
Hybrid Pruning: Towards Precise Pointer and Taint Analysis

Conference paper, in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2022)

Abstract

Pointer and taint analyses are the building blocks for several other static analysis techniques. Unfortunately, these techniques frequently sacrifice precision in favor of scalability by over-approximating program behaviors. Scaling these analyses to real-world codebases written in memory-unsafe languages while retaining precision under the constraint of practical time and resource budgets is an open problem.

In this paper, we present a novel technique called hybrid pruning, where we inject the information collected from a program’s dynamic trace, which is accurate by its very nature, into a static pointer or taint analysis system to enhance its precision. We also tackle the challenge of combining static and dynamic analyses, which operate in two different analysis domains, in order to make the interleaving possible. Finally, we show the usefulness of our approach by reducing the false positives emitted by a static vulnerability detector that consumes the improved points-to and taint information. On our dataset of 12 CGC and 8 real-world applications, our hybrid approach cuts down the warnings by up to 21% over vanilla static analysis, while reporting 19 out of 20 bugs in total.
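The idea in the abstract, as an added illustration that is not the paper's code or algorithm: a flow-insensitive, Andersen-style points-to analysis over a constructed four-statement program over-approximates, a constructed dynamic trace of (variable, runtime address) observations is translated into the static analysis's abstract objects, and the translated facts prune the static sets, which in turn removes a spurious taint warning at a sink. The program, address ranges, trace and the `sink_warnings` checker are all assumptions made for the example.

```python
"""Added illustration of hybrid pruning (not the paper's code): a sound but
imprecise Andersen-style points-to analysis is pruned with facts from a
dynamic trace after translating runtime addresses into abstract objects."""
from collections import defaultdict

# Constructed toy program: p = &a; p = &b; q = p; r = q; sink(*r)
# ("addr", x, y) means x = &y ; ("copy", x, y) means x = y
PROGRAM = [("addr", "p", "a"), ("addr", "p", "b"), ("copy", "q", "p"), ("copy", "r", "q")]
# Constructed allocation table: abstract object -> runtime address range
ABSTRACT_OBJECTS = {"a": (0x1000, 0x1008), "b": (0x2000, 0x2008)}

def static_points_to(stmts):
    """Iterate inclusion constraints to a fixpoint; p -> {a, b} reaches r."""
    pts = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for kind, dst, src in stmts:
            new = {src} if kind == "addr" else set(pts[src])
            if not new <= pts[dst]:
                pts[dst] |= new
                changed = True
    return dict(pts)

def abstract_object(addr):
    """Bridge the two domains: a runtime address becomes a static object."""
    return next((o for o, (lo, hi) in ABSTRACT_OBJECTS.items() if lo <= addr < hi), None)

def hybrid_prune(static_pts, trace):
    """Covered variables keep only objects the trace saw them point to; uncovered
    ones, and any with an observation outside the static domain, keep the static set."""
    observed, unexplained = defaultdict(set), set()
    for var, addr in trace:
        obj = abstract_object(addr)
        if obj is None:
            unexplained.add(var)
        else:
            observed[var].add(obj)
    pruned = {v: set(s) for v, s in static_pts.items()}
    for var, objs in observed.items():
        if var in pruned and var not in unexplained:
            pruned[var] &= objs
    return pruned

def sink_warnings(pts, tainted_objects, sink_var="r"):
    """Objects a taint checker would flag at the dereference of the sink."""
    return sorted(pts.get(sink_var, set()) & tainted_objects)

TRACE = [("p", 0x1000), ("q", 0x1000), ("r", 0x1004)]  # constructed: inputs only reached a
```

Because the trace under-approximates program behaviour, pruning is deliberately limited to variables the trace covered and to observations the static domain can explain; any pruning of this kind can still discard a real flow, which is the cost behind the 19 of 20 bugs reported in the abstract.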



Acknowledgements

We thank our shepherd Daniele Cono D’Elia and anonymous reviewers for their valuable feedback. This material is based upon work supported by ONR under Award No. N00014-17-1-2897.

Corresponding author: Dipanjan Das.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Das, D. et al. (2022). Hybrid Pruning: Towards Precise Pointer and Taint Analysis. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_1

  • DOI: https://doi.org/10.1007/978-3-031-09484-2_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-09483-5

  • Online ISBN: 978-3-031-09484-2
