ABSTRACT
Although static bug detectors are extensively applied, there is a cost in using them. One challenge is that static analysis often reports a large number of false positives but little diagnostic information. Also, individual bug detectors need to be built in response to new types of faults, and tuning a static tool for precision and scalability is time-consuming. This paper presents a novel framework that automatically generates scalable, interprocedural, path-sensitive analyses to detect user-specified faults. The framework consists of a specification technique that expresses faults and the information needed for their detection, a scalable, path-sensitive algorithm, and a generator that unifies the two. The analysis produced identifies not only faults but also the path segments where the root causes of a fault are located. The generality of the framework is accomplished for both data- and control-centric faults. We implemented our framework and generated fault detectors for identifying buffer overflows, integer violations, null-pointer dereferences and memory leaks. We experimentally demonstrate that the generated analyses scale to large deployed software, and that their detection capability is comparable to tools that target a specific type of fault. In our experiments, we identify a total of 146 faults of the four types. While the length of path segments for the majority of faults is 1--4 procedures, we are able to detect faults deeply embedded in the code across 35 procedures.
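To make the three pieces of the abstract concrete (a fault specification, a path-sensitive walk that prunes infeasible branches, and a report that names the path segment from root cause to fault), the following Python example is added here for this page; it is not the paper's implementation or its tooling. Two fault types are written as specifications (null-pointer dereference and integer overflow), the analyser walks a small three-procedure CFG path by path, and each finding carries the segment of nodes from the statement that planted the suspect value to the statement that misuses it. The CFG encoding, statement forms, interval and null abstractions, and the sample program are all assumptions of this example; it also assumes acyclic CFGs and that every variable is assigned before it is read.

```python
# Added example, not the paper's implementation: a toy "generated" detector.
# A fault type is a (root, fault) specification; the analyser walks the
# interprocedural CFG path by path and reports root-to-fault path segments.
INT_MAX = 2**31 - 1
NULL = None
INPUT_RANGE = (0, INT_MAX)       # interval an untrusted integer read may take

# Fault specifications. root(stmt) names the variable a statement makes suspect;
# fault(stmt, state) names the variable a statement misuses on this path.
SPECS = {
    "null-deref": (lambda s: s[1] if s[0] == "set" and s[2] is NULL else None,
                   lambda s, st: s[1] if s[0] == "deref" and st.get(s[1]) is NULL else None),
    "int-overflow": (lambda s: s[1] if s[0] == "input" else None,       # src * k may exceed INT_MAX
                     lambda s, st: s[2] if s[0] == "mul" and st[s[2]][1] * s[3] > INT_MAX else None),
}

# Constructed program: node -> (statement, successors). No successors = procedure
# exit; ("call", f) enters PROCS[f] and resumes at the call's successors.
PROCS = {"main": "main:0", "alloc": "alloc:0", "use": "use:0"}
NODES = {
    "main:0": (("input", "n"), ["main:1"]),
    "main:1": (("nop",), ["main:2", "main:3"]),
    "main:2": (("assume", "n", "<", 1024), ["main:4"]),
    "main:3": (("assume", "n", ">=", 1024), ["main:5"]),
    "main:4": (("call", "alloc"), ["main:6"]),
    "main:5": (("call", "alloc"), ["main:6"]),
    "main:6": (("call", "use"), []),
    "alloc:0": (("mul", "size", "n", 4), ["alloc:1"]),   # size = n * 4
    "alloc:1": (("nop",), ["alloc:2", "alloc:3"]),
    "alloc:2": (("set", "p", "ptr"), []),                # allocation succeeded
    "alloc:3": (("set", "p", NULL), []),                 # allocation failed
    "use:0": (("nop",), ["use:1", "use:2"]),
    "use:1": (("assume", "p", "nonnull", None), ["use:3"]),
    "use:2": (("assume", "p", "null", None), ["use:4"]),
    "use:3": (("deref", "p"), []),                       # guarded by the null check
    "use:4": (("nop",), ["use:5"]),                      # e.g. logs the failure ...
    "use:5": (("deref", "p"), []),                       # ... then dereferences anyway
}

def transfer(stmt, st, origin, node):
    """Update one path's state; return False if the branch is infeasible."""
    kind = stmt[0]
    if kind in ("set", "input"):
        st[stmt[1]] = INPUT_RANGE if kind == "input" else stmt[2]
    elif kind == "mul":                          # dst = src * k, interval arithmetic
        lo, hi = st[stmt[2]]
        st[stmt[1]] = (lo * stmt[3], hi * stmt[3])
        for (spec, v), r in list(origin.items()):   # dst inherits the root of src
            if v == stmt[2]:
                origin[(spec, stmt[1])] = r
    elif kind == "assume":                       # branch condition: refine or kill
        v, op, k = stmt[1], stmt[2], stmt[3]
        val = st.get(v)
        if (op == "null" and val is not NULL) or (op == "nonnull" and val is NULL):
            return False
        if op in ("<", ">="):
            lo, hi = val
            lo, hi = (lo, min(hi, k - 1)) if op == "<" else (max(lo, k), hi)
            if lo > hi:
                return False
            st[v] = (lo, hi)
    for spec, (is_root, _) in SPECS.items():     # record where a suspect value arose
        v = is_root(stmt)
        if v is not None:
            origin[(spec, v)] = node
    return True

def explore(node, st, origin, path, ret_stack, findings):
    """DFS over one path; state is copied so sibling paths never share it."""
    stmt, succs = NODES[node]
    st, origin, path = dict(st), dict(origin), path + [node]
    for spec, (_, is_fault) in SPECS.items():    # sinks, judged under this path's state
        v = is_fault(stmt, st)
        if v is not None:
            root = origin.get((spec, v), node)
            findings.add((spec, root, node, tuple(path[path.index(root):])))
    if not transfer(stmt, st, origin, node):
        return                                   # infeasible: abandon this path
    if stmt[0] == "call":                        # descend; come back to succs on exit
        explore(PROCS[stmt[1]], st, origin, path, ret_stack + [succs], findings)
    elif succs:
        for s in succs:
            explore(s, st, origin, path, ret_stack, findings)
    elif ret_stack:                              # procedure exit: return to the caller
        for s in ret_stack[-1]:
            explore(s, st, origin, path, ret_stack[:-1], findings)

def analyze(entry="main"):
    """Return {(fault type, root node, fault node, path segment)} for the program."""
    findings = set()
    explore(PROCS[entry], {}, {}, [], [], findings)
    return findings

def procedures_spanned(segment):
    return len({n.split(":")[0] for n in segment})

if __name__ == "__main__":
    for spec, root, sink, seg in sorted(analyze()):
        print(f"{spec}: root {root}, fault {sink}, segment {' -> '.join(seg)} "
              f"({procedures_spanned(seg)} procedures)")
```

Running it yields two findings and no false positives: the overflow in `alloc` is reported only on the path through `main:3` (the `n < 1024` path is pruned by the interval refinement), and the dereference in `use:5` is reported with a segment that starts at the failed allocation in `alloc:3` and crosses three procedures, while the guarded dereference in `use:3` is never reached with a null `p`. Adding a fault type means adding one `(root, fault)` pair to `SPECS`; the walk and the segment reporting are shared.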
Generating analyses for detecting faults in path segments