Abstract
Pointer and taint analyses are the building blocks for several other static analysis techniques. Unfortunately, these analyses frequently sacrifice precision in favor of scalability by over-approximating program behaviors. Scaling them to real-world codebases written in memory-unsafe languages while retaining precision within practical time and resource budgets is an open problem.
In this paper, we present a novel technique called hybrid pruning, in which we inject the information collected from a program's dynamic trace, which is exact for the executions it observes, into a static pointer or taint analysis to improve its precision. We also tackle the challenge of combining static and dynamic analyses, which operate in two different analysis domains, so that the two can be interleaved. Finally, we show the usefulness of our approach by reducing the false positives emitted by a static vulnerability detector that consumes the improved points-to and taint information. On our dataset of 12 CGC and 8 real-world applications, our hybrid approach reduces the number of warnings by up to 21% compared with vanilla static analysis, while still reporting 19 of the 20 bugs in total.
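As an added illustration of the idea in the abstract, and not code from the paper or its artifact, the toy below runs a flow-insensitive (Andersen-style) points-to analysis over a small pointer IR, feeds its sets into a forward taint pass, and then reruns the taint pass with per-statement points-to facts taken from a constructed dynamic trace. The IR, the program, the trace format and the pruning rule (trust the trace where it observed a dereference, fall back to the static set elsewhere) are all assumptions made for this example.

```python
"""Toy hybrid pruning: static points-to sets refined by dynamic trace facts.
Illustration only; not the paper's implementation."""
from collections import defaultdict

# Straight-line IR. Names denote variables or abstract memory objects.
#   ("addr",   p, x)  p = &x
#   ("copy",   p, q)  p = q
#   ("load",   p, q)  p = *q
#   ("store",  p, q)  *p = q
#   ("source", v)     v = untrusted input
#   ("const",  v)     v = constant
#   ("sink",   v)     security-sensitive use of v
PROGRAM = [  # constructed sample program
    ("addr",   "p", "a"),   # 0: p = &a
    ("source", "t"),        # 1: t = read_input()
    ("store",  "p", "t"),   # 2: *p = t        -> a is tainted
    ("addr",   "p", "b"),   # 3: p = &b
    ("const",  "z"),        # 4: z = 0
    ("store",  "p", "z"),   # 5: *p = z        -> b stays clean
    ("addr",   "q", "b"),   # 6: q = &b
    ("load",   "v", "q"),   # 7: v = *q
    ("sink",   "v"),        # 8: use(v)        -> clean in every real run
    ("addr",   "r", "a"),   # 9: r = &a
    ("load",   "w", "r"),   # 10: w = *r
    ("sink",   "w"),        # 11: use(w)       -> genuine taint flow
]

# Constructed dynamic trace: (statement index, pointer, object it held) at
# each dereference, as an instrumentation pass could record it at runtime.
TRACE = [(2, "p", "a"), (5, "p", "b"), (7, "q", "b"), (10, "r", "a")]


def andersen(stmts):
    """Inclusion-based, flow-insensitive points-to sets, iterated to a fixpoint.
    Flow-insensitivity merges both assignments to p, so p -> {a, b}."""
    pts = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for stmt in stmts:
            op = stmt[0]
            if op == "addr":
                updates = [(stmt[1], {stmt[2]})]
            elif op == "copy":
                updates = [(stmt[1], set(pts[stmt[2]]))]
            elif op == "load":
                updates = [(stmt[1], set().union(*(pts[o] for o in list(pts[stmt[2]]))))]
            elif op == "store":
                updates = [(o, set(pts[stmt[2]])) for o in list(pts[stmt[1]])]
            else:
                continue
            for target, new in updates:
                if not new <= pts[target]:
                    pts[target] |= new
                    changed = True
    return {k: set(v) for k, v in pts.items() if v}


def index_trace(trace):
    """Group trace records by (statement index, pointer)."""
    facts = defaultdict(set)
    for idx, ptr, obj in trace:
        facts[(idx, ptr)].add(obj)
    return facts


def pts_at(static_pts, trace_facts, idx, ptr):
    """Hybrid view of a dereference: the trace's observed targets if it saw
    this (statement, pointer) pair, otherwise the static over-approximation."""
    observed = trace_facts.get((idx, ptr))
    return observed if observed else static_pts.get(ptr, set())


def taint_warnings(stmts, static_pts, trace=()):
    """Forward taint pass over the IR; returns the indices of sinks that
    receive tainted data. With trace=() this is the vanilla static result."""
    facts = index_trace(trace)
    tainted, warnings = set(), []
    for idx, stmt in enumerate(stmts):
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "const":
            tainted.discard(stmt[1])
        elif op == "copy":
            tainted.add(stmt[1]) if stmt[2] in tainted else tainted.discard(stmt[1])
        elif op == "store":
            # Weak update: a clean store never clears taint on abstract objects.
            if stmt[2] in tainted:
                tainted |= set(pts_at(static_pts, facts, idx, stmt[1]))
        elif op == "load":
            objs = pts_at(static_pts, facts, idx, stmt[2])
            tainted.add(stmt[1]) if objs & tainted else tainted.discard(stmt[1])
        elif op == "sink" and stmt[1] in tainted:
            warnings.append(idx)
    return warnings


if __name__ == "__main__":
    static = andersen(PROGRAM)
    print("static points-to:", static)
    print("vanilla static warnings:", taint_warnings(PROGRAM, static))
    print("hybrid-pruned warnings: ", taint_warnings(PROGRAM, static, TRACE))
```

Vanilla static analysis flags both sinks because the merged set p -> {a, b} lets the tainted store at statement 2 reach b; with the trace fact that p held only a at that store, the false positive at statement 8 disappears while the genuine flow to statement 11 is still reported. The pruning rule only replaces static facts where the trace actually observed the dereference, so unexercised pointers keep their over-approximated sets; even so, a target that real executions can produce but the trace never saw would be dropped, which is the precision-for-soundness trade-off such pruning makes.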
Acknowledgements
We thank our shepherd Daniele Cono D’Elia and anonymous reviewers for their valuable feedback. This material is based upon work supported by ONR under Award No. N00014-17-1-2897.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Das, D. et al. (2022). Hybrid Pruning: Towards Precise Pointer and Taint Analysis. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_1
DOI: https://doi.org/10.1007/978-3-031-09484-2_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-09483-5
Online ISBN: 978-3-031-09484-2
eBook Packages: Computer Science (R0)