ABSTRACT
Pointer analysis techniques are crucial for many software security mitigation approaches. However, these techniques suffer from imprecision: the reported points-to sets are a superset of the points-to sets that can actually form during program execution. To improve the precision of pointer analysis, we propose Kaleidoscope. Using an invariant-guided optimistic (IGO) pointer analysis, Kaleidoscope makes optimistic assumptions during the analysis that it later validates at runtime. If an optimistic assumption does not hold at runtime, Kaleidoscope falls back to an imprecise baseline analysis, thus preserving soundness. We show that Kaleidoscope reduces the average points-to set size by 13.15× across a set of 9 applications compared with the current state-of-the-art pointer analysis framework. Furthermore, we demonstrate how Kaleidoscope can be used to implement control-flow integrity (CFI), yielding more restrictive, and hence more secure, policies than traditional CFI.
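As an added illustration of the idea sketched in the abstract (this is not code from the Kaleidoscope paper or its artifact; the invariant, the points-to sets, the handler functions and the names `cfi_check`, `set_debug_handler` and `run_handler` are all constructed for this example), the following C program guards one indirect call site with a CFI check. While the assumed invariant holds, the check uses the smaller optimistic points-to set; the instrumented store that the analysis assumed unreachable validates the assumption at runtime, and once it is falsified every check falls back to the sound baseline set.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*handler_t)(int);

int handle_add(int x) { return x + 1; }
int handle_neg(int x) { return -x; }
int handle_dbg(int x) { return x * 100; }
int not_a_target(int x) { (void)x; return 0; }   /* never stored into g_handler */

/* Points-to sets for the indirect call in run_handler(), constructed for this
 * example as a static analysis might report them:
 *  - baseline_set: sound but imprecise, every function the program ever stores
 *    into g_handler;
 *  - optimistic_set: computed under the assumed invariant
 *    "set_debug_handler() is never reached", which drops handle_dbg. */
static const handler_t baseline_set[]   = { handle_add, handle_neg, handle_dbg };
static const handler_t optimistic_set[] = { handle_add, handle_neg };
#define SET_LEN(s) (sizeof(s) / sizeof((s)[0]))

static handler_t g_handler = handle_add;
static int g_invariant_broken = 0;   /* runtime validation state for the invariant */

enum cfi_outcome { CFI_OPTIMISTIC = 0, CFI_BASELINE = 1, CFI_VIOLATION = 2 };

static int in_set(const handler_t *set, size_t n, handler_t t) {
    for (size_t i = 0; i < n; i++)
        if (set[i] == t) return 1;
    return 0;
}

void set_handler(handler_t h) { g_handler = h; }

/* The store the optimistic analysis assumed unreachable. Instrumentation placed
 * here validates the assumption; once it fails, every check site downgrades to
 * the baseline set, so no legitimate call is ever rejected (soundness). */
void set_debug_handler(void) {
    g_invariant_broken = 1;
    g_handler = handle_dbg;
}

int invariant_broken(void) { return g_invariant_broken; }

/* CFI check guarding the indirect call: the optimistic set while the invariant
 * holds, the baseline set after it has been falsified. */
enum cfi_outcome cfi_check(handler_t target) {
    if (!g_invariant_broken)
        return in_set(optimistic_set, SET_LEN(optimistic_set), target)
             ? CFI_OPTIMISTIC : CFI_VIOLATION;
    return in_set(baseline_set, SET_LEN(baseline_set), target)
         ? CFI_BASELINE : CFI_VIOLATION;
}

int run_handler(int x) {
    if (cfi_check(g_handler) == CFI_VIOLATION) {
        fputs("CFI violation: indirect call target not in points-to set\n", stderr);
        abort();
    }
    return g_handler(x);
}

int main(void) {
    printf("add: %d\n", run_handler(5));                 /* admitted by the optimistic set */
    /* A corrupted pointer aimed at handle_dbg is rejected here, although
     * traditional CFI built on the baseline set would accept it. */
    printf("corrupted target admitted? %s\n",
           cfi_check(handle_dbg) == CFI_VIOLATION ? "no" : "yes");
    set_debug_handler();                                 /* invariant falsified at runtime */
    printf("dbg after fallback: %d\n", run_handler(5)); /* now admitted by the baseline set */
    return 0;
}
```

The security gain is visible in the middle of `main`: while the invariant holds, a control-flow hijack that redirects `g_handler` to `handle_dbg` is caught, even though `handle_dbg` is a legitimate member of the baseline points-to set and a conventional CFI policy derived from that set would let the call through. The cost of the fallback is only lost precision, never a false abort, which is what "preserving soundness" buys. Where the validation hooks are placed, and how the fallback is propagated in a real system, is not described on this page; the single global flag here is one simple way to express it.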