Rui Ma,Lingkui Chen,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.1109/DASC.2013.37

2013-01-01

Abstract:Aiming at the problem of higher memory consumption and lower execution efficiency during the dynamic detecting to C/C++ programs memory vulnerabilities, this paper presents a dynamic detection method called ISC. The ISC improves the Safe-C using pointer analysis technology. Firstly, the ISC defines a simple and efficient fat pointer representation instead of the safe pointer in the Safe-C. Furthermore, the ISC uses the unification-based analysis algorithm with one level flow static pointer. This identification reduces the number of pointers that need to be converted to fat pointers. Then in the process of program running, the ISC detects memory vulnerabilities through constantly inspecting the attributes of fat pointers. Experimental results indicate that the ISC could detect memory vulnerabilities such as buffer overflows and dangling pointers. Comparing with the Safe-C, the ISC dramatically reduces the memory consumption and lightly improves the execution efficiency.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Longming Dong,Wei Dong,Liqian Chen

DOI: https://doi.org/10.1109/SERE-C.2012.30

2012-01-01

Abstract:Invalid pointer dereferences, such as null pointer dereferences, dangling pointer dereferences and double frees, are a prevalent source of software bugs in CPS software, due to flexible dereferencing pointers along various pointer fields. Existing tools have high overhead or are incomplete, thereby limiting their efficiency in checking the kind of CPS software with shared and mutable memory. In this paper, we present a novel extended pointer structure for detecting all invalid pointer dereferences in this kind of CPS software. We propose an invalid pointer dereferences detection algorithm based on the uniform transformation of abstract heap states. Experimental evaluation about a set of large C benchmark programs shows that the proposed approach is sufficiently efficient in detecting invalid pointer dereferences of CPS software with shared and mutable memory.

Zhe Chen,Rui Yan,Yingzi Ma,Yulei Sui,Jingling Xue

DOI: https://doi.org/10.1145/3637227

IF: 3.685

2023-12-11

ACM Transactions on Software Engineering and Methodology

Abstract:C is a dominant programming language for implementing system and low-level embedded software. Unfortunately, the unsafe nature of its low-level control of memory often leads to memory errors. Dynamic analysis has been widely used to detect memory errors at runtime. However, existing monitoring algorithms for dynamic analysis are not yet satisfactory as they cannot deterministically and completely detect some types of errors, e.g., segment confusion errors, sub-object overflows, use-after-frees and memory leaks. We propose a new monitoring algorithm, namely Smatus , short for smart status , that improves memory safety by performing comprehensive dynamic analysis. The key innovation is to maintain at runtime a small status node for each memory object. A status node records the status value and reference count of an object, where the status value denotes the liveness and segment type of this object, and the reference count tracks the number of pointer variables pointing to this object. Smatus maintains at runtime a pointer metadata for each pointer variable, to record not only the base and bound of a pointer’s referent but also the address of the referent’s status node. All the pointers pointing to the same referent share the same status node in their pointer metadata. A status node is smart in the sense that it is automatically deleted when it becomes useless (indicated by its reference count reaching zero). To the best of our knowledge, Smatus represents the most comprehensive approach of its kind. We have evaluated Smatus by using a large set of programs including the NIST Software Assurance Reference Dataset, MSBench, MiBench, SPEC and stress testing benchmarks. In terms of effectiveness (detecting different types of memory errors), Smatus outperforms state-of-the-art tools, Google’s AddressSanitizer, SoftBoundCETS and Valgrind, as it is capable of detecting more errors. In terms of performance (the time and memory overheads), Smatus outperforms SoftBoundCETS and Valgrind in terms of both lower time and memory overheads incurred, and is on par with AddressSanitizer in terms of the time and memory overhead tradeoff made (with much lower memory overheads incurred).

computer science, software engineering

GAO Hai-chang,FENG Bo-qin,HE Hang-jun,ZHU Li

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.09.011

2006-01-01

Abstract:Usage of pointer in C/C++ language makes program source code flexible and convenient,but the memory usage errors(memory leak,write overflow,wild pointer and so on.) occur in the process is very difficult to analyze and eliminate.Aimed at errors of dynamic memory management,a dynamic memory detection method based on source file extraction and source code instrumentation on Linux Platform was developed,and a dynamic memory detection module was designed.The module can detect memory leak,write overflow,free wild pointer and mismatch using of memory functions to source code.Finally,an instance to test write overflow was carried to validate the effectiveness of our method and module.

Zhe Chen,Qi Zhang,Jun Wu,Junqi Yan,Jingling Xue

DOI: https://doi.org/10.1109/tse.2022.3210580

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:Low-level control makes C unsafe, resulting in memory errors that can lead to data corruption, security vulnerabilities or program crashes. Dynamic analysis tools, which have been widely used for detecting memory errors at runtime, usually perform instrumentation at the IR or binary level. However, these non-source-level instrumentation frameworks and tools suffer from two inherent drawbacks: optimization sensitivity and platform dependence. Due to optimization sensitivity, the user of these tools must trade either performance for effectiveness by compiling the program at -O0 or effectiveness for performance by compiling the program at a higher optimization level, say, -O3. In this paper, we propose a new source-level instrumentation framework to overcome these two drawbacks, and implement it in a new dynamic analysis tool, called Movec, that adopts a pointer-based monitoring algorithm. We have evaluated Movec comprehensively by using the NIST's SARD benchmark suite (1152 programs), a set of 126 microbenchmarks (with ground truth), a set of 20 MiBench benchmarks and 5 pure-C SPEC CPU 2017 benchmarks. In terms of effectiveness, Movec outperforms three state-of-the-art dynamic analysis tools, AddressSanitizer, SoftBoundCETS and Valgrind, for all the standard optimization levels (from -O0 to -O3). In terms of performance, Movec outperforms SoftBoundCETS and Valgrind, and is slower than AddressSanitizer but consumes less memory.

engineering, electrical & electronic,computer science, software engineering

Jingfeng Xue,Changzhen Hu,Hongyu Ren,Rui Ma,Jian Li

DOI: https://doi.org/10.1109/NLPKE.2011.6138200

2011-01-01

Abstract:Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows and dangling pointers. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. Aiming at the problem, PSC, a new probabilistic safeguard C, is proposed in this paper. At the basis of Diehard, memory allocating strategy is improved in PSC. PSC can avoid memory errors in all probability during software executing by combing random memory allocating algorithm and virtual memory. Physical memory consumption is decreased by building hot object space working set and compressing non frequently used objects. Experiments show PSC is better than Diehard for memory errors prevention and physical memory consumption. So it is a valid memory errors prevention technology based on probability. © 2011 IEEE.

Weizhong Qiang,Weifeng Li,Hai Jin,Jayachander Surbiryala

DOI: https://doi.org/10.1109/access.2019.2908022

IF: 3.9

2019-01-01

IEEE Access

Abstract:Highly efficient languages, such as C/C++, have low-level control over memory. Due to the lack of validity detection for pointers and garbage collection for memory, developers are responsible for dynamic memory management by explicitly allocating and deallocating memory. However, explicit memory management brings a large number of memory safety-related vulnerabilities, such as use-after-free. The threat of use-after-free vulnerabilities has become more and more serious due to their high level of the severity and quick emergence of the number. In this paper, a dynamic defense system is proposed against use-after-free exploits by introducing an approach based on multi-level pointers that insert intermediate pointers between a heap object and its related pointers. First, the relationship between a heap object to be protected, and the related pointers pointing to it, is established by combing with intermediate pointers. Then, all of the accesses to this object via its related pointers can only be achieved through these intermediate pointers. Finally, to prevent the dangling pointers from being dereferenced to this object, all the intermediate pointers related to this object are invalidated when it is freed so that any access to a freed object can be prevented due to the invalidated intermediate pointers. The prototype system MPChecker is implemented, which can prevent use-after-free exploits for C/C++ multi-threaded programs. Compared with the related methods, MPChecker can protect pointers that are copied in a type-unsafe way from being de-referenced to freed objects. In addition, it can also defend against dangling pointers located on the whole memory, including the stack, the heap, and global memory, rather than the heap only. The defense capability is proved by protecting against two exploits to a real-world program, comparing the support of type-unsafe copy with a self-written program. The performance evaluation of MPChecker with some benchmarks, multi-threaded programs, and real-world programs, shows its comparable efficiency.

Jingfeng Xue,Changzhen Hu,Hongyu Ren,Rui Ma,Jian Li

DOI: https://doi.org/10.1109/nlpke.2011.6138200

2011-01-01

Abstract:Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows and dangling pointers. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. Aiming at the problem, PSC, a new probabilistic safeguard C, is proposed in this paper. At the basis of Diehard, memory allocating strategy is improved in PSC. PSC can avoid memory errors in all probability during software executing by combing random memory allocating algorithm and virtual memory. Physical memory consumption is decreased by building hot object space working set and compressing non frequently used objects. Experiments show PSC is better than Diehard for memory errors prevention and physical memory consumption. So it is a valid memory errors prevention technology based on probability.

Xiao Qixue,Chen Yu,Xu Yongjian,Mao Junjie,Guo Shize,Wang Zhenjiang,Shi Yuanchun

DOI: https://doi.org/10.1109/compsac.2015.20

2015-01-01

Abstract:Memory errors have been one of the main causes for software vulnerability. This paper discusses an issue called controlled memory allocation (CMA) which occurs when key elements of memory allocation are affected by elaborately designed input data. This paper proposes a renovated approach of CMA detection, utilizing static analysis, and optimizing symbolic execution system with path-guided technologies. Combining these technologies with the state-of-the-art symbolic execution engine, KLEE, we present a prototype CMA detection tool, SCAD. SCAD was tested on commonly used applications like Coreutils and Texinfo, where it found 14 CMA related bugs including 5 unknown previously ones. SCAD's path guided searcher could reach an assigned target faster and with more paths than other path searchers which are provided by KLEE. Two memory allocation sites in Coreutils could not be reached by 8 path searchers provided by KLEE in five minutes, but SCAD's path guided searcher could reach them in 24 seconds and 17 seconds respectively. For memory allocation related code, SCAD executes faster with higher coverage than conventional symbolic execution engines.

Daliang Xu,Dongwei Chen,Chun Yang,KangSun,Xu Cheng,Dong Tong

2020-01-01

Abstract:Use-After-Free vulnerabilities, allowing the attacker to access unintended memory via dangling pointers, are more threatening. However, most detection schemes can only detect dangling pointers and invalid them, but not provide a tolerance mechanism to repair the errors at runtime. Also, these techniques obtain and manage the metadata inefficiently with complex structures and too much scan (sweep). The goal of this paper is to use compiler instrumentation to eliminate dangling pointers automatically and efficiently. In this paper, we observe that most techniques lack accurate efficient pointer graph metadata maintaining methods, so they need to scan the log to reduce the redundancy and sweep the whole address space to find dangling pointers. Also, they lack a direct, efficiently obtaining metadata approach. The key insight of this paper is that a unique identifier can be used as a key to a hash or direct-map algorithm. Thus, this paper maintains the same implicit identifier with each memory object and its corresponding referent. Associating the unique ID with metadata for memory objects, obtaining and managing the pointer graph metadata can be efficiently. Therefore, with the delayed free technique adopted into C/C++, we present the DangKiller as a novel and lightweight dangling pointer elimination solution. We first demonstrate the MinFat Pointer, which can calculate unique implicit ID for each object and pointer quickly, and use hash algorithm to obtain metadata. Secondly, we propose the Log Cache and Log Compression mechanism based on the ID to decrease the redundancy of dangling pointer candidates. Coupled with the Address Tagging architecture on an ARM64 system, our experiments show that the DangKiller can eliminate use-after-free vulnerabilities at only 11% and 3% runtime overheads for the SPEC CPU2006 and 2017 benchmarks respectively, except for unique cases.

Yuexing Wang,Guang Chen,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ASE.2019.00129

2019-01-01

Abstract:ABSTRACTPrecise pointer analysis is desired since it is a core technique to find memory defects. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. For static analysis tools utilizing pointer analysis, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents TsmartGP, a static analysis tool for finding memory defects in C programs with a precise and efficient pointer analysis. The pointer analysis algorithm is flow, context, field, and quasi path sensitive. Control flow automatons are the key structures for our analysis to be flow sensitive. Function summaries are applied to get context information and elements of aggregate structures are handled to improve precision. Path conditions are used to filter unreachable paths. For efficiency, a multi-entry mechanism is proposed. Utilizing the pointer analysis algorithm, we implement a checker in TsmartGP to find uninitialized pointer errors in 13 real-world applications. Cppcheck and Clang Static Analyzer are chosen for comparison. The experimental results show that TsmartGP can find more errors while its accuracy is also higher than Cppcheck and Clang Static Analyzer. The demo video is available at https://youtu.be/IQlshemk6OA.

Bin Yu,Cong Tian,Nan Zhang,Zhenhua Duan,Hongwei Du

DOI: https://doi.org/10.1007/s10878-019-00398-x

2019-01-01

Journal of Combinatorial Optimization

Abstract:This paper presents a dynamic approach to detecting, eliminating and fixing memory leaks. With our approach, a program to be analyzed is instrumented before its execution. Dynamic symbolic execution is employed so as to expose memory leaks occurring in all execution paths. During the program execution, information about each allocated memory area is updated when corresponding statements are executed. Based on this information, a back-end leak checker records the changes of variables pointing to each memory area, detects memory leaks and deallocates leaked memory areas. After the program execution, a fixed program containing deallocation statements is generated. We have implemented our approach in a tool called DEF_LEAK based on Low Level Virtual Machine compiler infrastructure. Experiments show that DEF_LEAK can detect more leaks than the existing dynamic detection tools for programs with user inputs. Moreover, DEF_LEAK is more effective for helping programmers understand and fix memory leaks than other detection tools.

Rulin Xu,Xiaoguang Mao,Luohui Chen,Yue Yu

DOI: https://doi.org/10.1109/jcc59055.2023.00014

2023-01-01

Abstract:Memory vulnerability detection aims to identify software defects that can compromise memory safety. However, existing methods often struggle to achieve both high precision and efficiency. This paper presents a high-precision memory vulnerability detection approach based on value flow analysis and parallel computing. We first construct a static semantic representation called SVFG to enable precise detection of memory vulnerabilities such as null pointer dereference and use-after-free. We then perform dependency-aware path feasibility analysis using an SMT solver to reduce false positives. Finally, we develop a task-level parallel framework to accelerate the constraint solving process and improve efficiency.We evaluate our approach on the Juliet test set of over 2,000 test cases and 7 open-source projects. Experimental results show that our dependency-aware analysis can achieve 0.5%-2.05% false positive rates, outperforming traditional approaches and existing tools. Our task-level parallel framework can achieve up to 3.25x speedup with 4 computing nodes.Our study demonstrates that combining value flow analysis and parallel computing is a promising way to enable highly precise and efficient detection of memory vulnerabilities. For future work, we plan to integrate pointer analysis to support more complex codes, and optimize the granularity of parallelism to improve scalability. Overall, this paper presents a static analysis based method to address the inherent trade-off between precision and efficiency in memory vulnerability detection.

Xutong Ma,Jiwei Yan,Wei Wang,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/ase51524.2021.9678836

2021-01-01

Abstract:The smart pointer mechanism, which is improved in the continuous versions of the C++ standards over the last decade, is designed to prevent memory-leak bugs by automatically deallocating the managed memory blocks. However, not all kinds of memory errors can be immunized by adopting this mechanism. For example, dereferencing a null smart pointer will lead to a software failure. Due to the lack of specialized support for smart pointers, the off-the-shelf C++ static analyzers cannot effectively reveal these bugs. In this paper, we propose a static approach to detecting memory-related bugs by tracking the heap memory management of smart pointers. The behaviors of smart pointers are modeled during their lifetime to trace the state transitions of managed memory blocks. And the specially designed checkers are used to check the state changes according to five collected bug patterns. To evaluate the effectiveness of our approach, we implement it on the top of the Clang Static Analyzer. A set of handmade code snippets, as well as nine popular open-source C++ projects, are used to compare our tool against four other analyzers. The results show that our approach can successfully discover nearly all the built-in bugs. And 442 out of 648 reports generated from the open-source projects are true positives after manual reviewing, where the bugs of dereferencing null smart pointers are most frequently reported. To further confirm our reports, we design patches for Aria2, Restbed, MySQL and LLVM, in which seven pull requests covering 76 bug reports have been merged by the developers up to now. The results indicate that pointers should always be carefully used even after migrated to smart pointers and static analysis upon specialized models can effectively detect such bugs.

Xiaohui Sun,Sihan Xu,Chenkai Guo,Jing Xu,Naipeng Dong,Xiujuan Ji,Sen Zhang

DOI: https://doi.org/10.1109/compsac.2018.10271

2018-01-01

Abstract:One of the major software safety issues is memory leak. Moreover, detecting memory leak vulnerabilities is challenging in static analysis. Existing static detection tools find bugs by collecting programs' information in the process of scanning source code. However, the current detection tools are weak in efficiency and accuracy, especially when the targeted program contains complex branches. This paper proposes a projection-based approach to detect memory leaks in C source code with complex control flows. According to the features of memory allocation and deallocation in C source code, this approach projects the original control flow graph of a program to a simpler one, and it reduces the analysis complexity. Besides, this paper implements a memory-leak detection tool—PML_Checker, and evaluates the tool by comparing with three open-source static detection tools on both public benchmarks and study test cases. The experimental results show that PML_Checker reports the most memory leak vulnerabilities among the four existing tools with complex control flows and complex data types, and PML_Checker obtains higher efficiency and accuracy on public benchmarks.

JiaYu Li,Ye Yao,Yian Zhu,Mutitaba,Yongkai Zhang,Hang Li

DOI: https://doi.org/10.1109/icnisc60562.2023.00011

2023-01-01

Abstract:The paper presented and implemented a C-Scanner source code vulnerability detection tool, which can solve the buffer overflow problem. The main idea was to rewrite the source code of a C or C++, so that the resulting code contained the safe version of the old vulnerable functions, which may contain a buffer overflow security problem. If rewriting was not possible, due to some reasons, a warning was issued along with a hint to solve the problem if it was possible. C-Scanner in this paper took the C or C++ source code as input, and then it did a parsing process. Every time it encountered a vulnerable function call, it classified this function call. If this function call was belonging to a category of its interest, then it would rewrite this vulnerable function by a safe version, which prevented the buffer overflow vulnerability.

Hongfa Xue,Yurong Chen,Fan Yao,Yongbo Li,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1007/978-3-319-58469-0_28

2017-01-01

Abstract:Unsafe memory accesses in programs written using popular programming languages like C and C++ have been among the leading causes of software vulnerability. Memory safety checkers, such as Soft bound, enforce memory spatial safety by checking if accesses to array elements are within the corresponding array bounds. However, such checks often result in high execution time overhead due to the cost of executing the instructions associated with the bound checks. To mitigate this problem, techniques to eliminate redundant bound checks are needed. In this paper, we propose a novel framework, SIMBER, to eliminate redundant memory bound checks via statistical inference. In contrast to the existing techniques that primarily rely on static code analysis, our solution leverages a simple, model-based inference to identify redundant bound checks based on runtime statistics from past program executions. We construct a knowledge base containing sufficient conditions using variables inside functions, which are then applied adaptively to avoid future redundant checks at a function-level granularity. Our experimental results on real world applications show that SIMBER achieves zero false positives. Also, our approach reduces the performance overhead by up to 86.94% over Softbound, and incurs a modest 1.7% code size increase on average to circumvent the redundant bound checks inserted by Softbound.