Spatio-temporal context reduction a pointer-analysis-based static approach for detecting use-after-free vulnerabilities

Zero-day Use-After-Free (UAF) vulnerabilities are increasingly popular and highly dangerous, but few mitigations exist. We introduce a new pointer-analysis-based static analysis, CRed, for finding UAF bugs in multi-MLOC C source code efficiently and effectively. CRed achieves this by making three ad...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE) s. 327 - 337
Hlavní autori: Yan, Hua, Sui, Yulei, Chen, Shiping, Xue, Jingling
Médium: Konferenčný príspevok..
Jazyk:English
Vydavateľské údaje: New York, NY, USA ACM 27.05.2018
Edícia:ACM Conferences
Predmet:
Australia
bug detection
Computer bugs
Correlation
Pattern matching
program analysis
Security and privacy > Software and application security
Software
Software and its engineering > Software creation and management > Software verification and validation > Software defect analysis
Static analysis
Theory of computation > Semantics and reasoning > Program reasoning > Program analysis
use after free
use-after-free
program analysis
bug detection
ISBN:9781450356381, 1450356389
ISSN:1558-1225
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:Zero-day Use-After-Free (UAF) vulnerabilities are increasingly popular and highly dangerous, but few mitigations exist. We introduce a new pointer-analysis-based static analysis, CRed, for finding UAF bugs in multi-MLOC C source code efficiently and effectively. CRed achieves this by making three advances: (i) a spatio-temporal context reduction technique for scaling down soundly and precisely the exponential number of contexts that would otherwise be considered at a pair of free and use sites, (ii) a multi-stage analysis for filtering out false alarms efficiently, and (iii) a path-sensitive demand-driven approach for finding the points-to information required. We have implemented CRed in LLVM-3.8.0 and compared it with four different state-of-the-art static tools: CBMC (model checking), Clang (abstract interpretation), Coccinelle (pattern matching), and Supa (pointer analysis) using all the C test cases in Juliet Test Suite (JTS) and 10 open-source C applications. For the ground-truth validated with JTS, CRed detects all the 138 known UAF bugs as CBMC and Supa do while Clang and Coccinelle miss some bugs, with no false alarms from any tool. For practicality validated with the 10 applications (totaling 3+ MLOC), CRed reports 132 warnings including 85 bugs in 7.6 hours while the existing tools are either unscalable by terminating within 3 days only for one application (CBMC) or impractical by finding virtually no bugs (Clang and Coccinelle) or issuing an excessive number of false alarms (Supa).
ISBN:9781450356381
1450356389
ISSN:1558-1225
DOI:10.1145/3180155.3180178