
Per-Dereference Verification of Temporal Heap Safety via Adaptive Context-Sensitive Analysis

Conference paper: Static Analysis (SAS 2019)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 11822)


Abstract

We address the problem of verifying the temporal safety of heap memory at each pointer dereference. Our whole-program analysis approach is undertaken from the perspective of pointer analysis, allowing us to leverage the advantages of and advances in pointer analysis to improve precision and scalability. A dereference \(\omega \), say, via pointer q is unsafe iff there exists a deallocation \(\psi \), say, via pointer p such that on a control-flow path \(\rho \),p aliases with q (with both pointing to an object o representing an allocation), denoted , and \(\psi \) reaches \(\omega \) on \(\rho \) via control flow, denoted . Applying directly any existing pointer analysis, which is typically solved separately with an associated control-flow reachability analysis, will render such verification highly imprecise, since (i.e., \(\exists \) does not distribute over \(\wedge \)). For precision, we solve , with a control-flow path \(\rho \) containing an allocation o, a deallocation \(\psi \) and a dereference \(\omega \) abstracted by a tuple of three contexts . For scalability, a demand-driven full context-sensitive (modulo recursion) pointer analysis, which operates on pre-computed def-use chains with adaptive context-sensitivity, is used to infer , without losing soundness or precision. Our evaluation shows that our approach can successfully verify the safety of 81.3% (or \(\frac{93,141}{114,508}\)) of all the dereferences in a set of ten C programs totalling 1,166 KLOC.
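The abstract's central point is that solving aliasing and control-flow reachability separately asks a weaker question than solving them on the same path. The following is an added illustration, not code from the paper: it enumerates the concrete control-flow paths of a small constructed program (rather than the paper's abstraction of each path as a tuple of three contexts inferred by pointer analysis) and evaluates both formulations on them; all event names, pointer names and object names are constructed.

```python
# Added illustration (not from the paper): a constructed path-trace model of the
# abstract's verification condition, checking the decoupled and per-path formulations.

def path_facts(events, p, q):
    """Facts for one control-flow path rho, given as a list of events.

    alias  : p and q point to the same object o somewhere on rho
    reach  : a free(p) (psi) precedes a dereference of q (omega) on rho
    unsafe : the object q dereferences was already freed on rho (a real UAF)
    """
    pts, freed = {}, set()          # pointer -> object, objects freed so far
    alias = reach = unsafe = freed_p = False
    for ev in events:
        if ev[0] == "alloc":        # ("alloc", ptr, obj): ptr = malloc() -> obj
            pts[ev[1]] = ev[2]
        elif ev[0] == "assign":     # ("assign", dst, src): dst = src
            pts[ev[1]] = pts[ev[2]]
        elif ev[0] == "free":       # ("free", ptr): free(ptr)
            freed.add(pts[ev[1]])
            freed_p = freed_p or ev[1] == p
        elif ev[0] == "deref" and ev[1] == q:   # ("deref", ptr): *ptr
            reach = reach or freed_p
            unsafe = unsafe or pts[q] in freed
        if p in pts and pts[p] == pts.get(q):
            alias = True
    return alias, reach, unsafe

def unsafe_decoupled(paths, p, q):
    """(exists rho: alias) and (exists rho': reach), solved separately."""
    facts = [path_facts(ev, p, q) for ev in paths]
    return any(a for a, _, _ in facts) and any(r for _, r, _ in facts)

def unsafe_per_path(paths, p, q):
    """exists rho: alias and reach on the same rho (the paper's formulation)."""
    return any(a and r for a, r, _ in (path_facts(ev, p, q) for ev in paths))

# Constructed C-like program, enumerated as its two feasible paths:
#   p = malloc(); if (flag) q = p; else q = malloc(); if (!flag) free(p); *q = 1;
SAFE_PATHS = [
    [("alloc", "p", "o1"), ("assign", "q", "p"), ("deref", "q")],                  # flag
    [("alloc", "p", "o1"), ("alloc", "q", "o2"), ("free", "p"), ("deref", "q")],   # !flag
]
# Constructed genuine use-after-free: p = malloc(); q = p; free(p); *q = 1;
UAF_PATHS = [
    [("alloc", "p", "o1"), ("assign", "q", "p"), ("free", "p"), ("deref", "q")],
]

if __name__ == "__main__":
    for name, paths in (("safe", SAFE_PATHS), ("uaf", UAF_PATHS)):
        print(name, "decoupled:", unsafe_decoupled(paths, "p", "q"),
              "per-path:", unsafe_per_path(paths, "p", "q"))
```

On the safe program the decoupled check reports the dereference as unsafe (alias on one path, reachability on the other), while the per-path check verifies it; on the genuine use-after-free both report it.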



Acknowledgement

We would like to thank the anonymous reviewers for their valuable comments. This research is supported by an Australian Research Grant DP180104169.

Corresponding authors

Correspondence to Hua Yan, Changwei Zou or Jingling Xue.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Yan, H., Chen, S., Sui, Y., Zhang, Y., Zou, C., Xue, J. (2019). Per-Dereference Verification of Temporal Heap Safety via Adaptive Context-Sensitive Analysis. In: Chang, B.-Y. (ed.) Static Analysis. SAS 2019. Lecture Notes in Computer Science, vol. 11822. Springer, Cham. https://doi.org/10.1007/978-3-030-32304-2_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-32304-2_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-32303-5

  • Online ISBN: 978-3-030-32304-2
