Bin Yu,Cong Tian,Hengrui Xing,Zuchao Yang,Jie Su,Xu Lu,Jiyu Yang,Liang Zhao,Xiaofeng Li,Zhenhua Duan

DOI: https://doi.org/10.1145/3611643.3616276

2023-01-01

Abstract:Interrupt-driven programs have been widely used in safety-critical areas such as aerospace and embedded systems. However, uncertain interleaving execution of interrupt service routines (ISRs) usually causes concurrency bugs. Specifically, when one or more ISRs attempt to preempt a sequence of instructions which are expected to be atomic, a kind of concurrency bugs namely atomicity violation may occur, and it is challenging to find this kind of bugs precisely and efficiently. In this paper, we propose a static approach for detecting atomicity violations in interrupt-driven programs. First, the program model is constructed with interruption points being selected to determine the possibly influenced ISRs. After that, reachability computation is conducted to build up a whole abstract reachability tree, and a delayed ISR-triggering strategy is employed to reduce the state space. Meanwhile, unserializable interleaving patterns are recognized to achieve the goal of atomicity violation detection. The approach has been implemented as a configurable tool namely CPA4AV. Extensive experiments show that CPA4AV is much more precise than the relative tools available with little extra time overhead. In addition, more complex situations can be dealt with CPA4AV.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Lei Wang,Qiang Zhang,Peng Zhao

DOI: https://doi.org/10.1109/SCAM.2008.24

2008-10-03

Abstract:Ensuring the correctness and reliability of software systems is one of the main problems in software development. Model checking, a static analysis method, is preponderant in improving the precision of vulnerabilities detection. However, when applied to buffer overflow and other bugs, it is hard to automatically construct the model for detecting the vulnerabilities. To address this problem we propose an approach that combines constraint based analysis and model checking together. We trace the memory size of buffer-related variables and instrument the code with corresponding constraint assertions before the potential vulnerable points by constraint based analysis. Then the problem of detecting vulnerabilities is converted into the problem of detecting vulnerabilities to verifying the reach ability of these assertions by model checking. In order to reduce the cost of model checking, program slicing is introduced to reduce the code size. CodeAuditor is a prototype implementation of our approach. With CodeAuditor, several yet unreported vulnerabilities are discovered in several open source software, and the performance is shown to be improved significantly with the help of program slicing.

Computer Science

Haining Feng,Liangze Yin,Wenfeng Lin,Xudong Zhao,Wei Dong

DOI: https://doi.org/10.1109/qrs-c51114.2020.00084

2020-01-01

Abstract:Interrupt-driven programs are widely used in aerospace, medical equipment, and other embedded systems that require extreme safety and stability. However, uncertain interrupt interleaving executions may cause serious data race problems. Static analysis is an important technology to detect data race problems. Existing methods are either too conservative to have low accuracy, or bring lots of false alarms, there still need a more effective solution. The program verification tool CBMC has an excellent performance in the analysis and verification of C multi-threaded modeling, but it doesn't support interrupt-driven programs. In this paper, we proposed a method based on CBMC to detect data race in interrupt-driven programs. Our method achieved accurate analysis of interrupt-driven programs by performing analysis toward interrupt preemption and synchronization semantics, and further validation of the program can be supported. Experiments results on related benchmarks demonstrate our approach's usability and effectiveness.

Liu Xin,Cai Wandong

DOI: https://doi.org/10.1109/iccsn.2011.6013559

2011-01-01

Abstract:In this article we address program errors, and through the static code analysis. First, we use inter-procedural based on analysis and blunt insensitive vulnerability testing model, — extracted from the source code. Second, we use of model checking to solve the model. In addition, we do alias analysis method is correct and accuracy testing model. This paper proposed concepts are aimed at those general class buffer of those loopholes and can be applied to the detection of buffer overrun vulnerabilities types such as format string of attacks, and the test code injection. In order to evaluate the effectiveness of CodeAuditor, use the tool to detect the loophole few C affinity grams. We take six open source applications as a test. Experimental results show that, 18 previously unknown vulnerabilities in six open source applications have found our tools. The observation is false positives in about 23%.

Yuan Zhang,Lei Qu,Yifei Wu,Leihuan Wu,Tingting Yu,Rui Chen,Weiqiang Kong

DOI: https://doi.org/10.1145/3705311

IF: 3.685

2024-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Detecting atomicity violations effectively in interrupt-driven programs is difficult due to the asymmetric concurrency interleaving of interrupts. Current approaches face two main challenges: (1) A large number of false positives are generated by efficient static analysis techniques. (2) Loops with large or unknown bounds in these programs limit the scalability of the bounded verification techniques. To address these challenges, we present NIChecker, a new bounded verification tool designed to detect atomicity violations in interrupt-driven programs. The key ideas are: (1) Transforming an interrupt-driven program into a bounded sequential C program through lazy sequentialization technique. This sequential program accurately models interrupt masking and nested interrupt execution. (2) Combining a refined loop abstraction technique with our sequentialization to enhance the efficiency of detecting programs with intractable loops. (3) Integrating slicing and an interleaving path reduction technique known as preemption point reduction in NIChecker to shrink the explored state space. We prove the bounded correctness of our translation and discuss the impact of our optimizations. We evaluate NIChecker on 31 academic benchmark programs and 18 real-world interrupt-driven programs. Our results show that NIChecker achieves better precision, a lower false positive rate, and a significant verification speed-up than related state-of-the-art tools.

Yu Wang,Junjing Shi,Linzhang Wang,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1145/2875913.2875943

2015-01-01

Abstract:Interrupt-driven programs are often embedded in safety-critical systems to perform hardware/resource dependent data operation tasks, such as data acquisition, processing, and transformation. The interrupt programs and tasks may happen in parallel which in a result causes indeterminist concurrent problems at runtime. Data race is one of the most popular problems challenging researchers and practitioners. Various static analysis, software testing approaches have been proposed to detect data races in source code, testing, and even production run. However, static analysis may report too many false positives due to the lack of execution information. Dynamic testing may miss some important races since it could not generate adequate test cases to test all possible execution scenarios. In this paper, we propose a hybrid approach to detect data races in interrupt-driven programs based on static analysis and dynamic simulation. We implemented a prototype tool and conducted a controlled experiment to demonstrate the applicability of our approach.

Ruixue Li,Bin Yu,Xu Lu,Lei Ke,Jiawei Chen,Zixuan Yuan,Jingxian Wang,Cong Tian,Yansong Dong

DOI: https://doi.org/10.1145/3691620.3695325

2024-01-01

Abstract:Interrupt-driven programs are widely used in safety-critical fields like aerospace and embedded systems. However, the unpredictable interleaving of Interrupt Service Routines (ISRs) can lead to concurrency bugs, particularly atomicity violations when ISRs preempt atomic sequences of instructions. To address this, we propose a dynamic approach for detecting atomicity violations in interrupt-driven programs. Extensive experiments demonstrate that our method is more precise and efficient than related approaches.

Jiangchao Liu,Liqian Chen,Xavier Rival

DOI: https://doi.org/10.1109/tcad.2018.2858462

IF: 2.9

2018-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:User-space programs rely on memory allocation primitives when they need to construct dynamic structures such as lists or trees. However, low-level OS kernel services and embedded device drivers typically avoid resorting to an external memory allocator in such cases, and store structure elements in contiguous arrays instead. This programming pattern leads to very complex code, based on data-structures that can be viewed and accessed either as arrays or as chained dynamic structures. The code correctness then depends on intricate invariants mixing both aspects. We propose a static analysis that is able to verify such programs. It relies on the combination of abstractions of the allocator array and of the dynamic structures built inside it. This approach allows to integrate program reasoning steps inherent in the array and in the chained structure into a single abstract interpretation. We report on the successful verification of several embedded OS kernel services and drivers.

Xinyu Feng,Zhong Shao,Yu Guo,Yuan Dong

DOI: https://doi.org/10.1007/s10817-009-9118-9

2009-01-01

Journal of Automated Reasoning

Abstract:Hardware interrupts are widely used in the world’s critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques—including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method—have consistently ignored the issues of interrupts; this severely limits the applicability and power of today’s program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to—for the first time—successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.

Jianqi Shi,Longfei Zhu,Yanhong Huang,Jian Guo,Huibiao Zhu,Huixing Fang,Xin Ye

DOI: https://doi.org/10.1109/tase.2012.46

2012-01-01

Abstract:Interrupt mechanism is indispensable in embedded software due to lots of factors such as switching context and enhancing efficiency. In this context, the traditional way to ensure the correctness of software will not remain in force. Having the interrupt is envolved, the complicated and nondeterminism environment should be taken into consideration during the verification process. In this paper, we propose a novel way to verify the interrupt safety properties based on low-level binary code. At first, an Abstract xBIL is transformed from the xBIL with the time and interrupt properties reserved. xBIL [1] is a binary intermediate language we proposed to represent the machine instructions on multiple architectures. Afterwards, we present an automatic way to construct the Discrete-Time Markov Chains [2] from the Abstract xBIL code. After that, the properties can be easily generated and quantitative analysis could be performed. To prove the feasibility of our approach, we have applied our method to the verification of a commercial automotive operating system and it is proved to be of great help with the development of software.

Zhihong Tian,Binxing Fang,Bin Li,Hongli Zhang

2005-01-01

Abstract:Intrusion detection systems are used to alert system administrators to malicious attacks. Unfortunately, running without any information of the network resources that they protect, intrusion detection systems are notorious for generating a large number of alerts that are either not related to malicious activity or not representative of a successful attack. To address this shortcoming, this paper presents a vulnerability-driven active alert verification approach that performs real-time verification of attacks detected by an intrusion detection system. By means of checking for the vulnerability that the attack attempts to exploit, we can verify whether the attack has succeeded or not. The Experimental evaluation illustrates that it is a useful tool for reducing the false positive rate.

Zhihong Tian,Binxing Fang,Bin Li,Hongli Zhang

2005-01-01

Abstract:Intrusion detection systems are used to alert system administrators to malicious attacks. Unfortunately, running without any information of the network resources that they protect, intrusion detection systems are notorious for generating a large number of alerts that are either not related to malicious activity or not representative of a successful attack. To address this shortcoming, this paper presents a vulnerability-driven active alert verification approach that performs real-time verification of attacks detected by an intrusion detection system. By means of checking for the vulnerability that the attack attempts to exploit, we can verify whether the attack has succeeded or not. The Experimental evaluation illustrates that it is a useful tool for reducing the false positive rate.

J. Vadayath,Kyle Zeng,Christophe Hauser,Ruoyu Wang,Y. Fratantonio,Tiffany Bao,Adam Doupé,Nicolaas Weideman,Yan Shoshitaishvili,Moritz Eckert,Gokulkrishna Praveen Menon,D. Balzarotti

Abstract:In spite of their effectiveness in the context of vulnerability discovery, current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. In this paper, we identify a set of vulnerability properties that can aid both static and dynamic vulnerability detection techniques, improving the precision of the former and the scalability of the latter. By carefully integrating static and dynamic techniques, we detect vulnerabilities that exhibit these properties in real-world programs at a large scale. We implemented our technique, making several advancements in the analysis of binary code, and created a prototype called A RBITER . We demonstrate the effectiveness of our approach with a large-scale evaluation on four common vulnerability classes: CWE-131 (Incorrect Calculation of Buffer Size), CWE-252 (Unchecked Return Value), CWE-134 (Un-controlled Format String), and CWE-337 (Predictable Seed in Pseudo-Random Number Generator). We evaluated our approach on more than 76,516 x86-64 binaries in the Ubuntu repositories and discovered new vulnerabilities, including a flaw inserted into programs during compilation.

Computer Science

Yu Wang,Fengjuan Gao,Linzhang Wang,Tingting Yu,Ke Wang,Jianhua Zhao,Xuandong Li

2023-05-29

Abstract:Interrupt-driven programs are widely deployed in safety-critical embedded systems to perform hardware and resource dependent data operation tasks. The frequent use of interrupts in these systems can cause race conditions to occur due to interactions between application tasks and interrupt handlers (or two interrupt handlers). Numerous program analysis and testing techniques have been proposed to detect races in multithreaded programs. Little work, however, has addressed race condition problems related to hardware interrupts. In this paper, we present SDRacer, an automated framework that can detect, validate and repair race conditions in interrupt-driven embedded software. It uses a combination of static analysis and symbolic execution to generate input data for exercising the potential races. It then employs virtual platforms to dynamically validate these races by forcing the interrupts to occur at the potential racing points. Finally, it provides repair candidates to eliminate the detected races. We evaluate SDRacer on nine real-world embedded programs written in C language. The results show that SDRacer can precisely detect and successfully fix race conditions.

Software Engineering

Binfa Gui,Wei Song,Hailong Xiong,Jeff Huang

DOI: https://doi.org/10.1109/tse.2021.3121994

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:C/C++ programs frequently encounter memory errors, such as Use-After-Free (UAF), buffer overflow, and integer overflow. Among these memory errors, UAF vulnerabilities are increasingly being exploited by attackers to disrupt critical software systems, leading to serious consequences, such as remote code execution and data breaches. Researchers have proposed dozens of approaches to detect UAFs in testing environments and to mitigate UAF exploit in production environments. However, to the best of our knowledge, no comprehensive studies have evaluated and compared these approaches. In this paper, we shed light on the current UAF detection and exploit mitigation approaches and provide a systematic overview, comprehensive comparison, and evaluation. Specifically, we evaluate the effectiveness and efficiency of publicly available UAF detection and exploit mitigation tools. The experimental results show that static UAF detectors are suitable for detecting intra-procedural UAFs but are not sufficient to detect inter-procedural UAFs in real-world programs. Dynamic UAF detectors are still the first choice for detecting inter-procedural UAFs. Our evaluation also demonstrates that the runtime overhead of existing UAF exploit mitigation tools is relatively stable whereas the memory overhead may vary dramatically with respect to different programs. Finally, we envision potential valuable future research directions.

Xueguang Wu,Liqian Chen,Antoine Mine,Wei Dong,Ji Wang

DOI: https://doi.org/10.1145/2914789

2016-01-01

ACM Transactions on Embedded Computing Systems

Abstract:Embedded software often involves intensive numerical computations and thus can contain a number of numerical runtime errors. The technique of numerical static analysis is of practical importance for checking the correctness of embedded software. However, most of the existing approaches of numerical static analysis consider sequential programs, while interrupts are a commonly used technique that introduces concurrency in embedded systems. To this end, a numerical static analysis approach is desired for embedded software with interrupts. In this paper, we propose a sound numerical static analysis approach specifically for interrupt-driven programs based on sequentialization techniques. A key benefit of using sequentialization is the ability to leverage the power of the state-of-the-art analysis and verification techniques for sequential programs to analyze interrupt-driven programs. To be more clear, we first propose a sequentialization algorithm to sequentialize interrupt-driven programs into non-deterministic sequential programs according to the semantics of interrupts. On this basis, we leverage the power of numerical abstract interpretation to analyze numerical properties of the sequentialized programs. Moreover, to improve the analysis precision, we design specific abstract domains to analyze sequentialized interrupt-driven programs by considering their specific features. Finally, we present encouraging experimental results obtained by our prototype implementation.

Jingwen Zhao,Yanxia Wu,Yun Feng,Jibin Dong,Changting Shi

DOI: https://doi.org/10.1002/smr.2725

2024-01-01

Abstract:Atomicity violation bugs are a frequent problem in concurrency. Because of the unpredictable nature of thread interleaving, most current methods are unable to differentiate between harmful and benign atomicity violations. This makes it challenging to determine the existence of an actual bug. This paper presents a method for detecting atomicity violation bugs in programs based on user interaction. First, UserTrack matches access interleaving patterns to identify all potential violations. We then verify the programmer's atomicity intent between two logical access operations on the same thread and filter out some candidates. Finally, a user interaction mechanism checks the paths that do not produce atomicity violations when threads are interleaved. Our method focuses on a small number of interesting states and interleavings, while allowing the programmer to impose constraints on thread interleavings and explore all executions that satisfy these constraints. We continuously gather information through user feedback results and detect atomicity violation bugs that truly go against the programmer's intent. We evaluated the method using benchmark tests, which demonstrated the effectiveness of UserTrack in detecting atomicity violations. This method verifies the atomicity intent between nonserializable interleaving and logical access operations, allows programmers to impose constraints on thread interleaving, and explores all executions that satisfy these constraints and continuously gain information through user feedback to identify atomicity violation bugs that truly violate the programmer's intent. image

Minxue Pan,Shouyu Chen,Yu Pei,Tian Zhang,Xuandong Li

DOI: https://doi.org/10.1109/icse.2019.00037

2019-01-01

Abstract:The widespread real-time and embedded systems are mostly interrupt-driven because their heavy interaction with the environment is often initiated by interrupts. With the interrupt arrival being unpredictable and the interrupt handling being preemptive, a large number of possible system behaviours are generated, which makes the correctness assurance of such systems difficult and costly. Model checking is considered to be one of the effective methods for exhausting behavioural state space for correctness. However, existing modelling approaches for interrupt-driven systems are based on either calculus or automata theory, and have a steep learning curve. To address this problem, we propose a new modelling language called interrupt sequence diagram (ISD). By extending the popular UML sequence diagram notations, the ISD supports the modelling of interrupts' essential features visually and concisely. We also propose an automata-based semantics for ISD, based on which ISD can be transformed to a subset of hybrid automata so as to leverage the abundant off-the-shelf checkers. Experiments on examples from both real-world and existing literature were conducted, and the results demonstrate our approach's usability and effectiveness.

Xueguang Wu,Yanjun Wen,Liqian Chen,Wei Dong,Ji Wang

DOI: https://doi.org/10.1109/SERE-C.2013.33

2013-01-01

Abstract:In Cyber-Physical Systems with interrupt mechanism, interrupts may cause unexpected interleaving executions and even wrong execution results. A kind of frequently occurred errors are caused by data race. We present an approach under the framework of bounded model checking (BMC) to detect data race for interrupt driven programs. The key idea is to automatically serialize a concurrent interrupt driven program as a non-deterministic sequential program, whose possible execution set includes all the possible executions of the interrupt driven program. Moreover, our approach checks data race in the sequential program and collects all the path condition of the data race location. On this basis, we leverage bounded model checking to convert all the path conditions into SMT formulae. Furthermore, our analysis uses a decision procedure to determine whether the formula is satisfiable, from which the analysis eliminates false alarms which can't occur in real concurrent executions. A prototype based on CBMC is implemented and preliminary experimental results are encouraging.