DOI: 10.1145/1062455.1062520

Improving software security with a C pointer analysis

Published: 15 May 2005

Abstract

This paper presents a context-sensitive, inclusion-based, field-sensitive points-to analysis for C and uses the analysis to detect and prevent security vulnerabilities in programs. In addition to a conservative analysis, we propose an optimistic analysis that assumes a more restricted C semantics that reflects common C usage to increase the precision of the analysis. This paper uses the proposed pointer alias analyses to infer the types of variables in C programs and shows that most C variables are used in a manner consistent with their declared types. We show that pointer analysis can be used to reduce the overhead of a dynamic string-buffer overflow detector by 30% to 100% among applications with significant overheads. Finally, using pointer analysis, we statically found six format string vulnerabilities in two of the 12 programs we analyzed.

Published In

ICSE '05: Proceedings of the 27th International Conference on Software Engineering
May 2005
754 pages
ISBN: 1581139632
DOI: 10.1145/1062455
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. buffer overflows
  2. context-sensitive
  3. dynamic analysis
  4. error detection
  5. format string violations
  6. pointer analysis
  7. program analysis
  8. programming languages
  9. security flaws
  10. software errors
  11. software security
  12. type safety
  13. vulnerabilities

Conference

ICSE05

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Article Metrics

  • Downloads (last 12 months): 16
  • Downloads (last 6 weeks): 3
Reflects downloads up to 21 Sep 2024

Cited By

  • (2024) Structure-Sensitive Pointer Analysis for Multi-structure Objects. Proceedings of the 15th Asia-Pacific Symposium on Internetware, pages 155-164. DOI: 10.1145/3671016.3671396. Online publication date: 24 Jul 2024.
  • (2024) A Context-Sensitive Pointer Analysis Framework for Rust and Its Application to Call Graph Construction. Proceedings of the 33rd ACM SIGPLAN International Conference on Compiler Construction, pages 60-72. DOI: 10.1145/3640537.3641574. Online publication date: 17 Feb 2024.
  • (2020) Learning graph-based heuristics for pointer analysis without handcrafting application-specific features. Proceedings of the ACM on Programming Languages, 4:OOPSLA, pages 1-30. DOI: 10.1145/3428247. Online publication date: 13 Nov 2020.
  • (2020) CoDaRR: Continuous Data Space Randomization against Data-Only Attacks. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pages 494-505. DOI: 10.1145/3320269.3384757. Online publication date: 5 Oct 2020.
  • (2019) DCNS. Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pages 287-299. DOI: 10.1145/3297858.3304065. Online publication date: 4 Apr 2019.
  • (2019) Fast and Precise Handling of Positive Weight Cycles for Field-Sensitive Pointer Analysis. Static Analysis, pages 27-47. DOI: 10.1007/978-3-030-32304-2_3. Online publication date: 2 Oct 2019.
  • (2018) Precise and scalable points-to analysis via data-driven context tunneling. Proceedings of the ACM on Programming Languages, 2:OOPSLA, pages 1-29. DOI: 10.1145/3276510. Online publication date: 24 Oct 2018.
  • (2014) DEICS: Data Erasure in Concurrent Software. Secure IT Systems, pages 42-58. DOI: 10.1007/978-3-319-11599-3_3. Online publication date: 2014.
  • (2013) Using dependencies to improve precision of code analysis. Automatic Control and Computer Sciences, 46:7, pages 338-344. DOI: 10.3103/S0146411612070097. Online publication date: 7 Jan 2013.
  • (2013) Verifying systems rules using rule-directed symbolic execution. ACM SIGPLAN Notices, 48:4, pages 329-342. DOI: 10.1145/2499368.2451152. Online publication date: 16 Mar 2013.
