Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

Jiaqi Li,Ke Wang,Yaoguang Chen,Yajin Zhou,Lei Wu,Jiashui Wang

2023-01-01

Abstract:DBMS bugs can cause serious consequences, posing severe security and privacy concerns. This paper works towards the detection of memory bugs and logic bugs in DBMSs, and aims to solve the two innate challenges, including how to generate semantically correct SQL queries in a test case, and how to propose effective oracles to capture logic bugs. To this end, our system proposes two key techniques. The first key technique is called context-sensitive instantiation, which considers all static semantic requirements (including but not limited to the identifier type used by existing systems) to generate semantically valid SQL queries. The second key technique is called multi-plan execution, which can effectively capture logic bugs. Given a test case, multi-plan execution makes the DBMS execute all query plans instead of the default optimal one, and compares the results. A logic bug is detected if a difference is found among the execution results of the executed query plans. We have implemented a prototype system called Kangaroo and applied it to three widely used and well-tested DBMSs, including SQLite, PostgreSQL, and MySQL. Our system successfully detected 50 new bugs. The comparison between our system with the state-of-the-art systems shows that our system outperforms them in terms of the number of generated semantically valid SQL queries, the explored code paths during testing, and the detected bugs.

Sen Ma,MingYang Jiao,ShiKun Zhang,Wen Zhao,Dong Wei Wang

DOI: https://doi.org/10.1109/issrew.2015.7392049

2015-01-01

Abstract:This paper proposes a practical static analysis tool named LUKE, for detecting null pointer dereferences (NPD) in C programs. LUKE first uses a guarded value-dependence graph (VDG) to track the dependence relations of values, and then detects NPD by solving the graph reachability problem on its VDG. To improve accuracy as well as scalability, the detection algorithm leverages heuristic inference algorithms and the results of control dependences analysis. We evaluated LUKE on 10 large-scale open source projects, and the results show that LUKE has a false positive rate of only 4.3%, which is much lower than Clang, Saturn and Calysto. The analysis speed is also 4.6X, 15.5X and 17.9X faster, respectively. On the evaluated benchmarks, LUKE succeeds in finding a superset of the bugs reported by the published tools we investigated. We also show that LUKE scales to 416,500 lines of code, the largest benchmark we had.

Xutong Ma,Jiwei Yan,Wei Wang,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/ase51524.2021.9678836

2021-01-01

Abstract:The smart pointer mechanism, which is improved in the continuous versions of the C++ standards over the last decade, is designed to prevent memory-leak bugs by automatically deallocating the managed memory blocks. However, not all kinds of memory errors can be immunized by adopting this mechanism. For example, dereferencing a null smart pointer will lead to a software failure. Due to the lack of specialized support for smart pointers, the off-the-shelf C++ static analyzers cannot effectively reveal these bugs. In this paper, we propose a static approach to detecting memory-related bugs by tracking the heap memory management of smart pointers. The behaviors of smart pointers are modeled during their lifetime to trace the state transitions of managed memory blocks. And the specially designed checkers are used to check the state changes according to five collected bug patterns. To evaluate the effectiveness of our approach, we implement it on the top of the Clang Static Analyzer. A set of handmade code snippets, as well as nine popular open-source C++ projects, are used to compare our tool against four other analyzers. The results show that our approach can successfully discover nearly all the built-in bugs. And 442 out of 648 reports generated from the open-source projects are true positives after manual reviewing, where the bugs of dereferencing null smart pointers are most frequently reported. To further confirm our reports, we design patches for Aria2, Restbed, MySQL and LLVM, in which seven pull requests covering 76 bug reports have been merged by the developers up to now. The results indicate that pointers should always be carefully used even after migrated to smart pointers and static analysis upon specialized models can effectively detect such bugs.

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Dongfang Xie,Bihuan Chen,Kaifeng Huang,Yu Wang,Linghao Pan,Zhicheng Chen,Xin Peng

DOI: https://doi.org/10.1109/saner60148.2024.00093

2024-01-01

Abstract:Null pointer dereference raises Null Pointer Exceptions (NPEs). There are two groups of approaches to detect NPEs. Type-based approaches carry out strict type-based null safety checking. They heavily rely on annotations, and thus produce many false positives. Dataflow-based approaches leverage static forward and/or backward dataflow analysis. They mostly have a limited capability in tracking fields and interprocedural analysis, and introduce false positives and false negatives. To address these drawbacks, we propose Wheeljack to detect NPEs for Java. It does not rely on annotations, and hence can work effectively under a lack of annotations. It leverages our novel abstraction of nullness status to enhance field tracking, and our novel invocation analysis (capturing change to return value and side effect of an invocation) to enhance interprocedural analysis. Our evaluation on 28 Java projects has demonstrated that Wheeljack can mostly outperform the four state-of-the-art NPE detectors in recall without sacrificing precision. 5 and 2 new NPEs have been confirmed and fixed by developers after we submit 8 issues.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Vlad-Alexandru Teodorescu,Dorel Lucanu

DOI: https://doi.org/10.4204/EPTCS.410.7

2024-10-31

Abstract:Pointers are a powerful, but dangerous feature provided by the C and C++ programming languages, and incorrect use of pointers is a common source of bugs and security vulnerabilities. Making secure software is crucial, as vulnerabilities exploited by malicious actors not only lead to monetary losses, but possibly loss of human lives. Fixing these vulnerabilities is costly if they are found at the end of development, and the cost will be even higher if found after deployment. That is why it is desirable to find the bugs as early in the development process as possible. We propose a framework that can statically find use-after-free bugs at compile-time and report the errors to the users. It works by tracking the lifetime of objects and memory locations pointers might point to and, using this information, a possibly invalid dereferencing of a pointer can be detected. The framework was tested on over 100 handwritten small tests, as well as 5 real-world projects, and has shown good results detecting errors, while at the same time highlighting some scenarios where false positive reports may occur. Based on the results, it was concluded that our framework achieved its goals, as it is able to detect multiple patterns of use-after-free bugs, and correctly report the errors to the programmer.

Formal Languages and Automata Theory

Yuexing Wang,Guang Chen,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ASE.2019.00129

2019-01-01

Abstract:ABSTRACTPrecise pointer analysis is desired since it is a core technique to find memory defects. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. For static analysis tools utilizing pointer analysis, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents TsmartGP, a static analysis tool for finding memory defects in C programs with a precise and efficient pointer analysis. The pointer analysis algorithm is flow, context, field, and quasi path sensitive. Control flow automatons are the key structures for our analysis to be flow sensitive. Function summaries are applied to get context information and elements of aggregate structures are handled to improve precision. Path conditions are used to filter unreachable paths. For efficiency, a multi-entry mechanism is proposed. Utilizing the pointer analysis algorithm, we implement a checker in TsmartGP to find uninitialized pointer errors in 13 real-world applications. Cppcheck and Clang Static Analyzer are chosen for comparison. The experimental results show that TsmartGP can find more errors while its accuracy is also higher than Cppcheck and Clang Static Analyzer. The demo video is available at https://youtu.be/IQlshemk6OA.

Ping CHEN,Hao HAN,Xiao-bing SHEN,Xin-chun YIN,Bing MAO,Li XIE

2010-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:In recent years, Integer bugs have been rising sharply and become a potential threat as it is often hidden behind other bugs. In this paper, we propose a tool which can automatically detect Integer bugs. We implement the tool based on static and dynamic program analysis. In the static phase, the tool decompiles a binary and creates the suspect instruction set. In the dynamic phase, it monitors the instructions in the suspect set and generates the test cases to further detect which instructions are real Integer bugs. Our tool has two advantages. First, it provides more accurate and sufficient type information. Second, static analysis reduces the instructions which are monitored at runtime. Experimental results shows that our tool can efficiently detect the Integer bugs in several real-world programs. In addition, our tool has no false negatives and low false positives.

Yue Li,Tian Tan,Anders Moller,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3276511

2018-01-01

Proceedings of the ACM on Programming Languages

Abstract:Context sensitivity is an essential technique for ensuring high precision in Java pointer analyses. It has been observed that applying context sensitivity partially, only on a select subset of the methods, can improve the balance between analysis precision and speed. However, existing techniques are based on heuristics that do not provide much insight into what characterizes this method subset. In this work, we present a more principled approach for identifying precision-critical methods, based on general patterns of value flows that explain where most of the imprecision arises in context-insensitive pointer analysis. Accordingly, we provide an efficient algorithm to recognize these flow patterns in a given program and exploit them to yield good tradeoffs between analysis precision and speed. Our experimental results on standard benchmark and real-world programs show that a pointer analysis that applies context sensitivity partially, only on the identified precision-critical methods, preserves effectively all (98.8%) of the precision of a highly-precise conventional context-sensitive pointer analysis (2-object-sensitive with a context-sensitive heap), with a substantial speedup (on average 3.4X, and up to 9.2X).

Yu Wang,Fengjuan Gao,Linzhang Wang,Ke Wang

DOI: https://doi.org/10.48550/arXiv.1907.05579

2019-07-12

Software Engineering

Abstract:We present an alternative approach to creating static bug finders. Instead of relying on human expertise, we utilize deep neural networks to train static analyzers directly from data. In particular, we frame the problem of bug finding as a classification task and train a classifier to differentiate the buggy from non-buggy programs using Graph Neural Network (GNN). Crucially, we propose a novel interval-based propagation mechanism that leads to a significantly more efficient, accurate and scalable generalization of GNN. We have realized our approach into a framework, NeurSA, and extensively evaluated it. In a cross-project prediction task, three neural bug detectors we instantiate from NeurSA are effective in catching null pointer dereference, array index out of bound and class cast bugs in unseen code. We compare NeurSA against several static analyzers (e.g. Facebook Infer and Pinpoint) on a set of null pointer dereference bugs. Results show that NeurSA is more precise in catching the real bugs and suppressing the spurious warnings. We also apply NeurSA to several popular Java projects on GitHub and discover 50 new bugs, among which 9 have been fixed, and 3 have been confirmed.

Guang Chen,Min Zhou,Jiaguang Sun,Xiaoyu Song

DOI: https://doi.org/10.1109/APSEC.2018.00044

2018-01-01

Abstract:Static analysis is an effective way of checking memory safety issues in program. Usually, multiple analysis algorithms usually run together to achieve a precise analysis result. In this paper, a novel analysis frame work over access path is presented for incorporating analysis algorithms. A pointer analysis based on access path works as a base layer, alias and pointer information are automatically handled. An summary based checking algorithm is designed for checking real world project. Moreover, the framework is fully extensible and various analysis can be added as plugins. Experimental results show that our method has good precision on Juliet Test Suite and scales to large software.

Mohan Cui,Chengjun Chen,Hui Xu,Yangfan Zhou

DOI: https://doi.org/10.1145/3542948

IF: 3.685

2022-06-21

ACM Transactions on Software Engineering and Methodology

Abstract:Rust is an emerging programming language that aims to prevent memory-safety bugs. However, the current design of Rust also brings side effects, which may increase the risk of memory-safety issues. In particular, it employs OBRM (ownership-based resource management) and enforces automatic deallocation of unused resources without using the garbage collector. It may therefore falsely deallocate reclaimed memory and lead to use-after-free or double-free issues. In this paper, we study the problem of invalid memory deallocation and propose SafeDrop , a static path-sensitive data-flow analysis approach to detect such bugs. Our approach analyzes each function of a Rust crate iteratively in a flow-sensitive and field-sensitive way. It leverages a modified Tarjan algorithm to achieve scalable path-sensitive analysis and a cache-based strategy for efficient inter-procedural analysis. We have implemented our approach and integrated it into the Rust compiler. Experiment results show that the approach can successfully detect all such bugs in our experiments with a limited number of false positives and incurs a very small overhead compared to the original compilation time.

computer science, software engineering

Pingyan Wang,Shaoying Liu

DOI: https://doi.org/10.1142/s0218194024500013

IF: 1.007

2024-02-23

International Journal of Software Engineering and Knowledge Engineering

Abstract:International Journal of Software Engineering and Knowledge Engineering, Ahead of Print. Pointer analysis is the underlying technique of many static analysis tools for vulnerability discovery. It has proved to be effective in identifying a variety of vulnerabilities, such as buffer overflow vulnerabilities and injection vulnerabilities. However, most existing pointer analysis approaches require whole-program availability, i.e. the program to be analyzed should be complete, which may hinder a timely analysis during the coding phase. In this paper, we present two approaches, exhaustive and demand-driven pointer analyses, both of which are applied to a paradigm known as Human–Machine Pair Programming. The ideas enable us to discover security flaws as early as in the coding phase. In this paper, we describe in detail how our approaches maintain flow sensitivity and propagate points-to and taint information in an incremental fashion. We conduct an evaluation of our approaches on SecuriBench Micro and show that the approaches can capture all the potential vulnerabilities in the test cases, though several false alarms are reported.

computer science, artificial intelligence,engineering, electrical & electronic, software engineering

Hao Zhang,Ji Luo,Mengze Hu,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/icse48619.2023.00098

2023-01-01

Abstract:Exception handling is a mechanism in modern programming languages. Studies have shown that the exception handling code is error-prone. However, there is still limited research on detecting exception handling bugs, especially for C++ programs. To tackle the issue, we try to precisely represent the exception control flow in C++ programs and propose an analysis method that makes use of the control flow to detect such bugs. More specifically, we first extend control flow graph by introducing the concepts of five different kinds of basic blocks, and then modify the classic symbolic execution framework by extending the program state to a quadruple and properly processing try, throw and catch statements. Based on the above techniques, we develop a static analysis tool on the top of Clang Static Analyzer to detect exception handling bugs. We run our tool on projects with high stars from GitHub and find 36 exception handling bugs in 8 projects, with a precision of 84%. We compare our tool with four state-of-the-art static analysis tools (Cppcheck, Clang Static Analyzer, Facebook Infer and IKOS) on projects from GitHub and handmade benchmarks. On the GitHub projects, other tools are not able to detect any exception handling bugs found by our tool. On the handmade benchmarks, our tool has a significant higher recall.

Ankush Das,Akash Lal

DOI: https://doi.org/10.48550/arXiv.1702.05807

2017-02-20

Abstract:Precise analysis of pointer information plays an important role in many static analysis techniques and tools today. The precision, however, must be balanced against the scalability of the analysis. This paper focusses on improving the precision of standard context and flow insensitive alias analysis algorithms at a low scalability cost. In particular, we present a semantics-preserving program transformation that drastically improves the precision of existing analyses when deciding if a pointer can alias NULL. Our program transformation is based on Global Value Numbering, a scheme inspired from compiler optimizations literature. It allows even a flow-insensitive analysis to make use of branch conditions such as checking if a pointer is NULL and gain precision. We perform experiments on real-world code to measure the overhead in performing the transformation and the improvement in the precision of the analysis. We show that the precision improves from 86.56% to 98.05%, while the overhead is insignificant.

Programming Languages

Yu Wang,Fengjuan Gao,Lingyun Situ,Lingzhang Wang,Bihuan Chen,Yang Liu,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1145/3275219.3275231

2018-01-01

Abstract:Dangling pointers have become an important class of software bugs that can lead to use-after-free and double-free vulnerabilities. So far, only a few approaches have been proposed to protect against dangling pointers, while most of them suffer from high overhead. In this paper, we propose a lightweight approach, named DangDone, to eliminate dangling pointers at compile time. Built upon the root cause of a dangling pointer, i.e., a pointer and its aliases are not nullified but the memory area they point to is deallocated, DangDone realizes the protection by inserting an intermediate pointer between the pointers (i.e., a pointer and its aliases) and the memory area they point to. Hence, nullifying the intermediate pointer will nullify the pointer and its aliases, which mitigates the vulnerabilities caused by dangling pointers. Experimental results have demonstrated that DangDone can protect target programs (i.e., the SPEC CPU benchmarks and the programs with known CVEs) with negligible runtime overhead (i.e., around 1% on average).

Mohamed A. El-Zawawy

DOI: https://doi.org/10.48550/arXiv.1112.3756

2011-12-16

Programming Languages

Abstract:The use of pointers and data-structures based on pointers results in circular memory references that are interpreted by a vital compiler analysis, namely pointer analysis. For a pair of memory references at a program point, a typical pointer analysis specifies if the points-to relation between them may exist, definitely does not exist, or definitely exists. The "may be" case, which describes the points-to relation for most of the pairs, cannot be dealt with by most compiler optimizations. This is so to guarantee the soundness of these optimizations. However, the "may be" case can be capitalized by the modern class of speculative optimizations if the probability that two memory references alias can be measured. Focusing on multithreading, a prevailing technique of programming, this paper presents a new flow-sensitive technique for probabilistic pointer analysis of multithreaded programs. The proposed technique has the form of a type system and calculates the probability of every points-to relation at each program point. The key to our approach is to calculate the points-to information via a post-type derivation. The use of type systems has the advantage of associating each analysis results with a justification (proof) for the correctness of the results. This justification has the form of a type derivation and is very much required in applications like certified code.

Tuo Li,Jia-Ju Bai,Yulei Sui,Shi-Min Hu

DOI: https://doi.org/10.1145/3503222.3507770

2024-01-01

ACM Transactions on Computer Systems

Abstract:Operating system (OS) is the cornerstone for modern computer systems. It manages devices and provides fundamental service for user-level applications. Thus, detecting bugs in OSes is important to improve reliability and security of computer systems. Static typestate analysis is a common technique for detecting different types of bugs, but it is often inaccurate or unscalable for large-size OS code, due to imprecision of identifying alias relationships as well as high costs of typestate tracking and path-feasibility validation. In this paper, we present PATA, a novel path-sensitive and alias-aware typestate analysis framework to detect OS bugs. To improve the precision of identifying alias relationships in OS code, PATA performs a path-based alias analysis based on control-flow paths and access paths. With these alias relationships, PATA reduces the costs of typestate tracking and path-feasibility validation, to boost the efficiency of path-sensitive typestate analysis for bug detection. We have evaluated PATA on the Linux kernel and three popular IoT OSes (Zephyr, RIOT and TencentOS-tiny) to detect three common types of bugs (null-pointer dereferences, uninitialized-variable accesses and memory leaks). PATA finds 574 real bugs with a false positive rate of 28%. 206 of these bugs have been confirmed by the developers of the four OSes. We also compare PATA to seven state-of-the-art static approaches (Cppcheck, Coccinelle, Smatch, CSA, Infer, Saber and SVF). PATA finds many real bugs missed by them, with a lower false positive rate.