research-article

Spatio-temporal context reduction: a pointer-analysis-based static approach for detecting use-after-free vulnerabilities

Authors:
Hua Yan

University of New South Wales, Australia

University of New South Wales, Australia
View Profile

,
Yulei Sui

University of Technology Sydney, Australia

University of Technology Sydney, Australia
View Profile

,
Shiping Chen

Data61, CSIRO, Australia

Data61, CSIRO, Australia
View Profile

,
Jingling Xue

University of New South Wales, Australia

University of New South Wales, Australia
View Profile

ICSE '18: Proceedings of the 40th International Conference on Software EngineeringMay 2018Pages 327–337https://doi.org/10.1145/3180155.3180178

Published:27 May 2018Publication History

ICSE '18: Proceedings of the 40th International Conference on Software Engineering

Pages 327–337

ABSTRACT

Zero-day Use-After-Free (UAF) vulnerabilities are increasingly popular and highly dangerous, but few mitigations exist. We introduce a new pointer-analysis-based static analysis, CRed, for finding UAF bugs in multi-MLOC C source code efficiently and effectively. CRed achieves this by making three advances: (i) a spatio-temporal context reduction technique for scaling down soundly and precisely the exponential number of contexts that would otherwise be considered at a pair of free and use sites, (ii) a multi-stage analysis for filtering out false alarms efficiently, and (iii) a path-sensitive demand-driven approach for finding the points-to information required.

We have implemented CRed in LLVM-3.8.0 and compared it with four different state-of-the-art static tools: CBMC (model checking), Clang (abstract interpretation), Coccinelle (pattern matching), and Supa (pointer analysis) using all the C test cases in Juliet Test Suite (JTS) and 10 open-source C applications. For the ground-truth validated with JTS, CRed detects all the 138 known UAF bugs as CBMC and Supa do while Clang and Coccinelle miss some bugs, with no false alarms from any tool. For practicality validated with the 10 applications (totaling 3+ MLOC), CRed reports 132 warnings including 85 bugs in 7.6 hours while the existing tools are either unscalable by terminating within 3 days only for one application (CBMC) or impractical by finding virtually no bugs (Clang and Coccinelle) or issuing an excessive number of false alarms (Supa).

References

Juliet Test Suite 1.2. https://samate.nist.gov/SRD/testsuite.php.Google Scholar
Periklis Akritidis. 2010. Cling: A memory allocator to mitigate dangling pointers. In USENIX Security'10. 177--192. Google ScholarDigital Library
Clang Static Analyzer. http://clang-analyzer.llvm.org/.Google Scholar
Lars Ole Andersen. 1994. Program analysis and specialization for the C programming language. Ph.D. Dissertation. DIKU, University of Copenhagen.Google Scholar
George Balatsouras and Yannis Smaragdakis. 2016. Structure-Sensitive Points-To Analysis for C and C++. In SAS'16. 84--104.Google ScholarCross Ref
Thomas Ball and Sriram K Rajamani. 2002. The SLAM project: Debugging system software via static analysis. In POPL'02. 1--3. Google ScholarDigital Library
Emery D. Berger and Benjamin G. Zorn. 2006. DieHard: Probabilistic memory safety for unsafe languages. In PLDI'06. 158--168. Google ScholarDigital Library
Dirk Beyer, Thomas A Henzinger, Ranjit Jhala, and Rupak Majumdar. 2007. The software model checker Blast. International Journal on Software Tools for Technology Transfer 9, 5--6 (2007), 505--525. Google ScholarDigital Library
Derek Bruening and Qin Zhao. 2011. Practical memory checking with Dr. Memory. In CGO'11. 213--223. Google ScholarDigital Library
Juan Caballero, Gustavo Grieco, Mark Marron, and Antonio Nappa. 2012. Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities. In ISSTA'12. 133--143. Google ScholarDigital Library
Sigmund Cherem, Lonnie Princehouse, and Radu Rugina. 2007. Practical memory leak detection using guarded value-flow analysis. In PLDI'07. 480--491. Google ScholarDigital Library
Thurston HY Dang, Petros Maniatis, and David Wagner. 2017. Oscar: A practical page-permissions-based scheme for thwarting dangling pointers. In USENIX Security'17. 815--832. Google ScholarDigital Library
Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In TACAS'08. 337--340. Google ScholarDigital Library
Isil Dillig, Thomas Dillig, and Alex Aiken. 2008. Sound, complete and scalable path-sensitive analysis. In PLDI'08. 270--280. Google ScholarDigital Library
Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. 2015. Control Jujutsu: On the weaknesses of fine-grained control flow integrity. In CCS'15. 901--913. Google ScholarDigital Library
Manuel Fähndrich and Francesco Logozzo. 2010. Static contract checking with abstract interpretation. In FoVeOOS'10. 10--30. Google ScholarDigital Library
Xiaokang Fan, Yulei Sui, Xiangke Liao, and Jingling Xue. 2017. Boosting the Precision of Virtual Call Integrity Protection with Partial Pointer Analysis for C++. In ISSTA'17. 329--340. Google ScholarDigital Library
Josselin Feist, Laurent Mounier, and Marie-Laure Potet. 2014. Statically detecting use after free on binary code. Journal of Computer Virology and Hacking Techniques 10, 3 (2014), 211--217.Google ScholarCross Ref
Ben Hardekopf and Calvin Lin. 2011. Flow-sensitive pointer analysis for millions of lines of code. In CGO'11. 289--298. Google ScholarDigital Library
Nevin Heintze and Olivier Tardieu. 2001. Demand-Driven Pointer Analysis. In PLDI'01. 24--34. Google ScholarDigital Library
Julien Julien Bertrane, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, and Xavier Rival. 2011. Static analysis by abstract interpretation of embedded critical software. ACM SIGSOFT Software Engineering Notes 36, 1 (2011), 1--8. Google ScholarDigital Library
Daniel Kroening and Michael Tautschnig. 2014. CBMC-C Bounded model checker. In TACAS'14. 389--391.Google ScholarCross Ref
William Landi and Barbara G Ryder. 1992. A safe approximate algorithm for interprocedural aliasing. In PLDI'92. 235--248. Google ScholarDigital Library
Wei Le and Mary Lou Soffa. 2008. Marple: A demand-driven path-sensitive buffer overflow detector. In FSE'08. 272--282. Google ScholarDigital Library
Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, and Wenke Lee. 2015. Preventing use-after-free with dangling pointers nullification.. In NDSS'15.Google ScholarCross Ref
Ondrej Lhoták and Kwok-Chiang Andrew Chung. 2011. Points-to analysis with efficient strong updates. In POPL'11. 3--16. Google ScholarDigital Library
Lian Li, Cristina Cifuentes, and Nathan Keynes. 2010. Practical and effective symbolic analysis for buffer overflow detection. In FSE'10. 317--326. Google ScholarDigital Library
Lian Li, Cristina Cifuentes, and Nathan Keynes. 2011. Boosting the performance of flow-sensitive points-to analysis using value flow. In FSE'11. 343--353. Google ScholarDigital Library
Ravichandhran Madhavan and Raghavan Komondoor. 2011. Null dereference verification via over-approximated weakest pre-conditions analysis. In OOSPLA'11. 1033--1052. Google ScholarDigital Library
Santosh Nagarakatte, Jianzhou Zhao, Milo MK Martin, and Steve Zdancewic. 2010. CETS: Compiler enforced temporal safety for C. In ISMM'10. 31--40. Google ScholarDigital Library
Nicholas Nethercote and Julian Seward. 2007. Valgrind: A framework for heavyweight dynamic binary instrumentation. In PLDI '07. 89--100. Google ScholarDigital Library
Gene Novark and Emery D Berger. 2010. DieHarder: Securing the heap. In CCS'10. 573--584. Google ScholarDigital Library
Mads Chr Olesen, René Rydhof Hansen, Julia L Lawall, and Nicolas Palix. 2014. Coccinelle: Tool support for automated CERT C secure coding standard certification. Science of Computer Programming 91 (2014), 141--160.Google ScholarCross Ref
Thomas Reps, Susan Horwitz, and Mooly Sagiv. 1995. Precise interprocedural dataflow analysis via graph reachability. In POPL'95. 49--61. Google ScholarDigital Library
Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In USENIX ATC'12. 309--318. Google ScholarDigital Library
Lei Shang, Xinwei Xie, and Jingling Xue. 2012. On-demand dynamic summary-based points-to analysis. In CGO'12. 264--274. Google ScholarDigital Library
Fabio Somenzi. CUDD: CU Decision Diagram Package (3.0.0). http://vlsi.colorado.edu/~fabio/CUDD/cudd.pdf.Google Scholar
Johannes Späth, Lisa Nguyen Quang Do, Karim Ali, and Eric Bodden. 2016. Boomerang: Demand-driven flow-and context-sensitive pointer analysis for Java. In ECOOP'16. 22:1--22:26.Google Scholar
Manu Sridharan and Rastislav Bodík. 2006. Refinement-based context-sensitive points-to analysis for Java. In PLDI'16. 387--400. Google ScholarDigital Library
Yulei Sui, Peng Di, and Jingling Xue. 2016. Sparse flow-sensitive pointer analysis for multithreaded programs. In CGO'16. 160--170. Google ScholarDigital Library
Yulei Sui, Yue Li, and Jingling Xue. 2013. Query-directed adaptive heap cloning for optimizing compilers. In CGO'13. 1--11. Google ScholarDigital Library
Yulei Sui and Jingling Xue. 2016. On-demand strong update analysis via value-flow refinement. In FSE'16. 460--473. Google ScholarDigital Library
Yulei Sui and Jingling Xue. 2016. SVF: Interprocedural static value-flow analysis in LLVM. https://github.com/unsw-corg/SVF. In CC'16. 265--266. Google ScholarDigital Library
Yulei Sui, Ding Ye, and Jingling Xue. 2012. Static memory leak detection using full-sparse value-flow analysis. In ISSTA'12. 254--264. Google ScholarDigital Library
Yulei Sui, Ding Ye, and Jingling Xue. 2014. Detecting memory leaks statically with full-sparse value-flow analysis. IEEE Transactions on Software Engineering 40, 2 (2014), 107--122. Google ScholarDigital Library
Yulei Sui, Sen Ye, Jingling Xue, and Pen-Chung Yew. 2011. SPAS: Scalable Path-Sensitive Pointer Analysis on Full-Sparse SSA. In APLAS'11. 155--171. Google ScholarDigital Library
Erik van der Kouwe, Vinod Nigade, and Cristiano Giuffrida. 2017. DangSan: Scalable use-after-free detection.. In EuroSys'17. 405--419. Google ScholarDigital Library
Kostyantyn Vorobyov and Padmanabhan Krishnan. 2010. Comparing model checking and static program analysis: A case study in error detection approaches. In SSV'10. 1--7.Google Scholar
National vulnerability database. http://nvd.nist.gov/.Google Scholar
Yichen Xie and Alex Aiken. 2007. Saturn: A scalable framework for error detection using boolean satisfiability. ACM Transactions on Programming Languages and Systems 29, 3 (2007), 16. Google ScholarDigital Library
Wei Xu, Daniel C DuVarney, and R Sekar. 2004. An efficient and backwards-compatible transformation to ensure memory safety of C programs. In FSE'12. 117--126. Google ScholarDigital Library
Sen Ye, Yulei Sui, and Jingling Xue. 2014. Region-based selective flow-sensitive pointer analysis. In SAS'14. 319--336.Google ScholarCross Ref
Yves Younan. 2015. FreeSentry: Protecting against use-after-free vulnerabilities due to dangling pointers. In NDSS'15.Google ScholarCross Ref
Hongtao Yu, Jingling Xue, Wei Huo, Xiaobing Feng, and Zhaoqing Zhang. 2010. Level by level: Making flow-and context-sensitive pointer analysis scalable for millions of lines of code. In CGO'10. 218--229. Google ScholarDigital Library
Jianzhou Zhao, Santosh Nagarakatte, Milo M.K. Martin, and Steve Zdancewic. 2012. Formalizing the LLVM intermediate representation for verified program transformations. In POPL'12. 427--440. Google ScholarDigital Library
Xin Zheng and Radu Rugina. 2008. Demand-driven alias analysis for C. In POPL'08. 197--208. Google ScholarDigital Library

Index Terms

Spatio-temporal context reduction: a pointer-analysis-based static approach for detecting use-after-free vulnerabilities

Recommendations

Machine-Learning-Guided Typestate Analysis for Static Use-After-Free Detection
ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications Conference

Typestate analysis relies on pointer analysis for detecting temporal memory safety errors, such as use-after-free (UAF). For large programs, scalable pointer analysis is usually imprecise in analyzing their hard "corner cases", such as infeasible paths, ...
Read More
Tracking pointers with path and context sensitivity for bug detection in C programs

This paper proposes a pointer alias analysis for automatic error detection. State-of-the-art pointer alias analyses are either too slow or too imprecise for finding errors in real-life programs. We propose a hybrid pointer analysis that tracks actively ...
Read More
Interprocedural pointer alias analysis

We present practical approximation methods for computing and representing interprocedural aliases for a program written in a language that includes pointers, reference parameters, and recursion. We present the following contributions: (1) a framework ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ICSE '18: Proceedings of the 40th International Conference on Software Engineering
May 2018
1307 pages
ISBN:9781450356381
DOI:10.1145/3180155
Conference Chair:
Michel Chaudron
Chalmers University of Technology, University of Gothenburg, Sweden
,
General Chair:
Ivica Crnkovic
Chalmers University of Technology, University of Gothenburg, Sweden
,
Program Chairs:
Marsha Chechik
University of Toronto, Canada
,
Mark Harman
Facebook and University College London, United Kingdom
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 May 2018
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Badges
- Distinguished Paper
Author Tags
bug detection
program analysis
use-after-free
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate276of1,856submissions,15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 50
  Total Citations
  View Citations
- 428
  Total Downloads
- Downloads (Last 12 months)60
- Downloads (Last 6 weeks)8
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Spatio-temporal context reduction: a pointer-analysis-based static approach for detecting use-after-free vulnerabilities

ICSE '18: Proceedings of the 40th International Conference on Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Machine-Learning-Guided Typestate Analysis for Static Use-After-Free Detection

Tracking pointers with path and context sensitivity for bug detection in C programs

Interprocedural pointer alias analysis