Abstract
We address the problem of verifying the temporal safety of heap memory at each pointer dereference. Our whole-program analysis approach is undertaken from the perspective of pointer analysis, allowing us to leverage the advantages of and advances in pointer analysis to improve precision and scalability. A dereference \(\omega \), say, via pointer q is unsafe iff there exists a deallocation \(\psi \), say, via pointer p such that on a control-flow path \(\rho \), p aliases with q (with both pointing to an object o representing an allocation), denoted , and \(\psi \) reaches \(\omega \) on \(\rho \) via control flow, denoted . Applying directly any existing pointer analysis, which is typically solved separately with an associated control-flow reachability analysis, will render such verification highly imprecise, since (i.e., \(\exists \) does not distribute over \(\wedge \)). For precision, we solve , with a control-flow path \(\rho \) containing an allocation o, a deallocation \(\psi \) and a dereference \(\omega \) abstracted by a tuple of three contexts . For scalability, a demand-driven full context-sensitive (modulo recursion) pointer analysis, which operates on pre-computed def-use chains with adaptive context-sensitivity, is used to infer , without losing soundness or precision. Our evaluation shows that our approach can successfully verify the safety of 81.3% (or \(\frac{93,141}{114,508}\)) of all the dereferences in a set of ten C programs totalling 1,166 KLOC.
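The abstract's central precision argument is that "exists a path" does not distribute over "and": a pointer analysis that reports p may alias q on some path, combined with a reachability analysis that reports the free may precede the dereference on some path, can flag a dereference as unsafe even when no single path exhibits both facts. The following toy checker is an added example, not the paper's analysis or code: it models each control-flow path \(\rho \) as a straight-line statement list (one object per variable per path, no calling contexts, no loops), and compares the per-path check (\(\exists \rho \). alias \(\wedge \) reach) against the two existentials solved separately. The statement encoding, the object names o1/o2 and the two constructed programs are assumptions made for the illustration.

```python
"""Constructed illustration (not the paper's analysis) of per-path
(alias AND reach) checking versus solving alias and reach separately."""
from typing import Dict, List, Optional, Tuple

# A statement is (id, kind, *operands):
#   (id, "alloc", var, obj)  var = malloc(...)  -> var points to allocation obj
#   (id, "copy",  dst, src)  dst = src
#   (id, "free",  var)       free(var)          -> a deallocation site psi
#   (id, "deref", var)       *var               -> a dereference site omega
Stmt = Tuple[str, ...]
Path = List[Stmt]


def points_to_before(path: Path) -> List[Dict[str, str]]:
    """Points-to environment in force just before each statement on one path."""
    env: Dict[str, str] = {}
    envs: List[Dict[str, str]] = []
    for stmt in path:
        envs.append(dict(env))
        if stmt[1] == "alloc":
            env[stmt[2]] = stmt[3]
        elif stmt[1] == "copy":
            env[stmt[2]] = env[stmt[3]]
    return envs


def locate(path: Path, sid: str) -> Optional[int]:
    """Index of statement `sid` on this path, or None if the path never visits it."""
    for i, stmt in enumerate(path):
        if stmt[0] == sid:
            return i
    return None


def aliases_on(path: Path, psi: str, omega: str) -> bool:
    """p (freed at psi) and q (dereferenced at omega) point to the same object on this path."""
    i, j = locate(path, psi), locate(path, omega)
    if i is None or j is None:
        return False
    envs = points_to_before(path)
    p, q = path[i][2], path[j][2]
    return p in envs[i] and q in envs[j] and envs[i][p] == envs[j][q]


def reaches_on(path: Path, psi: str, omega: str) -> bool:
    """The deallocation psi precedes the dereference omega on this path."""
    i, j = locate(path, psi), locate(path, omega)
    return i is not None and j is not None and i < j


def unsafe_per_path(paths: List[Path], psi: str, omega: str) -> bool:
    """exists rho . (alias_rho AND reach_rho): both facts witnessed by the same path."""
    return any(aliases_on(r, psi, omega) and reaches_on(r, psi, omega) for r in paths)


def unsafe_separately(paths: List[Path], psi: str, omega: str) -> bool:
    """(exists rho . alias_rho) AND (exists rho' . reach_rho'): the two analyses
    solved independently, so the witnesses may be different paths."""
    return (any(aliases_on(r, psi, omega) for r in paths)
            and any(reaches_on(r, psi, omega) for r in paths))


# Constructed program 1 (safe): the separate check still reports it unsafe.
#   s1: p = malloc()   s2: q = malloc()
#   if (...) { s3: q = p; s4: *q; s5: free(p); }  else { s5: free(p); s4: *q; }
S1 = ("s1", "alloc", "p", "o1")
S2 = ("s2", "alloc", "q", "o2")
S3 = ("s3", "copy", "q", "p")
S4 = ("s4", "deref", "q")   # omega
S5 = ("s5", "free", "p")    # psi
SAFE_PATHS: List[Path] = [
    [S1, S2, S3, S4, S5],   # rho_1: p and q alias on o1, but free(p) comes after *q
    [S1, S2, S5, S4],       # rho_2: free(p) reaches *q, but q still points to o2
]

# Constructed program 2: a genuine use-after-free on one path.
UAF_PATHS: List[Path] = [
    [S1, S2, S3, S5, S4],   # rho_3: q = p, free(p), then *q
    [S1, S2, S4],           # rho_4: harmless
]

if __name__ == "__main__":
    print("program 1 per-path:", unsafe_per_path(SAFE_PATHS, "s5", "s4"))    # False
    print("program 1 separate:", unsafe_separately(SAFE_PATHS, "s5", "s4"))  # True (spurious)
    print("program 2 per-path:", unsafe_per_path(UAF_PATHS, "s5", "s4"))     # True
```

Program 1 is exactly the situation the abstract describes: one path provides the alias witness and a different path provides the reachability witness, so the separately solved check raises a spurious report while the per-path check verifies the dereference as safe. Program 2 shows that the per-path check still catches a real use-after-free. The paper replaces explicit path enumeration, which does not scale, by abstracting each path as a tuple of three contexts (for the allocation, the deallocation and the dereference), which this toy does not model.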
Acknowledgement
We would like to thank the anonymous reviewers for their valuable comments. This research is supported by an Australian Research Grant DP180104169.
© 2019 Springer Nature Switzerland AG
Cite this paper
Yan, H., Chen, S., Sui, Y., Zhang, Y., Zou, C., Xue, J. (2019). Per-Dereference Verification of Temporal Heap Safety via Adaptive Context-Sensitive Analysis. In: Chang, BY. (eds) Static Analysis. SAS 2019. Lecture Notes in Computer Science(), vol 11822. Springer, Cham. https://doi.org/10.1007/978-3-030-32304-2_4
DOI: https://doi.org/10.1007/978-3-030-32304-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32303-5
Online ISBN: 978-3-030-32304-2