Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

Ju Qian,Baowen Xu,Xiaoyu Zhou,Lin Chen,Liang Shi

DOI: https://doi.org/10.1007/s11859-009-0408-1

2009-01-01

Abstract:To avoid the precision loss caused by combining dataflow facts impossible to occur in the same execution path in dependence analysis for C programs, this paper first proposes a flow-sensitive and context-insensitive points-to analysis algorithm and then presents a new dependence analysis approach based on it. The approach makes more sufficient consideration on the executable path problem and can avoid invalid combination between points-to relations and between points-to relations and reaching definitions. The results of which are therefore more precise than those of the ordinary dependence analysis approaches.

Wang Chunlei,Zhao Gang,Dai Yiqi

DOI: https://doi.org/10.1109/ICCSIT.2009.5234950

2009-01-01

Abstract:This paper proposes a control flow based security analysis approach for binary executables. Through deeply investigating the theory of control flow security, we develop the Control Flow Security Model (CFSM) which includes the formal definitions for program semantics and security properties for control flow. CFSM specifies that program execution dynamically follows only certain paths, in accordance with a statically declared security properties specified as Control Flow Constraint Specification (CFCS). We have proposed an efficient control flow security analysis algorithm for verifying that a particular control flow model satisfies the associated security properties. Our work contributes to bridging the gap between abstract specifications of control flow security properties and actual control flow security analysis for binary executables. The effectiveness and the practical usefulness of the approach are exemplified by an illustrative analysis of heap overflow vulnerability.

潘剑锋,刘守群,奚宏生,谭小彬

2010-01-01

Abstract:The present study proposes a method for hidden malcode detection based on the analysis of dynamic control-flow. First we recorded the malcode-related control-flow paths of program, and then the control-flow paths were analyzed, by calling tree match algorithm, to detect the hidden malcode in the system. The experiments show that this method can detect hidden malcode efficiently at a high detection rate and with low false positive, and thus it can be applied to malcode detection on operating systems.

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Christian Saad,Bernhard Bauer

DOI: https://doi.org/10.1007/978-3-642-41533-3_43

2013-01-01

Abstract:In this paper we present a data-flow based approach to static model analysis to address the problem of current methods being either limited in their expressiveness or employing formalisms which complicate seamless integration with standards and tools in the modeling domain.By applying data-flow analysis - a technique widely used for static program analysis - to models, we realize what can be considered a generic “programming language” for context-sensitive model analysis through declarative specifications. This is achieved by enriching meta models with data-flow attributes which are afterward instantiated for models. The resulting equation system is subjected to a fixed-point computation that yields a static approximation of the model’s dynamic behavior as specified by the analysis. The applicability of the approach is evaluated in the context of a running example, the examination of viable application domains and a statistical review of the algorithm’s performance.

白莉莉,庞建民,张一弛,岳峰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.09.048

2010-01-01

Abstract:Aiming at the problem that malware detection method based on signature can be easily subverted by obfuscation techniques,this paper proposes a detection method based on Critical Application Programming Interface Graph(CAG).By statically extracting nodes with critical API calling from Control Flow Graph(CFG) for each malware,each malicious behavior can be presented by one CAG.A matching algorithm based on CAG is used to determine whether a suspicious executable programming has the same malicious behavior as a malware does.Experimental results show that the method can detect malware variants efficiently with low false negative rate.

XIA Nai,GUO Ming-song,Bing Mao,Li Xie

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.02.038

2007-01-01

Abstract:Attacks to program vulnerabilities is a severe problem nowadays.This paper puts forward a new simplified approach based on programs' runtime control flow monitoring.Compared to the methods based on system call sequence analysis,this approach has better granularity;Compared to the methods using whole call graph verification,it has the same effectiveness but more applicable.The results show that this approach can detect many kinds of known attacks to program vulnerabilities.

Mizuhito OGAWA,Zhenjiang HU,Isao SASANO,Masato TAKEICHI

2002-01-01

Abstract:This paper proposes a new framework for program analysis that regards them as maximum marking problems: mark the codes of a program under a certain condition such that the number of marked nodes is maximum. We show that if one can develop an efficient checking program (in terms of a finite catamorphism) whether marked programs are correctly marked, then an efficient and incremental marking algorithm to analyze control flow of structured programs (say in C or Java with limited numbers of gotos) is obtained for free. To describe catamorphisms on control flow graphs, we present an algebraic construction, called SP Term, for graphs with bounded tree width. The transformation to SP Terms is done efficiently in linear time. We demonstrate that our framework is powerful to describe various kinds of control flow analyses. Especially, for analyses in which some optimality is required (or expected), our approach has a big advantage.

Zhilong Wang,Haizhou Wang,Hong Hu,Peng Liu

2024-05-02

Abstract:As control-flow protection gets widely deployed, it is difficult for attackers to corrupt control-data and achieve control-flow hijacking. Instead, data-oriented attacks, which manipulate non-control data, have been demonstrated to be feasible and powerful. In data-oriented attacks, a fundamental step is to identify non-control, security-critical data. However, critical data identification processes are not scalable in previous works, because they mainly rely on tedious human efforts to identify critical data. To address this issue, we propose a novel approach that combines traditional program analysis with deep learning. At a higher level, by examining how analysts identify critical data, we first propose dynamic analysis algorithms to identify the program semantics (and features) that are correlated with the impact of a critical data. Then, motivated by the unique challenges in the critical data identification task, we formalize the distinguishing features and use customized program dependence graphs (PDG) to embed the features. Different from previous works using deep learning to learn basic program semantics, this paper adopts a special neural network architecture that can capture the long dependency paths (in the PDG), through which a critical variable propagates its impact. We have implemented a fully-automatic toolchain and conducted comprehensive evaluations. According to the evaluations, our model can achieve 90% accuracy. The toolchain uncovers 80 potential critical variables in Google FuzzBench. In addition, we demonstrate the harmfulness of the exploits using the identified critical variables by simulating 7 data-oriented attacks through GDB.

Cryptography and Security

Xiao Cheng,Haoyu Wang,Jiayi Hua,Miao Zhang,Guoai Xu,Li Yi,Yulei Sui

DOI: https://doi.org/10.1109/ICECCS.2019.00012

2019-01-01

Abstract:Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.

Steven P. Reiss

DOI: https://doi.org/10.48550/arXiv.1909.13683

2019-09-30

Abstract:We introduce a tool that supports continuous flow analysis in order to detect security problems as the user edits. The tool uses abstract interpretation over both byte codes and abstract syntax trees to trace the flow of both type annotations and system states from their sources to security problems. The flow analysis achieves a balance between performance and accuracy in order to detect security vulnerabilities within seconds, and uses incremental update to provide immediate feedback to the programmer. Resource files are used to specify the specific security constraints of an application and to tune the analysis. The system can also provide detailed information to the programmer as to why it flagged a particular problem. The tool is integrated into the Code Bubbles development environment.

Software Engineering,Cryptography and Security

M Ogawa,ZJ Hu,I Sasano

DOI: https://doi.org/10.1145/944746.944716

2003-01-01

Abstract:Program analysis is the heart of modern compilers. Most control flow analyses are reduced to the problem of finding a fixed point in a certain transition system, and such fixed point is commonly computed through an iterative procedure that repeats tracing until convergence.This paper proposes a new method to analyze programs through recursive graph traversals instead of iterative procedures, based on the fact that most programs (without spaghetti GOTO) have well-structured control flow graphs, graphs with bounded tree width. Our main techniques are; an algebraic construction of a control flow graph, called SP Term, which enables control flow analysis to be defined in a natural recursive form, and the Optimization Theorem, which enables us to compute optimal solution by dynamic programming.We illustrate our method with two examples; dead code detection and register allocation. Different from the traditional standard iterative solution, our dead code detection is described as a simple combination of bottom-up and top-down traversals on SP Term. Register allocation is more interesting, as it further requires optimality of the result. We show how the Optimization Theorem on SP Terms works to find an optimal register allocation as a certain dynamic programming.

Han Yujie,Lü Zhengliang,Lin Zhiwen,Wang Hong,Yang Shiyuan

2010-01-01

Journal of Computer Research and Development

Abstract:As an approach for system testability analysis and fault diagnosis,multi_signal flow graph modeling method represents the dependency relationship between faults and tests using a directed graph.The method based on the traditional fault model needs to know the exact communication relationship between each function,bringing the inconvenience for modeling.In this paper,we present a multi-functional fault model which refines the functional fault,allowing modeling more easily.Furthermore,this article illustrates the dependency matrix generation algorithm and corresponding testability analysis method of the modeling method based on the multi-functional fault model.And also,an example about the whole process is discussed.This method has been applied on the TADS(testability analysis and diagnosis system) software platform.

Pankaj Kohli

DOI: https://doi.org/10.48550/arXiv.0906.4481

2009-07-01

Abstract:Memory corruption attacks remain the primary threat for computer security. Information flow tracking or taint analysis has been proven to be effective against most memory corruption attacks. However, there are two shortcomings with current taint analysis based techniques. First, these techniques cause application slowdown by about 76% thereby limiting their practicality. Second, these techniques cannot handle non-control data attacks i.e., attacks that do not overwrite control data such as return address, but instead overwrite critical application configuration data or user identity data. In this work, to address these problems, we describe a coarse-grained taint analysis technique that uses information flow tracking at the level of application data objects. We propagate a one-bit taint over each application object that is modified by untrusted data thereby reducing the taint management overhead considerably. We performed extensive experimental evaluation of our approach and show that it can detect all critical attacks such as buffer overflows, and format string attacks, including non-control data attacks. Unlike the currently known approaches that can detect such a wide range of attacks, our approach does not require the source code or any hardware extensions. Run-time performance overhead evaluation shows that, on an average, our approach causes application slowdown by only 37% which is an order of magnitude improvement over existing approaches. Finally, since our approach performs run-time binary instrumentation, it is easier to integrate it with existing applications and systems.

Cryptography and Security

Li Zhou,Minhuan Huang,Yujun Li,Yuanping Nie,Jin Li,Yiwei Liu

DOI: https://doi.org/10.48550/arXiv.2202.02501

2022-02-05

Abstract:With the continuous extension of the Industrial Internet, cyber incidents caused by software vulnerabilities have been increasing in recent years. However, software vulnerabilities detection is still heavily relying on code review done by experts, and how to automatedly detect software vulnerabilities is an open problem so far. In this paper, we propose a novel solution named GraphEye to identify whether a function of C/C++ code has vulnerabilities, which can greatly alleviate the burden of code auditors. GraphEye is originated from the observation that the code property graph of a non-vulnerable function naturally differs from the code property graph of a vulnerable function with the same functionality. Hence, detecting vulnerable functions is attributed to the graph classification <a class="link-external link-http" href="http://problem.GraphEye" rel="external noopener nofollow">this http URL</a> is comprised of VecCPG and GcGAT. VecCPG is a vectorization for the code property graph, which is proposed to characterize the key syntax and semantic features of the corresponding source code. GcGAT is a deep learning model based on the graph attention graph, which is proposed to solve the graph classification problem according to VecCPG. Finally, GraphEye is verified by the SARD Stack-based Buffer Overflow, Divide-Zero, Null Pointer Deference, Buffer Error, and Resource Error datasets, the corresponding F1 scores are 95.6%, 95.6%,96.1%,92.6%, and 96.1% respectively, which validate the effectiveness of the proposed solution.

Cryptography and Security,Machine Learning

Nai Xia,Bing Mao,Qingkai Zeng,Li Xie

DOI: https://doi.org/10.1007/978-3-540-77505-8_8

2007-01-01

Abstract:Control-hijacking attacks are known as critical threats to software security. Control flow monitoring is a kind of important method to mitigate this problem. In this paper, we present a new method for program control flow monitoring. Based on the static analysis of a program, we apply very simple instrumentation of a progam's source code to encode its runtime function level control flow traces and check the correctness of the traces in the OS kernel. Experiments show that this method has a tiny performance impact and is still highly effective in detecting control-hijacking attacks. We also propose to automatically handle non-standard control flow by learning programs' dynamic profiling data. Our method is hopeful to be enforceable in different environments because it does not depend closely on specific platform features and the underlying techniques can be easily found in many platforms.

Tao Zhang,Xiarun Chen,Zhong Chen

DOI: https://doi.org/10.1145/3630138.3630437

2024-01-01

Abstract:In modern research on program analysis and static vulnerability detection techniques, variables have consistently remained a critical focal point, especially concerning hazardous variables associated with crucial program operations. Analyzing the value ranges of variables in a program not only enhances the accuracy of program analysis but also provides further support for static vulnerability detection. This paper proposes a variable value range analysis method based on path analysis. By combining control flow graph analysis, data flow analysis, and abstract interpretation, it comprehensively analyzes the process from variable definition to its usage, iteratively capturing value ranges during the process to obtain more precise value range results. Experimental results demonstrate that the method presented in this paper accurately determines variable value ranges and is compatible with the analysis of various types of variables. Moreover, the paper's method successfully validates multiple security vulnerabilities, thereby substantiating its practical application value.

Yuchen Xing,Hanfei Wang,Jianhua Zhao

DOI: https://doi.org/10.1007/978-3-642-35795-4_58

2013-01-01

Abstract:This paper describes a tool which integrates three different kinds of data flow analysis techniques: null pointer dereference analysis, integer variables differences analysis and single linked list analysis. Each one of them can share and exchange program information with the other two. And also users can add properties manually to enhance the processing capabilities. Through the demonstration in the case study section, we can see that our tool achieves the goal to connect these three analysis techniques and can explore more insightful program information with the artificial help. © Springer-Verlag Berlin Heidelberg 2013.

Gabriel Ryan,Abhishek Shah,Dongdong She,Koustubha Bhat,Suman Jana

DOI: https://doi.org/10.48550/arXiv.1909.03461

2021-02-25

Abstract:Dataflow tracking with Dynamic Taint Analysis (DTA) is an important method in systems security with many applications, including exploit analysis, guided fuzzing, and side-channel information leak detection. However, DTA is fundamentally limited by the Boolean nature of taint labels, which provide no information about the significance of detected dataflows and lead to false positives/negatives on complex real world programs. We introduce proximal gradient analysis (PGA), a novel, theoretically grounded approach that can track more accurate and fine-grained dataflow information. PGA uses proximal gradients, a generalization of gradients for non-differentiable functions, to precisely compose gradients over non-differentiable operations in programs. Composing gradients over programs eliminates many of the dataflow propagation errors that occur in DTA and provides richer information about how each measured dataflow effects a program. We compare our prototype PGA implementation to three state of the art DTA implementations on 7 real-world programs. Our results show that PGA can improve the F1 accuracy of data flow tracking by up to 33% over taint tracking (20% on average) without introducing any significant overhead (<5% on average). We further demonstrate the effectiveness of PGA by discovering 22 bugs (20 confirmed by developers) and 2 side-channel leaks, and identifying exploitable dataflows in 19 existing CVEs in the tested programs.

Cryptography and Security