Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Guang Chen,Min Zhou,Jiaguang Sun,Xiaoyu Song

DOI: https://doi.org/10.1109/APSEC.2018.00044

2018-01-01

Abstract:Static analysis is an effective way of checking memory safety issues in program. Usually, multiple analysis algorithms usually run together to achieve a precise analysis result. In this paper, a novel analysis frame work over access path is presented for incorporating analysis algorithms. A pointer analysis based on access path works as a base layer, alias and pointer information are automatically handled. An summary based checking algorithm is designed for checking real world project. Moreover, the framework is fully extensible and various analysis can be added as plugins. Experimental results show that our method has good precision on Juliet Test Suite and scales to large software.

Liu Xin,Cai Wandong

DOI: https://doi.org/10.1109/iccsn.2011.6013559

2011-01-01

Abstract:In this article we address program errors, and through the static code analysis. First, we use inter-procedural based on analysis and blunt insensitive vulnerability testing model, — extracted from the source code. Second, we use of model checking to solve the model. In addition, we do alias analysis method is correct and accuracy testing model. This paper proposed concepts are aimed at those general class buffer of those loopholes and can be applied to the detection of buffer overrun vulnerabilities types such as format string of attacks, and the test code injection. In order to evaluate the effectiveness of CodeAuditor, use the tool to detect the loophole few C affinity grams. We take six open source applications as a test. Experimental results show that, 18 previously unknown vulnerabilities in six open source applications have found our tools. The observation is false positives in about 23%.

JIANG Shu-Juan,XU Bao-Wen,SHI Liang,XIAO Yang

DOI: https://doi.org/10.3969/j.issn.1002-137x.2006.04.082

2006-01-01

Computer Science

Abstract:Exception handling in modern programming languages is a mechanism that can improve software robustness. Since the signature of an C~(++) function may not specify the set of exceptions that the function can propagate,it is neces- sary to figure out the exceptions that may be raised during executing program,the origins of the exceptions and their exception propagation paths.Unfortunately,in large programs,this exceptional information can be difficult,if not im- possible,to determine.Firstly,the paper presents a model that can describe the exception handling information for C~(++) exception handling mechanism,and applies the model to recursive functions.Then describes CETool,a static a- nalysis tool we have developed to provide exception-flow information for C~(+1) systems based on this model.The CETool provides the information related to the explicit exceptions.The information is helpful to support the improvements to the exception handling structure of a system and structure testing of a program.It also presents the implementation of CETool and its application.

Hao Zhang,Ji Luo,Mengze Hu,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/icse48619.2023.00098

2023-01-01

Abstract:Exception handling is a mechanism in modern programming languages. Studies have shown that the exception handling code is error-prone. However, there is still limited research on detecting exception handling bugs, especially for C++ programs. To tackle the issue, we try to precisely represent the exception control flow in C++ programs and propose an analysis method that makes use of the control flow to detect such bugs. More specifically, we first extend control flow graph by introducing the concepts of five different kinds of basic blocks, and then modify the classic symbolic execution framework by extending the program state to a quadruple and properly processing try, throw and catch statements. Based on the above techniques, we develop a static analysis tool on the top of Clang Static Analyzer to detect exception handling bugs. We run our tool on projects with high stars from GitHub and find 36 exception handling bugs in 8 projects, with a precision of 84%. We compare our tool with four state-of-the-art static analysis tools (Cppcheck, Clang Static Analyzer, Facebook Infer and IKOS) on projects from GitHub and handmade benchmarks. On the GitHub projects, other tools are not able to detect any exception handling bugs found by our tool. On the handmade benchmarks, our tool has a significant higher recall.

LI Xiao,ZHOU Yan,LI Meng-Chen,CHEN Yuan-Jun,XU Guo-Qing,WANG Lin-Zhang,LI Xuan-Dong

DOI: https://doi.org/10.13328/j.cnki.jos.005189

2017-01-01

Abstract:Memory leak,which has perplexed software developers for a long time because of imperceptibility,is a very common bug for C/C++ programs and can do serious harm especially for long-running program or system software.Aiming at this problem,both static and dynamic program analysis techniques have been attempted.Dynamic program analysis technique detects memory leak by running the program,which has huge overhead and depends on the quality of test cases.Static analysis technology and automatic tools are widely used in the work of detecting memory leaks among academic community and industrial community.Since it uses conservative algorithm,Static analysis is able to detect a lot of defects but at the sometime increases the false positives,which needs manual confirmation.As manual confirmation is time-consuming and error prone,it limits the practicability of the technology.In this paper,a novel method to automatically validate static memory leak warnings is proposed based on concolic testing.First,drawing on the memory leak warnings given by static analysis report,the control flow of the target program is analyzed and the reachability of the target path is calculated.Then the path information is used to guide the concolic testing and execute program in the particular path.Finally,the static warnings is validated by tracking memory object during execution.Experimental results show that this method can effectively classify static warnings and significantly reduce the workload of manual validation.

Cheng Yong,Yang Ling,Jin Wenjia,Yang Wenzhong,Wang Wei,Wang Feng,Zhou Yong

DOI: https://doi.org/10.4028/www.scientific.net/amr.403-408.2981

2011-01-01

Advanced Materials Research

Abstract:This paper proposed a method and a prototype using static analysis to detect security of computer software. There are many buffer overflow vulnerabilities in released software. It uses the static object code analysis technology to detect buffer overflow, and analysis some unsafe function to determine whether the software has some default. It compares the different results of the proposed tool and traditional buffer overflow detecting tools, the false alarm rate is less than others, false negative rate is same as others.

Deng Fan,Liu Jian

DOI: https://doi.org/10.3969/j.issn.1007-7820.2009.02.007

2009-01-01

Abstract:Safety vulnerabilities related to exception in C++ programs and the consequent resource leak,control flow errors or data flow errors are analyzed.Representations of several familiar vulnerabilities are listed,and their causes and characteristics are analyzed with detailed examples.The corresponding suggestions for safety programming are put forward.

Vlad-Alexandru Teodorescu,Dorel Lucanu

DOI: https://doi.org/10.4204/EPTCS.410.7

2024-10-31

Abstract:Pointers are a powerful, but dangerous feature provided by the C and C++ programming languages, and incorrect use of pointers is a common source of bugs and security vulnerabilities. Making secure software is crucial, as vulnerabilities exploited by malicious actors not only lead to monetary losses, but possibly loss of human lives. Fixing these vulnerabilities is costly if they are found at the end of development, and the cost will be even higher if found after deployment. That is why it is desirable to find the bugs as early in the development process as possible. We propose a framework that can statically find use-after-free bugs at compile-time and report the errors to the users. It works by tracking the lifetime of objects and memory locations pointers might point to and, using this information, a possibly invalid dereferencing of a pointer can be detected. The framework was tested on over 100 handwritten small tests, as well as 5 real-world projects, and has shown good results detecting errors, while at the same time highlighting some scenarios where false positive reports may occur. Based on the results, it was concluded that our framework achieved its goals, as it is able to detect multiple patterns of use-after-free bugs, and correctly report the errors to the programmer.

Formal Languages and Automata Theory

ZHANG Yan-chun,LIU Jian

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.27.027

2006-01-01

Computer Engineering and Applications Journal

Abstract:As an exception handling mechanism of C++ Language,exception has provided much advantage in C++ programming.Proper use of exception can improve robustness of program;otherwise it may lead to worse executing efficiency and even corrupt the program.This paper analyzes exception representation in C++ program and gives the classification of exception holes,in terms of which exception safety rules are constructed,and presents an approach of interprocedural bottom-up communicating of info and intraprocedural syntax-directed translation,which accomplishes statically detecting of C++ exception safety.

Zhenbo Xu,Jian Zhang,Zhongxing Xu,Jiteng Wang

DOI: https://doi.org/10.1145/2610384.2628050

2014-01-01

Abstract:Symbolic analysis is a commonly used approach for static bug finding. It usually performs a precise path-by-path symbolic simulation from program inputs. A major challenge is its scalability and precision on interprocedural analysis. The former limits the application to large programs. The latter may lead to many false alarms. This paper presents a flexible, scalable and practical static bug detection tool, called Canalyze, for C programs. The flexibility is embodied in our modular design that supports different precision-level constraint solvers and interprocedural analyses. Based on these options, one can enable the less precise options to achieve a more scalable analysis or the more time-consuming options to perform a more precise analysis. Our tool is also practical to analyze real-world applications. It has been applied to some industry systems and open source programs like httpd, lighttpd, etc. And hundreds of newly found bugs were confirmed by the maintainers of our benchmarks.

Rui Ma,Yiming Yan,Long Wang,Changzhen Hu,Jingfeng Xue

2016-01-01

Abstract:Buffer overflow vulnerability is currently one of the most serious software security vulnerabilities. Taking effective methods to detect buffer overflow vulnerabilities is of great significance to improve the robustness and security of software. After analyzing the principle of buffer overflow and various buffer overflow vulnerabilities, as well as comparing static with dynamic detection techniques, this paper presents a static detection method for buffer overflow based on abstract syntax tree, especially for vulnerabilities caused by string accessing of C source code. The proposed method first generates an abstract syntax tree for the source code by using the GCC compiler, and collects the characteristics of vulnerability by analyzing AST nodes. For the nodes associated with the buffer overflow, the method further gives a formal description of that characteristic so as to generate security attributed and constraint rules. By traversing the abstract syntax tree, the proposed method finally determines whether buffer overflow vulnerability exists in the source code. Experiments with 12 C programs were carried out on the Windows platform, and each program has been discovered at least one typical buffer overflow vulnerability. The experimental results highlight the feasibility and effectiveness of the proposed method, especially in the detecting out of range for a pointer, an array, and a structure object, as well as the buffer overflow vulnerability caused by some C library function calls.

Xiaohui Sun,Sihan Xu,Chenkai Guo,Jing Xu,Naipeng Dong,Xiujuan Ji,Sen Zhang

DOI: https://doi.org/10.1109/compsac.2018.10271

2018-01-01

Abstract:One of the major software safety issues is memory leak. Moreover, detecting memory leak vulnerabilities is challenging in static analysis. Existing static detection tools find bugs by collecting programs' information in the process of scanning source code. However, the current detection tools are weak in efficiency and accuracy, especially when the targeted program contains complex branches. This paper proposes a projection-based approach to detect memory leaks in C source code with complex control flows. According to the features of memory allocation and deallocation in C source code, this approach projects the original control flow graph of a program to a simpler one, and it reduces the analysis complexity. Besides, this paper implements a memory-leak detection tool—PML_Checker, and evaluates the tool by comparing with three open-source static detection tools on both public benchmarks and study test cases. The experimental results show that PML_Checker reports the most memory leak vulnerabilities among the four existing tools with complex control flows and complex data types, and PML_Checker obtains higher efficiency and accuracy on public benchmarks.

LI Xiao-nan,FAN Ming-yu,WANG Guang-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.08.054

2011-01-01

Abstract:To cope with the problem of high false negatives and false positives in source code static analysis methods with a static test tool,this paper presented a static analysis detection method for safety defects detection based on several static test tools.This method made statistical analysis on the outcome of different static test tools,which greatly decreased the false negatives and false positives.It designed and implemented a scalable source code static analysis tool platform,and it was proved by experiment that this platform has a better performance with lower false negatives and false positives compared with one single static test tool.

Yang Bai,Yuping Wang

DOI: https://doi.org/10.3969/j.issn.2095-2783.2014.10.009

2014-01-01

Abstract:Null pointer dereference error is a common bug,which is hard to detect and avoid.A flow-sensitive,path-sensitive and context-sensitive static analysis method is proposed,combined traditional static analysis methods and symbolic execution.Global pointers,local pointers and pointers as function parameters are modeled to simplify the positions of pointers.Pointer states are passed among functions.Constraint solving method is used to determine the path reachability.When completing analyzing a func-tion,pointer states are merged.Furthermore,manual bug trigger conditions annotation is used to improve the efficiency.Experi-ments show that the method is feasible and efficient for all kinds of null pointer dereference errors.

Shijin ZHANG,Zhaowei SHANG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1304-0138

2015-01-01

Abstract:The C/C++ program which is compiled well does not always guarantee that there are no defects in the code. There may still contain defects relativing to securities, design and code style, therefore it may result in memory leak or misuse of pointers so that it is difficult to accomplish the expected goal of software requirements. Aiming to software defection tool of Cppcheck’s insufficiency for open software defect, this paper mainly analyses the Cppcheck architecture, defect pattern representation and implementation, as well as on the basis of summarizing 350 defect patterns to improve Cppcheck. It makes two relevant experiments to verify the effectiveness of improved Cppcheck.

GU Ke,LIU Chao,JIN Mao-zhong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.05.008

2009-01-01

Abstract:The C++ program which is all right in compiling process does not always insure there are no defects in the code.For the reason that there may be defects relative to securities,design and code style,it may result in memory leak,misuse of pointers or make the program code unclearly and unreadable.The defects will place bad impact on the normal running and the maintain ability of the software.This paper introduced a good technology of defect-extendable automated C++ code defect detection,including two methods to detect the defects,a description of defect rules based on XPath technology and an introduction of the C++ defect automation detector.Furthermore,analyzed the detector in stability,credibility and easy-to-use by experiment.

Rui Ma,Lingkui Chen,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.1109/DASC.2013.37

2013-01-01

Abstract:Aiming at the problem of higher memory consumption and lower execution efficiency during the dynamic detecting to C/C++ programs memory vulnerabilities, this paper presents a dynamic detection method called ISC. The ISC improves the Safe-C using pointer analysis technology. Firstly, the ISC defines a simple and efficient fat pointer representation instead of the safe pointer in the Safe-C. Furthermore, the ISC uses the unification-based analysis algorithm with one level flow static pointer. This identification reduces the number of pointers that need to be converted to fat pointers. Then in the process of program running, the ISC detects memory vulnerabilities through constantly inspecting the attributes of fat pointers. Experimental results indicate that the ISC could detect memory vulnerabilities such as buffer overflows and dangling pointers. Comparing with the Safe-C, the ISC dramatically reduces the memory consumption and lightly improves the execution efficiency.

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.