Sen Ma,MingYang Jiao,ShiKun Zhang,Wen Zhao,Dong Wei Wang

DOI: https://doi.org/10.1109/issrew.2015.7392049

2015-01-01

Abstract:This paper proposes a practical static analysis tool named LUKE, for detecting null pointer dereferences (NPD) in C programs. LUKE first uses a guarded value-dependence graph (VDG) to track the dependence relations of values, and then detects NPD by solving the graph reachability problem on its VDG. To improve accuracy as well as scalability, the detection algorithm leverages heuristic inference algorithms and the results of control dependences analysis. We evaluated LUKE on 10 large-scale open source projects, and the results show that LUKE has a false positive rate of only 4.3%, which is much lower than Clang, Saturn and Calysto. The analysis speed is also 4.6X, 15.5X and 17.9X faster, respectively. On the evaluated benchmarks, LUKE succeeds in finding a superset of the bugs reported by the published tools we investigated. We also show that LUKE scales to 416,500 lines of code, the largest benchmark we had.

Rulin Xu,Xiaoguang Mao,Luohui Chen,Yue Yu

DOI: https://doi.org/10.1109/jcc59055.2023.00014

2023-01-01

Abstract:Memory vulnerability detection aims to identify software defects that can compromise memory safety. However, existing methods often struggle to achieve both high precision and efficiency. This paper presents a high-precision memory vulnerability detection approach based on value flow analysis and parallel computing. We first construct a static semantic representation called SVFG to enable precise detection of memory vulnerabilities such as null pointer dereference and use-after-free. We then perform dependency-aware path feasibility analysis using an SMT solver to reduce false positives. Finally, we develop a task-level parallel framework to accelerate the constraint solving process and improve efficiency.We evaluate our approach on the Juliet test set of over 2,000 test cases and 7 open-source projects. Experimental results show that our dependency-aware analysis can achieve 0.5%-2.05% false positive rates, outperforming traditional approaches and existing tools. Our task-level parallel framework can achieve up to 3.25x speedup with 4 computing nodes.Our study demonstrates that combining value flow analysis and parallel computing is a promising way to enable highly precise and efficient detection of memory vulnerabilities. For future work, we plan to integrate pointer analysis to support more complex codes, and optimize the granularity of parallelism to improve scalability. Overall, this paper presents a static analysis based method to address the inherent trade-off between precision and efficiency in memory vulnerability detection.

Rulin Xu,Xiaoguang Mao,Luohui Chen

DOI: https://doi.org/10.1109/apsec60848.2023.00035

2023-01-01

Abstract:Taint analysis of value flows, as a static analysis technique, has gained widespread application in the fields of software security and vulnerability mining. However, when dealing with complex programs, it still faces challenges in terms of precision and performance. This research proposes P-DATA, a parallel framework implementing dependency-aware taint analysis. P-DATA employs modeling to capture data and control dependencies, reducing false positives over tools like Clang Static Analyzer and SVF. To accelerate the analysis, P-DATA leverages a task-level parallel framework introducing Preemption of Computational Resources (PCR) and Asynchronous Taint Source Registration, lead to impressive scalability and efficiency. Evaluations demonstrate P-DATA's ability to significantly expedite taint analysis for large programs using multi-core resources, achieving over 25X speedup on 32 cores. P-DATA makes notable contributions by boosting precision, efficiency and scalability of security-critical program analysis through advanced dependency modeling and paral-lelization techniques. It provides an extensible high-performance framework benefiting static analysis advancement.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Rulin Xu,Xiaoguang Mao,Wei Xiao

DOI: https://doi.org/10.1109/CSECS60003.2023.10428132

2023-01-01

Abstract:C language programs are often subject to memory vulnerabilities, posing substantial security risks to software systems. Conventional detection techniques, rooted in static value-flow analysis, necessitate exhaustive searches across the entirety of value-flow graphs. This approach results in inefficient analyses of large-scale codes and presents difficulties in parallelization due to interdependent steps. In this study, we propose an innovative approach based on parallel graph summarization. This technique effectively transforms the computational bottleneck into a task that can be expedited in a parallel manner, leveraging multicore computation to significantly enhance the performance and scalability of vulnerability detection within <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$C$</tex> programs. We segment the value-flow graph of the program into multiple subgraphs, extracting summaries of three pivotal types of information from each subgraph: path summaries, guard summaries, and behaviour summaries. These summaries significantly stream-line subsequent vulnerability detection analyses. Moreover, we implement a task-level parallel technique to accelerate the graph summary process in a multicore environment. Notably, empirical results reveal that our method, while ensuring accuracy, achieves 2.7X-6.1X speedup compared to serial algorithms. When assessed against prevalent open-source detection tools, our approach demonstrates superior trade-offs between accuracy and efficiency. In conclusion, this research presents an efficient and effective strategy for vulnerability detection in larze-scale <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$C$</tex> programs.

Yu FU,Yi DENG,Xiao-Shan SUN,Liang CHENG,Yang ZHANG,Deng-Guo FENG

DOI: https://doi.org/10.11897/SP.J.1016.2018.00574

2018-01-01

Chinese Journal of Computers

Abstract:Null pointer dereference,which may allow attackers to bypass security logic or reveal sensitive information in operating system,is a common programming bug in C/C++ programs and therefore has been an important research subject in computer security.Many (automatic) analysis tools have been proposed to detect this bug.However,all these tools run on the source code.Many commercial softwares come with no source code,and these tools running on the source code cannot detect null pointer dereferences in them.Some null pointer dereference defects are introduced by the compiling configurations or the compiler's optimizations and the tools running on the source code cannot detect them as well.So it is necessary to develop tools that can detect null pointer dereference directly on the binaries.One advantage of null pointer dereference detection on the binaries is that the library code will be included in the analysis and the source code based detections usually use crafted summaries for the library function which may lower the precision and recall.In this paper,we present and implement NPtrChecker,the first analysis tool for null pointer dereferences detection,which accepts binary programs as inputs,outputs the location where null pointers come from,where dereferences occur and the corresponding path conditions.One difficulty of null pointer dereferences detection on the binaries is that the information about pointer type and structure type is missing in binaries.Without these information,the detection can have bad performance on accuracy.However,it is hard to recover the data structure definitions from the binaries.We propose a memory model to differentiate different fields of data structures without restoring the data structures and type information.This memory model is the basis of our field sensitive pointer analysis for null pointer dereference analysis.We continue to design a context sensitive dataflow analysis algorithm based on the function summary techniques,and the algorithm improves the precision of the analysis.To reduce false positives as many as possible,we also leverage weakest precondition to filter out the unreachable paths reported by dataflow analysis.The report will be removed if the path conditions from source to the sink that dereferences the pointer cannot be satisfied.We apply NPtrChecker to 11 programs in the SPEC2000 benchmark and 37 suspicious null pointer dereference defects are reported.Among them 22 reports are proved to be true defects by manual examinations.In contrast,the tool Saturn reports 92 defects and only 13 are true positive and LUKE reports 3 defects and only 2 are true positive.This shows that our method can detects more null pointer dereferences and keep the false positive at low level.

Bozhen Liu,Jeff Huang,Lawrence Rauchwerger

DOI: https://doi.org/10.1145/3293606

IF: 1.714

2019-03-31

ACM Transactions on Programming Languages and Systems

Abstract:Pointer analysis is at the heart of most interprocedural program analyses. However, scaling pointer analysis to large programs is extremely challenging. In this article, we study incremental pointer analysis and present a new algorithm for computing the points-to information incrementally (i.e., upon code insertion, deletion, and modification). Underpinned by new observations of incremental pointer analysis, our algorithm significantly advances the state of the art in that it avoids redundant computations and the expensive graph reachability analysis, and preserves precision as the corresponding whole program exhaustive analysis. Moreover, it is parallel within each iteration of fixed-point computation. We have implemented our algorithm, IPA, for Java based on the WALA framework and evaluated its performance extensively on real-world large, complex applications. Experimental results show that IPA achieves more than 200X speedups over existing incremental algorithms, two to five orders of magnitude faster than whole program pointer analysis, and also improves the performance of an incremental data race detector by orders of magnitude. Our IPA implementation is open source and has been adopted by WALA.

computer science, software engineering

Qingkai Shi,Xiao,Rongxin Wu,Jinguo Zhou,Gang Fan,Charles Zhang

DOI: https://doi.org/10.1145/3296979.3192418

2018-01-01

ACM SIGPLAN Notices

Abstract:When dealing with millions of lines of code, we still cannot have the cake and eat it: sparse value-flow analysis is powerful in checking source-sink problems, but existing work cannot escape from the “pointer trap” – a precise points-to analysis limits its scalability and an imprecise one seriously undermines its precision. We present Pinpoint, a holistic approach that decomposes the cost of high-precision points-to analysis by precisely discovering local data dependence and delaying the expensive inter-procedural analysis through memorization. Such memorization enables the on-demand slicing of only the necessary inter-procedural data dependence and path feasibility queries, which are then solved by a costly SMT solver. Experiments show that Pinpoint can check programs such as MySQL (around 2 million lines of code) within 1.5 hours. The overall false positive rate is also very low (14.3% - 23.6%). Pinpoint has discovered over forty real bugs in mature and extensively checked open source systems. And the implementation of Pinpoint and all experimental results are freely available.

Longming Dong,Wei Dong,Liqian Chen

DOI: https://doi.org/10.1109/SERE-C.2012.30

2012-01-01

Abstract:Invalid pointer dereferences, such as null pointer dereferences, dangling pointer dereferences and double frees, are a prevalent source of software bugs in CPS software, due to flexible dereferencing pointers along various pointer fields. Existing tools have high overhead or are incomplete, thereby limiting their efficiency in checking the kind of CPS software with shared and mutable memory. In this paper, we present a novel extended pointer structure for detecting all invalid pointer dereferences in this kind of CPS software. We propose an invalid pointer dereferences detection algorithm based on the uniform transformation of abstract heap states. Experimental evaluation about a set of large C benchmark programs shows that the proposed approach is sufficiently efficient in detecting invalid pointer dereferences of CPS software with shared and mutable memory.

Qian Wang,Dahai Jin,Yunzhan Gong

DOI: https://doi.org/10.1109/APSEC.2013.80

2013-01-01

Abstract:Null dereferences are commonly occurring bugs in programming languages such as C. In this paper, we present a novel approach that performs a backward dataflow analysis to detect null-dereference bugs. The technical innovation of our approach is that owing to aliasing predicates, it can perform strong updates in the presence of aliasing, thus eliminating false positives. The aliasing predicates are introduced on the premise of a canonical representation for the program being analyzed. Moreover, the other features of our approach also contribute to improve accuracy. We have implemented this approach, and give an evaluation of it on a set of open source benchmarks. The experimental results prove the effectiveness of our approach, and show that it is suitable for exploring large real programs with reasonable accuracy.

Dongfang Xie,Bihuan Chen,Kaifeng Huang,Yu Wang,Linghao Pan,Zhicheng Chen,Xin Peng

DOI: https://doi.org/10.1109/saner60148.2024.00093

2024-01-01

Abstract:Null pointer dereference raises Null Pointer Exceptions (NPEs). There are two groups of approaches to detect NPEs. Type-based approaches carry out strict type-based null safety checking. They heavily rely on annotations, and thus produce many false positives. Dataflow-based approaches leverage static forward and/or backward dataflow analysis. They mostly have a limited capability in tracking fields and interprocedural analysis, and introduce false positives and false negatives. To address these drawbacks, we propose Wheeljack to detect NPEs for Java. It does not rely on annotations, and hence can work effectively under a lack of annotations. It leverages our novel abstraction of nullness status to enhance field tracking, and our novel invocation analysis (capturing change to return value and side effect of an invocation) to enhance interprocedural analysis. Our evaluation on 28 Java projects has demonstrated that Wheeljack can mostly outperform the four state-of-the-art NPE detectors in recall without sacrificing precision. 5 and 2 new NPEs have been confirmed and fixed by developers after we submit 8 issues.

Qian Wang,Dahai Jin,Yunzhan Gong,Hongbo Zhou

DOI: https://doi.org/10.4304/jsw.8.12.3120-3131

2013-01-01

Abstract:Null dereference is a common occurring bug in programming languages such as C. In this paper, we propose a path-sensitive and context-sensitive approach that performs a backward dataflow analysis to identify null-dereference bugs. One novel feature of our approach is that with the help of aliasing predicates, it can perform strong updates in presence of aliasing, thus eliminating false positives. The aliasing predicates are introduced on the premise of a canonical representation for program being analyzed. Moreover, a context-sensitive algorithm for inter-procedural null-dereference analysis is also presented in this paper, which also contributes to improve accuracy. We have implemented this approach, and give an evaluation of it on a set of open source benchmarks. The experimental results verify the effectiveness of our approach, and show that it is suitable for exploring large real programs with reasonable accuracy.

Wensheng Tang,Dejun Dong,Shijie Li,Chengpeng Wang,Peisen Yao,Jinguo Zhou,Charles Zhang

DOI: https://doi.org/10.1145/3632743

IF: 3.685

2024-01-24

ACM Transactions on Software Engineering and Methodology

Abstract:Value-flow analysis is a fundamental technique in program analysis, benefiting various clients, such as memory corruption detection and taint analysis. However, existing efforts suffer from the low potential speedup that leads to a deficiency in scalability. In this work, we present a parallel algorithm Octopus to collect path conditions for realizable paths efficiently. Octopus builds on the realizability decomposition to collect the intraprocedural path conditions of different functions simultaneously on-demand and obtain realizable path conditions by concatenation, which achieves a high potential speedup in parallelization. We implement Octopus as a tool and evaluate it over 15 real-world programs. The experiment shows that Octopus significantly outperforms the state-of-the-art algorithms. Particularly, it detects NPD bugs for the project llvm with 6.3 MLoC within 6.9 minutes under the 40-thread setting. We also state and prove several theorems to demonstrate the soundness, completeness, and high potential speedup of Octopus . Our empirical and theoretical results demonstrate the great potential of Octopus in supporting various program analysis clients. The implementation has officially deployed at Ant Group, scaling the nightly code scan for massive FinTech applications.

computer science, software engineering

Mei Wang,Kun He,Jing Chen,Ruiying Du,Bingsheng Zhang,Zengpeng Li

DOI: https://doi.org/10.1016/j.future.2022.01.007

IF: 7.307

2022-01-01

Future Generation Computer Systems

Abstract:Privacy-preserving data aggregation is becoming a demanding necessity for many promising scenarios, e.g., health care analysis. Sensitive data are collected and aggregated in a privacy-preserving approach using current Internet of Things (IoT) technology, leading to immense challenge and consequent interest in developing secure computing algorithms for individual and organizational data. However, most existing solutions focus on specific evaluations (e.g., SUM), and they use heavy cryptographic techniques, which are far from practice for constrained IoT devices. The Trusted Execution Environment (TEE, implemented with Intel SGX) can assist in computing arbitrary functions and avoiding resource-consuming operations. Nevertheless, TEE is subject to several challenges because TEE is vulnerable to limited resource and even function violations, e.g., the attacker may bypass the boundary of TEE. In this paper, we propose a lightweight non-interactive privacy-preserving data aggregation scheme for resource-constrained devices, named PANDA, where TEE is introduced to bypass the trusted entities requirement and heavy overhead. Additionally, PANDA explores the certificate-aided function authorization to prevent leakage from unauthorized functions, and designs the public verifiable certificate management to detect the abnormal behaviors of the host to mitigate the external host compromise. We formalize PANDA with rigorous security analysis to indicate privacy protection against the compromised aggregator and analyst. The evaluation results show that PANDA has constant online communication cost and lightweight computation overhead for constrained devices, which is suitable for IoT applications.

Md. Fahim Sultan,Tasmin Karim,Md. Shazzad Hossain Shaon,Mohammad Wardat,Mst Shapna Akter

2024-11-30

Abstract:Software security is crucial in any field where breaches can exploit sensitive data, and lead to financial losses. As a result, vulnerability detection becomes an essential part of the software development process. One of the key steps in maintaining software integrity is identifying vulnerabilities in the source code before deployment. A security breach like CWE-476, which stands for NULL pointer dereferences (NPD), is crucial because it can cause software crashes, unpredictable behavior, and security vulnerabilities. In this scientific era, there are several vulnerability checkers, where, previous tools often fall short in analyzing specific feature connections of the source code, which weakens the tools in real-world scenarios. In this study, we propose another novel approach using a fine-tuned Large Language Model (LLM) termed "DeLLNeuN". This model leverages the advantage of various layers to reduce both overfitting and non-linearity, enhancing its performance and reliability. Additionally, this method provides dropout and dimensionality reduction to help streamline the model, making it faster and more efficient. Our model showed 87% accuracy with 88% precision using the Draper VDISC dataset. As software becomes more complex and cyber threats continuously evolve, the need for proactive security measures will keep growing. In this particular case, the proposed model looks promising to use as an early vulnerability checker in software development.

Software Engineering

Rong Gu,Zhiqiang Zuo,Xi Jiang,Han Yin,Zhaokang Wang,Linzhang Wang,Xuandong Li,Yihua Huang

DOI: https://doi.org/10.1109/tpds.2020.3036190

IF: 5.3

2020-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Static program analysis has been widely applied along the whole process of the program development for bug detection, code optimization, testing, etc. Although researchers have made significant work in static program analysis, it is still challenging to perform sophisticated interprocedural analysis on large-scale modern software. The underlying reason is that interprocedural analysis for large-scale modern software is highly computation- and memory-intensive, leading to poor efficiency and scalability. In this article, we introduce an efficient distributed and scalable solution for sophisticated static analysis. Specifically, we propose a data-parallel algorithm and a join-process-filter computation model for the CFL-reachability-based interprocedural analysis. Based on that, an efficient distributed static analysis engine called BigSpa is developed, which is composed of an offline batch static program analysis system and an online incremental static program analysis system. The BigSpa system has high generality and can support all kinds of static analysis tasks that can be expressed as CFL reachability problems. The performance of BigSpa is evaluated on real-world large-scale software datasets. Our experiments show that the offline batch system can exceed an order of magnitude compared with the most advanced analysis tools available on performance, and for incremental analysis with small batch updates on the same data sets, the online analysis system can achieve near real-time response, which is very fast and flexible.

GJ ZHU,L XIE,ZX SUN

DOI: https://doi.org/10.1145/219726.219744

1995-01-01

Abstract:This paper details parallelism detection in NUAPC[4], an automatically parallelizing compiler based on C++. Two kinds of parallelism, i.e. the inter- and intra-object parallelism, are introduced in NUAPC. The paper presents the method for seeking these parallelism based on the key structures Conflict Set and method Reference Vector, and proposes a new theoretical formation for expressing and performing data dependence analysis in object-oriented program paradigm. Data dependence involving inherited data and function members are also discussed.

Xiong Wei,Ming Hu,Tao Peng,Minghua Jiang,Zhiying Wang,Xiao Qin

DOI: https://doi.org/10.1007/s10586-017-1295-4

2017-01-01

Cluster Computing

Abstract:GPU’s powerful parallel processing capability has been highly recognized throughout the industry; however, GPU computing environments have not yet been widely used in the field of parallel computing. In this study, we develop a method of parallelization of serial programs for GPU computing. In particular, we propose an approach called PRODA to speedup parallel programs on GPUs through dependency analysis. PRODA provides theoretical underpins of task partitioning in parallel programs running in GPU computing environments. At the heart of PRODA is an analyzer for program workflows as well as data and function dependencies in a GPU program. With the dependency analysis in place, PRODA assigns computing tasks to multiple GPU cores in a way to speedup the performance of parallel program on GPUs. An overarching goal of PRODA is to minimize data communication cost between GPUs and main memory of a host CPU. PRODA achieves this goal by apply deploying two strategies. First, PRODA assigns functions processing the same data to a GPU core. Second, PRODA runs multiple independent functions on separate GPU cores. In doing so, PRODA improves the parallelism of parallel programs. We evaluate the performance of PRODA by running two popular benchmarks (i.e., AES and T26) on an 256-core system, where key length is set to 256 bits. The experimental results show that the speedup ratio of AES governed by PRODA is 5.2. Specifically, PRODA improves the performance of the existing CFM scheme by a factor of 1.39. To measure cost of parallel computing, we test PRODA and the alternative solutions by running AES under the 256-bit key length on 128 cores. The cost of parallel computing in PRODA is 524.8ms, which is 61.2% lower than that of the existing SA solution. The parallel efficiency of PRODA is 2.08, which represents an improvement of the PDM algorithm by a factor of 2.08.

G. Wang,Lei Wang

DOI: https://doi.org/10.1109/ICMSS.2011.5999219

2011-08-30

Abstract:Open source applications have flourished recent years. Meanwhile, security vulnerabilities in such applications have grown. Since manual code auditing is error-prone, time-consuming and costly, it is necessary to find automatic solutions. To address this problem we propose an approach that combines constraint-based analysis and model checking together. Model checking technology as a constraint solver can be employed to solve the constraint-based system. CodeAuditor, the prototype implementation of our methods, is targeted at detecting vulnerabilities in C source code. With this tool, 9 previously unknown vulnerabilities in two open source applications were discovered and the observed false positive rate was at around 29%.

Computer Science

Sam Estep,Jenna Wise,Jonathan Aldrich,Éric Tanter,Johannes Bader,Joshua Sunshine

DOI: https://doi.org/10.48550/arXiv.2105.06081

2021-07-15

Abstract:Static analysis tools typically address the problem of excessive false positives by requiring programmers to explicitly annotate their code. However, when faced with incomplete annotations, many analysis tools are either too conservative, yielding false positives, or too optimistic, resulting in unsound analysis results. In order to flexibly and soundly deal with partially-annotated programs, we propose to build upon and adapt the gradual typing approach to abstract-interpretation-based program analyses. Specifically, we focus on null-pointer analysis and demonstrate that a gradual null-pointer analysis hits a sweet spot, by gracefully applying static analysis where possible and relying on dynamic checks where necessary for soundness. In addition to formalizing a gradual null-pointer analysis for a core imperative language, we build a prototype using the Infer static analysis framework, and present preliminary evidence that the gradual null-pointer analysis reduces false positives compared to two existing null-pointer checkers for Infer. Further, we discuss ways in which the gradualization approach used to derive the gradual analysis from its static counterpart can be extended to support more domains. This work thus provides a basis for future analysis tools that can smoothly navigate the tradeoff between human effort and run-time overhead to reduce the number of reported false positives.

Programming Languages