Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.3785/j.issn.1008-973X.2015.06.005

2015-01-01

Abstract:A points-to analysis approach was proposed to generate partial call graphs of application part without analyzing the method bodies of libraries. A set of rules was bulit to model the interaction between application and libraries in order to infer the pointer information libraries. The approach was implemented based on the Soot program analysis framework. The performance, completeness and precision of generated call graphs were evaluated on 14 Java benchmarks. The experimental results showed that the proposed approach was faster than Averroes and Spark call graph construction approaches by a factor of 4.9 xand13. 7xrespectively. Meanwhile, the proposed approach can construct complete and precise partial call graphs.

Shuang Hu,Baojian Hua,Lei Xia,Yang Wang

DOI: https://doi.org/10.1109/qrs57517.2022.00101

2022-01-01

Abstract:Rust is a new safe system programming language enforcing safety guarantees by novel language features, a rich type system, and strict compile-time checking rules, and thus has been used extensively to build system software. For multilingual Rust applications containing external C code, memory security vulnerabilities can occur due to the intrinsically unsafe nature of C and the improper interactions between Rust and C. Unfortunately, existing security studies on Rust only focus on pure Rust code but cannot analyze either the native C code or the Rust/C interactions in multilingual Rust applications. As a result, the lack of such studies may defeat the guarantee that Rust is a safe language.This paper presents CRust, a unified program analysis framework across Rust and C, which enables program analyses to understand the semantics of C code by translating Rust and C into a unified specification language. The CRust framework consists of three key components: (1) a unified specification language CRustIR, which is a strong-typed low-level intermediate language suitable for program analysis; (2) a transformation to build models of C code by converting C code into CRustIR; and (3) program analysis algorithms on CRustIR to detect security vulnerabilities. We have implemented a software prototype for CRust, and have conducted extensive experiments to evaluate its effectiveness and performance. Experimental results demonstrated that CRust can effectively detect common memory security vulnerabilities caused by the interaction of Rust and C that are missed by state-of-the-art tools. In addition, CRust is efficient in bringing negligible overhead (0.23 seconds on average).

Jianyu Jiang,Shixiong Zhao,Danish Alsayed,Yuexuan Wang,Heming Cui,Feng Liang,Zhaoquan Gu

DOI: https://doi.org/10.1145/3134600.3134607

2017-01-01

Abstract:Big-data frameworks (e.g., Spark) enable computations on tremendous data records generated by third parties, causing various security and reliability problems such as information leakage and programming bugs. Existing systems for big-data security (e.g., Titian) track data transformations in a record level, so they are imprecise and too coarse-grained for these problems. For instance, when we ran Titian to drill down input records that produced a buggy output record, Titian reported 3 to 9 orders of magnitude more input records than the actual ones. Information Flow Tracking (IFT) is a conventional approach for precise information control. However, extant IFT systems are neither efficient nor complete for big-data frameworks, because theses frameworks are data-intensive, and data flowing across hosts is often ignored by IFT. This paper presents KAKUTE, the first precise, fine-grained in- formation flow analysis system for big-data. Our insight on mak- ing IFT efficient is that most fields in a data record often have the same IFT tags, and we present two new efficient techniques called Reference Propagation and Tag Sharing. In addition, we design an efficient, complete cross-host information flow propagation approach. Evaluation on seven diverse big-data programs (e.g., WordCount) shows that KAKUTE had merely 32.3% overhead on average even when fine-grained information control was en abled. Compared with Titian, KAKUTE precisely drilled down the actual bug inducing input records, a huge reduction of 3 to 9 or ders of magnitude. KAKUTE's performance overhead is comparable with Titian. Furthermore, KAKUTE effectively detected 13 real world security and reliability bugs in 4 diverse problems, including information leakage, data provenance, programming and performance bugs. KAKUTE'S source code and results are available on https://github.com/hku-systems/kakute.

Baojian Hua,Wanrong Ouyang,Chengman Jiang,Qiliang Fan,Zhizhong Pan

DOI: https://doi.org/10.1145/3485832.3485841

2021-01-01

Abstract:Rust is an emerging programming language which aims to provide both safety guarantee and runtime efficiency, and has been used extensively in system programming scenarios. However, as Rust consists of an unsafe language subset unsafe, Rust programs are still vulnerable to severe security attacks which may defeat its safety guarantees. Existing studies on Rust security focus on the detection of vulnerabilities but seldom consider the bug fix issues. Meanwhile, it is often time-consuming and error-prone for Rust developers to understand and fix bugs manually, due to Rust’s advanced language features. In this paper, we present Rupair, an automated rectification system, to detect and fix one sort of the most severe Rust vulnerabilities—buffer overflows, and to help developers release secure Rust projects. The key technical component of Rupair is a novel security oriented lightweight data-flow analysis algorithm, which makes use of Rust’s two primary intermediate representations and works across the boundary of Rust’s safe and unsafe sub-languages. To evaluate the effectiveness of Rupair, we first apply it to all 4 reported buffer overflow-related CVEs and vulnerabilities (as of June 20, 2021). Experiment results demonstrated that Rupair successfully detected and rectified all these CVEs. To testify the scalability of Rupair, we collected 36 open-source Rust projects from 8 different application domains, consisting of 5,108,432 lines of Rust source code, and applied Rupair on these projects. Experiment results showed that Rupair successfully identified 14 previously undiscovered buffer overflow vulnerabilities in these projects, and rectified all of them. Moreover, Rupair is efficient, only introduced 3.6% overhead to each rectified Rust program on average.

Lei Xia,Yufei Wu,Baojian Hua

DOI: https://doi.org/10.1109/qrs-c60940.2023.00102

2023-01-01

Abstract:Rust is a modern system-level programming language providing strong security guarantees, which has been widely applied in building software infrastructures. However, unsafe Rust, a language feature introduced for programming flexibility and efficiency, can be prone to memory vulnerabilities due to the lack of compile-time and run-time checks. Worse yet, it is challenging to diagnose such memory vulnerabilities in Rust programs, due to the subtle interactions between the safe and unsafe code. This paper presents Rustcheck, the first memory safety enhancement framework for dynamic program analysis of Rust programs. The key idea of Rustcheck is to dynamically detect memory safety issues caused by the improper use of unsafe Rust through static instrumentations. We have implemented a software prototype for Rustcheck and conducted experiments to evaluate the effectiveness and performance of it by applying Rustcheck to 56 CVES from real-world Rust projects. And experimental results showed that Rustcheck can successfully detect all of 65 memory vulnerabilities in CVEs, with low runtime overhead (3.30% on average) to the Rust projects being checked.

Tian Tan,Yue Li,Xiaoxing Ma,Chang Xu,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3485524

2021-01-01

Proceedings of the ACM on Programming Languages

Abstract:Traditional context-sensitive pointer analysis is hard to scale for large and complex Java programs. To address this issue, a series of selective context-sensitivity approaches have been proposed and exhibit promising results. In this work, we move one step further towards producing highly-precise pointer analyses for hard-to-analyze Java programs by presenting the Unity-Relay framework, which takes selective context sensitivity to the next level. Briefly, Unity-Relay is a one-two punch: given a set of different selective context-sensitivity approaches, say S = S1, . . . , Sn, Unity-Relay first provides a mechanism (called Unity)to combine and maximize the precision of all components of S. When Unity fails to scale, Unity-Relay offers a scheme (called Relay) to pass and accumulate the precision from one approach Si in S to the next, Si+1, leading to an analysis that is more precise than all approaches in S. As a proof-of-concept, we instantiate Unity-Relay into a tool called Baton and extensively evaluate it on a set of hard-to-analyze Java programs, using general precision metrics and popular clients. Compared with the state of the art, Baton achieves the best precision for all metrics and clients for all evaluated programs. The difference in precision is often dramatic — up to 71% of alias pairs reported by previously-best algorithms are found to be spurious and eliminated.

Zhiyuan Wan,Bo Zhou,Ye Wang,Yuanhong Shen

2014-01-01

Abstract:Many static analysis tools provide whole-program analysis to generate call graphs. However, the whole-program analysis suffers from scalability issue. The increasing size of the libraries exacerbates the issue. For many Web applications, the libraries (e.g. Servlet containers) are even not available for whole-program analysis. We present HyPta, a points-to analysis approach, to construct partial call graphs for Java programs. HyPta extends the standard points-to analysis by establishing a hybrid heap model. Since our approach does not analyze the method bodies of the library classes, the heap model distinguishes between the abstract memory locations in the application and those in the library. HyPta infers the pointer information in the library from the interactions between the application and the library. We implement HyPta based on Spark framework and evaluate it on 14 widely cited Java benchmarks. The evaluation shows that HyPta is faster than Averroes and Spark by a factor of 4.9x and 13.7x, respectively. Meanwhile, it constructs sound and precise partial call graphs.

Jianhao Guo,Siliang Tang,Juncheng Li,Kaihang Pan,Lingfei Wu

DOI: https://doi.org/10.1109/tkde.2023.3328645

IF: 9.235

2024-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Dynamic graph-based data are ubiquitous in the real world, such as social networks, finance systems, and traffic flow. Fast and accurately detecting anomalies in these dynamic graphs is of vital importance. However, despite promising results the current anomaly detection methods have achieved, there are two major limitations when coping with dynamic graphs. The first limitation is that the topological structures and the temporal dynamics have been modeled separately, resulting in less expressive features for detection. The second limitation is that the models have been trained by unreliable noisy labels generated by random negative sampling, rendering it severely vulnerable to subtle perturbations. To overcome the above limitations, we propose RustGraph, a robust anomaly detection framework by jointly learning structural-temporal dependency in dynamic graphs. To this end, we design a variational graph auto-encoder with informative prior that simultaneously encodes both graph structural and temporal information. Then we introduce a fine-grained contrastive learning method to learn better node representations by utilizing the temporal consistency between two snapshots. Furthermore, we formulate the noisy label learning problem for anomaly detection in dynamic graph, and then propose a robust anomaly detector to improve the model performance by leveraging learned graph structure signal. Our extensive experiments on six real-world datasets demonstrate the proposed RustGraph method achieves state-of-the-art performance with an average of 3.64% improvement on AUC-ROC metric compared with all baselines. The codes are available at https://github.com/aubreygjh/RustGraph .

Boqin Qin,Yilun Chen,Haopeng Liu,Hua Zhang,Qiaoyan Wen,Linhai Song,Yiying Zhang

DOI: https://doi.org/10.1109/tse.2024.3380393

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Rust is a relatively new programming language designed for systems software development. Its objective is to combine the safety guarantees typically associated with high-level languages with the performance efficiency often found in executable programs implemented in low-level languages. The core design of Rust is a set of strict safety rules enforced through compile-time checks. However, to support more low-level controls, Rust also allows programmers to bypass its compiler checks by writing unsafe code. As the adoption of Rust grows in the development of safety-critical software, it becomes increasingly important to understand what safety issues may elude Rust’s compiler checks and manifest in real Rust programs.In this paper, we conduct a comprehensive, empirical study of Rust safety issues by close, manual inspection of 70 memory bugs, 100 concurrency bugs, and 110 programming errors leading to unexpected execution panics from five open-source Rust projects, five widely-used Rust libraries, and two online security databases. Our study answers three important questions: what memory-safety issues real Rust programs have, what concurrency bugs Rust programmers make, and how unexpected panics in Rust programs are caused. Our study reveals interesting real-world Rust program behaviors and highlights new issues made by Rust programmers. Building upon the findings of our study, we design and implement five static detectors. After being applied to the studied Rust programs and another 12 selected Rust projects, our checkers pinpoint 96 previously unknown bugs and report a negligible number of false positives, confirming their effectiveness and the value of our empirical study.

Son Ho,Guillaume Boisseau,Lucas Franceschino,Yoann Prak,Aymeric Fromherz,Jonathan Protzenko

2024-10-24

Abstract:With the explosion in popularity of the Rust programming language, a wealth of tools have recently been developed to analyze, verify, and test Rust programs. Alas, the Rust ecosystem remains relatively young, meaning that every one of these tools has had to re-implement difficult, time-consuming machinery to interface with the Rust compiler and its cargo build system, to hook into the Rust compiler's internal representation, and to expose an abstract syntax tree (AST) that is suitable for analysis rather than optimized for efficiency. We address this missing building block of the Rust ecosystem, and propose Charon, an analysis framework for Rust. Charon acts as a swiss-army knife for analyzing Rust programs, and deals with all of the tedium above, providing clients with a clean, stable AST that can serve as the foundation of many analyses. We demonstrate the usefulness of Charon through a series of case studies, ranging from a Rust verification framework (Aeneas), a compiler from Rust to C (Eurydice), and a novel taint-checker for cryptographic code. To drive the point home, we also re-implement a popular existing analysis (Rudra), and show that it can be replicated by leveraging the Charon framework.

Programming Languages

Vlad-Alexandru Teodorescu,Dorel Lucanu

DOI: https://doi.org/10.4204/EPTCS.410.7

2024-10-31

Abstract:Pointers are a powerful, but dangerous feature provided by the C and C++ programming languages, and incorrect use of pointers is a common source of bugs and security vulnerabilities. Making secure software is crucial, as vulnerabilities exploited by malicious actors not only lead to monetary losses, but possibly loss of human lives. Fixing these vulnerabilities is costly if they are found at the end of development, and the cost will be even higher if found after deployment. That is why it is desirable to find the bugs as early in the development process as possible. We propose a framework that can statically find use-after-free bugs at compile-time and report the errors to the users. It works by tracking the lifetime of objects and memory locations pointers might point to and, using this information, a possibly invalid dereferencing of a pointer can be detected. The framework was tested on over 100 handwritten small tests, as well as 5 real-world projects, and has shown good results detecting errors, while at the same time highlighting some scenarios where false positive reports may occur. Based on the results, it was concluded that our framework achieved its goals, as it is able to detect multiple patterns of use-after-free bugs, and correctly report the errors to the programmer.

Formal Languages and Automata Theory

Xiangjun Han,Baojian Hua,Yang Wang,Ziyao Zhang

DOI: https://doi.org/10.1109/qrs-c57518.2022.00122

2022-01-01

Abstract:Rust is an emerging programming language designed for both performance and security, and thus many research efforts have been conducted recently to migrate legacy code bases in C/C++ to Rust to exploit Rust's safety benefits. Unfortunately, prior studies on C to Rust conversion still have three limitations: 1) complex structure; 2) code explosion; and 3) poor performance. These limitations greatly affect the effectiveness and usefulness of such conversions. This paper presents RUSTY, the first system for effective C to Rust code conversion via unstructured control specialization. The key technical insight of RUSTY is to implement C-style syntactic sugars on top of Rust, thus eliminating the discrepancies between the two languages. We have implemented a software prototype for RUSTY and conducted experiments to evaluate the effectiveness and testify the usefulness of it by applying RUSTY to micro-benchmarks, as well as 3 realworld C projects: 1) Vim; 2) cURL; and 3) the silver searcher. And experimental results demonstrated that RUSTY is effective in eliminating unstructured controls, reducing the code size by 16% on average with acceptable overhead (less than 61 microseconds per line of C code).

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Yue Li,Tian Tan,Anders Moller,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3276511

2018-01-01

Proceedings of the ACM on Programming Languages

Abstract:Context sensitivity is an essential technique for ensuring high precision in Java pointer analyses. It has been observed that applying context sensitivity partially, only on a select subset of the methods, can improve the balance between analysis precision and speed. However, existing techniques are based on heuristics that do not provide much insight into what characterizes this method subset. In this work, we present a more principled approach for identifying precision-critical methods, based on general patterns of value flows that explain where most of the imprecision arises in context-insensitive pointer analysis. Accordingly, we provide an efficient algorithm to recognize these flow patterns in a given program and exploit them to yield good tradeoffs between analysis precision and speed. Our experimental results on standard benchmark and real-world programs show that a pointer analysis that applies context sensitivity partially, only on the identified precision-critical methods, preserves effectively all (98.8%) of the precision of a highly-precise conventional context-sensitive pointer analysis (2-object-sensitive with a context-sensitive heap), with a substantial speedup (on average 3.4X, and up to 9.2X).

Pingyan Wang,Shaoying Liu

DOI: https://doi.org/10.1142/s0218194024500013

IF: 1.007

2024-02-23

International Journal of Software Engineering and Knowledge Engineering

Abstract:International Journal of Software Engineering and Knowledge Engineering, Ahead of Print. Pointer analysis is the underlying technique of many static analysis tools for vulnerability discovery. It has proved to be effective in identifying a variety of vulnerabilities, such as buffer overflow vulnerabilities and injection vulnerabilities. However, most existing pointer analysis approaches require whole-program availability, i.e. the program to be analyzed should be complete, which may hinder a timely analysis during the coding phase. In this paper, we present two approaches, exhaustive and demand-driven pointer analyses, both of which are applied to a paradigm known as Human–Machine Pair Programming. The ideas enable us to discover security flaws as early as in the coding phase. In this paper, we describe in detail how our approaches maintain flow sensitivity and propagate points-to and taint information in an incremental fashion. We conduct an evaluation of our approaches on SecuriBench Micro and show that the approaches can capture all the potential vulnerabilities in the test cases, though several false alarms are reported.

computer science, artificial intelligence,engineering, electrical & electronic, software engineering

Mohan Cui,Chengjun Chen,Hui Xu,Yangfan Zhou

DOI: https://doi.org/10.1145/3542948

IF: 3.685

2022-06-21

ACM Transactions on Software Engineering and Methodology

Abstract:Rust is an emerging programming language that aims to prevent memory-safety bugs. However, the current design of Rust also brings side effects, which may increase the risk of memory-safety issues. In particular, it employs OBRM (ownership-based resource management) and enforces automatic deallocation of unused resources without using the garbage collector. It may therefore falsely deallocate reclaimed memory and lead to use-after-free or double-free issues. In this paper, we study the problem of invalid memory deallocation and propose SafeDrop , a static path-sensitive data-flow analysis approach to detect such bugs. Our approach analyzes each function of a Rust crate iteratively in a flow-sensitive and field-sensitive way. It leverages a modified Tarjan algorithm to achieve scalable path-sensitive analysis and a cache-based strategy for efficient inter-procedural analysis. We have implemented our approach and integrated it into the Rust compiler. Experiment results show that the approach can successfully detect all such bugs in our experiments with a limited number of false positives and incurs a very small overhead compared to the original compilation time.

computer science, software engineering

Yue Li,Tian Tan,Anders Moller,Yannis Smaragdakis

DOI: https://doi.org/10.1145/3236024.3236041

2018-01-01

Abstract:Context-sensitivity is important in pointer analysis to ensure high precision, but existing techniques suffer from unpredictable scalability. Many variants of context-sensitivity exist, and it is difficult to choose one that leads to reasonable analysis time and obtains high precision, without running the analysis multiple times. We present the Scaler framework that addresses this problem. Scaler efficiently estimates the amount of points-to information that would be needed to analyze each method with different variants of context-sensitivity. It then selects an appropriate variant for each method so that the total amount of points-to information is bounded, while utilizing the available space to maximize precision. Our experimental results demonstrate that Scaler achieves predictable scalability for all the evaluated programs (e.g., speedups can reach 10x for 2-object-sensitivity), while providing a precision that matches or even exceeds that of the best alternative techniques.

Yufei Wu,Baojian Hua

DOI: https://doi.org/10.1109/QRS60937.2023.00057

2023-01-01

Abstract:Despite the fact that Rust is designed to be a secure programming language for system programming, it is still vulnerable and exploitable due to its inclusion of an unsafe sub-language. However, existing studies on Rust security only focus on static detection or rectification of vulnerability, but ignore the problem of timely and effective rectifications of vulnerabilities dynamically. In this paper, to fill this gap, we present RUSPATCH, the first infrastructure to timely and effectively patch vulnerable Rust applications. RUSPATCH consists of two main phases: static partitioning and dynamic patching. In the static partitioning phase, RUSPATCH divides the candidate program into target code and patch candidates via a customized compiler. During the patching phase, RUSPATCH dynamically validates and applies the security patch once a vulnerability is detected. To realize the whole process, we tackled three technical challenges of language discrepancy, efficiency issues, and security threats. We have designed and implemented a software prototype for RUSPATCH, and have conducted extensive experiments to evaluate its effectiveness, performance, overhead, and usefulness. Experimental results demonstrated that RusPATCH is effective in patching off-the-shelf Rust applications including real-world Rust CVEs, and the extra overhead RusPATCH introduced is less than 3.28% and thus insignificant. Furthermore, RUSPATCH is easy to incorporate into existing Rust applications without any manual interventions.

Wanrong Ouyang,Baojian Hua

DOI: https://doi.org/10.1109/ISSREW53611.2021.00063

2021-01-01

Abstract:Documentation and comments are important for any software project. Although documentation is not executed, it is useful for many purposes, such as code comprehension, reuse, and maintenance. As a project evolves, the code and documentation can easily grow out-of-sync, and inconsistencies are introduced, which can mislead developers and introduce new bugs in subsequent developments. Recent studies have shown it is promising to use natural language processing and machine learning to detect inconsistencies between code and documentation. However, it's challenging to apply existing techniques to detect code-document inconsistency in Rust programs, as Rustdoc supports advanced document features like document testing, which makes existing solutions inapplicable. This paper presents the first software tool prototype, 'R, to detect and understand code-document inconsistencies in Rust. To perform such analysis, 'R leverages static program analysis, not only on Rust source code, but also on document testing code, to detect inconsistency indicating either bugs or bad documentation. To evaluate the effectiveness of 'R, we applied it to 37 open source Rust projects from 9 domains, with a total of 6,192,251 lines of Rust source code (with 322,330 lines of comments). The results of the analysis give interesting insights, for example: the cryptocurrency domain has the highest documentation ratio (58.23%), documentation testing is rarely used (ratio 2.30% on average) in real-world Rust projects in all domains, etc. Based on these findings, we propose recommendations to guide the construction of better Rust documentation, better Rust documentation quality detection tools, and boarder adoption of the language.

Wanrong Ouyang,Baojian Hua

DOI: https://doi.org/10.1109/issrew53611.2021.00063

2021-01-01

Abstract:Documentation and comments are important for any software project. Although documentation is not executed, it is useful for many purposes, such as code comprehension, reuse, and maintenance. As a project evolves, the code and documentation can easily grow out-of-sync, and inconsistencies are introduced, which can mislead developers and introduce new bugs in subsequent developments. Recent studies have shown it is promising to use natural language processing and machine learning to detect inconsistencies between code and documentation. However, it's challenging to apply existing techniques to detect code-document inconsistency in Rust programs, as Rustdoc supports advanced document features like document testing, which makes existing solutions inapplicable. This paper presents the first software tool prototype, 'R, to detect and understand code-document inconsistencies in Rust. To perform such analysis, 'R leverages static program analysis, not only on Rust source code, but also on document testing code, to detect inconsistency indicating either bugs or bad documentation. To evaluate the effectiveness of 'R, we applied it to 37 open source Rust projects from 9 domains, with a total of 6,192,251 lines of Rust source code (with 322,330 lines of comments). The results of the analysis give interesting insights, for example: the cryptocurrency domain has the highest documentation ratio (58.23%), documentation testing is rarely used (ratio 2.30% on average) in real-world Rust projects in all domains, etc. Based on these findings, we propose recommendations to guide the construction of better Rust documentation, better Rust documentation quality detection tools, and boarder adoption of the language.