its low-level control of memory often leads to memory errors. Dynamic analysis has been widely used to detect memory errors at runtime. However, existing monitoring algorithms for dynamic analysis are not yet satisfactory as they cannot deterministically and completely detect some types of errors, e.g., segment confusion errors, sub-object overflows, use-after-frees and memory leaks. We propose a new monitoring algorithm, namely Smatus , short for smart status , that improves memory safety by performing comprehensive dynamic analysis. The key innovation is to maintain at runtime a small status node for each memory object. A status node records the status value and reference count of an object, where the status value denotes the liveness and segment type of this object, and the reference count tracks the number of pointer variables pointing to this object. Smatus maintains at runtime a pointer metadata for each pointer variable, to record not only the base and bound of a pointer’s referent but also the address of the referent’s status node. All the pointers pointing to the same referent share the same status node in their pointer metadata. A status node is smart in the sense that it is automatically deleted when it becomes useless (indicated by its reference count reaching zero). To the best of our knowledge, Smatus represents the most comprehensive approach of its kind. We have evaluated Smatus by using a large set of programs including the NIST Software Assurance Reference Dataset, MSBench, MiBench, SPEC and stress testing benchmarks. In terms of effectiveness (detecting different types of memory errors), Smatus outperforms state-of-the-art tools, Google’s AddressSanitizer, SoftBoundCETS and Valgrind, as it is capable of detecting more errors. In terms of performance (the time and memory overheads), Smatus outperforms SoftBoundCETS and Valgrind in terms of both lower time and memory overheads incurred, and is on par with AddressSanitizer in terms of the time and memory overhead tradeoff made (with much lower memory overheads incurred).

computer science, software engineering

Haoxin Tu,Lingxiao Jiang,Jiaqi Hong,Xuhua Ding,He Jiang

DOI: https://doi.org/10.1109/tse.2024.3395412

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Memory allocation is a fundamental operation for managing memory objects in many programming languages. Misusing allocated memory objects (e.g., buffer overflow and use-after-free) can have catastrophic consequences. Symbolic execution-based approaches have been used to detect such memory errors, benefiting from their capabilities in automatic path exploration and test case generation. However, existing symbolic execution engines still suffer from fundamental limitations in modeling dynamic memory layouts; they either represent the locations of memory objects as concrete addresses and thus limit their analyses only to specific address layouts and miss errors that may only occur when the objects are located at special addresses, or represent the locations as simple symbolic variables without sufficient constraints and thus suffer from memory state explosion when they execute read/write operations involving symbolic addresses. Such limitations hinder the existing symbolic execution engines from effectively detecting certain memory errors. In this study, we propose SYMLOC, a symbolic execution-based approach that uses concretely mapped symbolic memory locations to alleviate the limitations mentioned above. Specifically, a new integration of three techniques is designed in SYMLOC: (1) the symbolization of addresses and encoding of symbolic addresses into path constraints, (2) the symbolic memory read/write operations using a symbolic-concrete memory map, and (3) the automatic tracking of the uses of symbolic memory locations. We build SYMLOC on top of the well-known symbolic execution engine KLEE and demonstrate its benefits in terms of memory error detection and code coverage capabilities. Our evaluation results show that: for address-specific spatial memory errors, SYMLOC can detect 23 more errors in GNU Coreutils , Make , and m4 programs that are difficult for other approaches to detect, and cover 15% and 48% more unique lines of code in the programs than two baseline approaches; for temporal memory errors, SYMLOC can detect 8%-64% more errors in the Juliet Test Suite than various existing state-of-the-art memory error detectors. We also present two case studies to show sample memory errors detected by SYMLOC along with their root causes and implications.

Bo Wu,Yufeng Ma,Qian Zhang,Fengchen Qian

DOI: https://doi.org/10.23977/meet.2019.93720

2019-01-01

Abstract:Buffer overflows in C and C++ programs are among the most common and serious classes of software vulnerabilities for two decades. To mitigate and to eradicate this security threat, many detection approaches based on static and dynamic analysis techniques have been proposed. This paper aims to provide an alternative and multipath solution to existing symbolic execution approaches by catching the red-zones in memory, rather than the strict memory object bounds, which are absolute vulnerable to buffer overflows. From the observations of buffer overflow attacks that are commonly overwrite a special position to exploit the vulnerabilities, in this paper, we propose a multipath dynamic buffer overflow detecting approach (symbolic-execution-based), relying on catching the red-zones in the stack and heap memory. We examine every memory store operation both in concrete addresses and symbolic pointers, whose writing size should never overlap or cross a red-zone position. We implement a practical dynamic checking tool called MACBin based on S2E platform. We apply it to test several real world software, the results show that MACBin is useful and effective at detecting buffer overflow vulnerabilities.

Siran Fu,Baojiang Cui,Tao Guo,Xuyan Song

DOI: https://doi.org/10.1007/978-3-319-75928-9_59

2018-01-01

Abstract:C++ language has the characteristics of flexible programming, high execution efficiency, but there are also a large number of undefined behavior, which is easy to cause security risks. In this paper, focus on the memory-use error in C++ program, designed and implemented a memory check tools named MemDetect, based on dynamic instrumentation platform, which is platform-cross, efficiency and accuracy. MemDetect can detect memory leaks, cross-border access memory and memory does not match the release problems effectively, the validity and efficiency of MemDetect are proved by comparing with other detection tools.

Weizhong Qiang,Yuehua Liao,Guozhong Sun,Laurence T. Yang,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1109/access.2017.2676161

IF: 3.9

2017-01-01

IEEE Access

Abstract:During the lifecycle of a software system, software patches are committed to software repositories to fix discovered bugs or append new features. Unfortunately, the patches may bring new bugs or vulnerabilities, which could break the stability and security of the software system. A study shows that more than 15% of software patches are erroneous due to poor testing. In this paper, we present a novel approach for automatically determining whether a patch brings new vulnerabilities. Our approach combines symbolic execution with data flow analysis and static analysis, which allows a quick check of patch-related codes. We focus on typical memory-related vulnerabilities, including buffer overflows, memory leaks, uninitialized data, and dangling pointers. We have implemented our approach as a tool called KPSec, which we used to test a set of real-world software patches. Our experimental results show that our approach can effectively identify typical memory-related vulnerabilities introduced by the patches and improve the security of the updated software.

蒋剑琴,黄达明,曾庆凯

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.03.013

2009-01-01

Abstract:To dectect memory access errors by combining the efficiency of program analysis technologies and the powerful mathematical foundation of program validation technologies,Cmad,a static C memory errors Detector based on semantics abstraction was proposed.By sound approximation to concrete states,accurate verification of the related constraint variable operation and information collection during the traversal of CFG,Cmad detected inter-procedural memory bound overflow errors without any annotation.Prototype implementation proves the validity.

HUANG Hui,LU Yu-liang,XIA Yang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2013.09.064

2013-01-01

Abstract:Aiming towards automatic defect detection for binary programs,based on software virtual machine's dynamic binary translation and taint propagation,this paper studied mechanisms necessary for symbolic execution including program's run-time semantics' extraction,intermediate language based symbolic calculation,enhanced the path-scheduling mechanism in traditional dynamic symbolic execution,analyzed symbolic asserts' expressions for common program defects,with an online dynamic symbolic execution system built up detecting defects in binary programs.Experiments prove the method's effectiveness in defect detection for real binary programs.

Rui Ma,Lingkui Chen,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.1109/DASC.2013.37

2013-01-01

Abstract:Aiming at the problem of higher memory consumption and lower execution efficiency during the dynamic detecting to C/C++ programs memory vulnerabilities, this paper presents a dynamic detection method called ISC. The ISC improves the Safe-C using pointer analysis technology. Firstly, the ISC defines a simple and efficient fat pointer representation instead of the safe pointer in the Safe-C. Furthermore, the ISC uses the unification-based analysis algorithm with one level flow static pointer. This identification reduces the number of pointers that need to be converted to fat pointers. Then in the process of program running, the ISC detects memory vulnerabilities through constantly inspecting the attributes of fat pointers. Experimental results indicate that the ISC could detect memory vulnerabilities such as buffer overflows and dangling pointers. Comparing with the Safe-C, the ISC dramatically reduces the memory consumption and lightly improves the execution efficiency.

Yue Wang,Hao Sun,Qingkai Zeng

DOI: https://doi.org/10.18293/seke2015-94

2015-01-01

Abstract:Fork-based symbolic execution would waste large amounts of computing time and resource on invulnerable paths when applied to vulnerability detection.In this paper, we propose a statically-guided fork-based symbolic execution technique for vulnerability detection to mitigate this problem.In static analysis, we collect all valid jumps along vulnerable paths, and define the priority for each program branch based on the ratio of vulnerable paths over total paths in its subsequent program.In fork-based symbolic execution, path exploration can be restricted to vulnerable paths, and code segments with higher proportion of vulnerable paths can be analyzed in advance by utilizing the result of static analysis.We implement a prototype named SAF-SE and evaluate it with ten benchmarks from GNU Coreutils version 6.11.Experimental results show that SAF-SE outperforms KLEE in the efficiency and accuracy of vulnerability detection.

JiaYu Li,Ye Yao,Yian Zhu,Mutitaba,Yongkai Zhang,Hang Li

DOI: https://doi.org/10.1109/icnisc60562.2023.00011

2023-01-01

Abstract:The paper presented and implemented a C-Scanner source code vulnerability detection tool, which can solve the buffer overflow problem. The main idea was to rewrite the source code of a C or C++, so that the resulting code contained the safe version of the old vulnerable functions, which may contain a buffer overflow security problem. If rewriting was not possible, due to some reasons, a warning was issued along with a hint to solve the problem if it was possible. C-Scanner in this paper took the C or C++ source code as input, and then it did a parsing process. Every time it encountered a vulnerable function call, it classified this function call. If this function call was belonging to a category of its interest, then it would rewrite this vulnerable function by a safe version, which prevented the buffer overflow vulnerability.

Rui Ma,Lingkui Chen,Changzhen Hu,Jingfeng Xue,Xiaolin Zhao

DOI: https://doi.org/10.1109/DASC.2013.37

2013-01-01

Abstract:Aiming at the problem of higher memory consumption and lower execution efficiency during the dynamic detecting to C/C++ programs memory vulnerabilities, this paper presents a dynamic detection method called ISC. The ISC improves the Safe-C using pointer analysis technology. Firstly, the ISC defines a simple and efficient fat pointer representation instead of the safe pointer in the Safe-C. Furthermore, the ISC uses the unification-based analysis algorithm with one level flow static pointer. This identification reduces the number of pointers that need to be converted to fat pointers. Then in the process of program running, the ISC detects memory vulnerabilities through constantly inspecting the attributes of fat pointers. Experimental results indicate that the ISC could detect memory vulnerabilities such as buffer overflows and dangling pointers. Comparing with the Safe-C, the ISC dramatically reduces the memory consumption and lightly improves the execution efficiency.

Sun Ding,Hee Beng Kuan Tan,Kaiping Liu,Mahinthan Chandramohan,Hongyu Zhang

DOI: https://doi.org/10.1109/COMPSACW.2012.103

2012-01-01

Abstract:Buffer overflow vulnerability is one of the major security threats for applications written in C/C++. Among the existing approaches for detecting buffer overflow vulnerability, though flow sensitive based approaches offer higher precision but they are limited by heavy overhead and the fact that many constraints are unsolvable. We propose a novel method to efficiently detect vulnerable buffer overflows in any given control flow graph through recognizing two patterns. The proposed approach first uses syntax analysis to filter away those branches that cannot possibly comply with any of the two patterns before applying a limited symbolic evaluation for a precise matching against the patterns. The proposed approach only needs to evaluate a limited set of selected branch predicates according to the patterns and avoids the need to deal with a large number of general branch predicates. This significantly improves the scalability while not sacrificing the detection precision. Our experiments demonstrate the scalability and efficiency of the proposed method, which demonstrates its applicability.

Chun Shan,Shiyou Sun,Jingfeng Xue,Changzhen Hu,Hongjin Zhu

DOI: https://doi.org/10.1007/978-3-319-64701-2_27

2017-01-01

Abstract:Array bounds is the most commonly fault in java programs design, it often leads to wrong results even system crash. To solve these problems, this paper proposed a detecting array bounds method based on symbolic execution. The method generated the abstract syntax tree from the source code, and then created a control flow graph according to the abstract syntax tree. It adopted flaw detectors to detect defects of array bound. Finally, using the standard function to test the ability of this method in detecting array bounds. The results indicated that this method can detect array bounds defects of crossing process indirectly, array bounds defects within process and array bounds defects of crossing process directly very well and it is better than some existing Java methods of detecting array bounds defects.

Qing Gao,Yingfei Xiong,Yaqing Mi,Lu Zhang,Weikun Yang,Zhaoping Zhou,Bing Xie,Hong Mei

DOI: https://doi.org/10.1109/icse.2015.64

2015-01-01

Abstract:Automatic bug fixing has become a promising direction for reducing manual effort in debugging. However, general approaches to automatic bug fixing may face some fundamental difficulties. In this paper, we argue that automatic fixing of specific types of bugs can be a useful complement. This paper reports our first attempt towards automatically fixing memory leaks in C programs. Our approach generates only safe fixes, which are guaranteed not to interrupt normal execution of the program. To design such an approach, we have to deal with several challenging problems such as inter-procedural leaks, global variables, loops, and leaks from multiple allocations. We propose solutions to all the problems and integrate the solutions into a coherent approach. We implemented our inter-procedural memory leak fixing into a tool named Leak Fix and evaluated Leak Fix on 15 programs with 522k lines of code. Our evaluation shows that Leak Fix is able to successfully fix a substantial number of memory leaks, and Leak Fix is scalable for large applications.

Zhiqiang Liu,Bo Xu,Dong Liang,Chang Liu,Zejun Jiang,Chenglie Du

DOI: https://doi.org/10.1109/fskd.2015.7382308

2015-01-01

Abstract:Memory leak detection for C programs is a significant while difficult research field. Based on executable formal semantics of C programming language, a new method is proposed in this paper for memory leak detection. By extending and modifying state Configuration and rules of memory manipulation and pointer manipulation in semantics, this method can employ the powerful expression and executive capacity of rewriting logic to describe both behaviors of memory operation such as malloc, free, pointer and unit of scope, and memory leak pattern of C programs in executable semantics. Because the modified state Configuration and rules are executable, the memory leak flaws can be matched and detected automatically by execution. Three typical memory leak flaws, namely unreleased allocated-memory, pointer reassigning and inconsistency between allocated space and released space, are tested with some code segments containing them to verify the method. The results and testing time show that the semantics-based method can detect memory leak flaws in C programs effectively.

Xiao Qixue,Chen Yu,Xu Yongjian,Mao Junjie,Guo Shize,Wang Zhenjiang,Shi Yuanchun

DOI: https://doi.org/10.1109/compsac.2015.20

2015-01-01

Abstract:Memory errors have been one of the main causes for software vulnerability. This paper discusses an issue called controlled memory allocation (CMA) which occurs when key elements of memory allocation are affected by elaborately designed input data. This paper proposes a renovated approach of CMA detection, utilizing static analysis, and optimizing symbolic execution system with path-guided technologies. Combining these technologies with the state-of-the-art symbolic execution engine, KLEE, we present a prototype CMA detection tool, SCAD. SCAD was tested on commonly used applications like Coreutils and Texinfo, where it found 14 CMA related bugs including 5 unknown previously ones. SCAD's path guided searcher could reach an assigned target faster and with more paths than other path searchers which are provided by KLEE. Two memory allocation sites in Coreutils could not be reached by 8 path searchers provided by KLEE in five minutes, but SCAD's path guided searcher could reach them in 24 seconds and 17 seconds respectively. For memory allocation related code, SCAD executes faster with higher coverage than conventional symbolic execution engines.