research-article

Validation of memory accesses through symbolic analyses

Authors:

Henrique Nazaré,

Izabela Maffra,

Leonardo Barbosa,

Fernando Magno Quintão PereiraAuthors Info & Claims

ACM SIGPLAN Notices, Volume 49, Issue 10

Pages 791 - 809

https://doi.org/10.1145/2714064.2660205

Published: 15 October 2014 Publication History

Abstract

The C programming language does not prevent out-of-bounds memory accesses. There exist several techniques to secure C programs; however, these methods tend to slow down these programs substantially, because they populate the binary code with runtime checks. To deal with this problem, we have designed and tested two static analyses - symbolic region and range analysis - which we combine to remove the majority of these guards. In addition to the analyses themselves, we bring two other contributions. First, we describe live range splitting strategies that improve the efficiency and the precision of our analyses. Secondly, we show how to deal with integer overflows, a phenomenon that can compromise the correctness of static algorithms that validate memory accesses. We validate our claims by incorporating our findings into AddressSanitizer. We generate SPEC CINT 2006 code that is 17% faster and 9% more energy efficient than the code produced originally by this tool. Furthermore, our approach is 50% more effective than Pentagons, a state-of-the-art analysis to sanitize memory accesses.

References

[1]

P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In SSYM, pages 51--66. USENIX, 2009.

Digital Library

[2]

S. Ananian. The static single information form. Master's thesis, MIT, September 1999.

[3]

L. O. Andersen. Program Analysis and Specialization for the C Programming Language. PhD thesis, DIKU, University of Copenhagen, 1994.

[4]

C. Bauer, A. Frink, and R. Kreckel. Introduction to the GiNaC framework for symbolic computation within the C++ programming language. J. Symb. Comput., 33(1):1--12, 2002.

Digital Library

[5]

W. Blume and R. Eigenmann. Symbolic range propagation. In IPPS, pages 357--363, 1994.

Digital Library

[6]

R. Bodik, R. Gupta, and V. Sarkar. ABCD: eliminating array bounds checks on demand. In PLDI, pages 321--333. ACM, 2000.

Digital Library

[7]

D. Brumley, D. X. Song, T. cker Chiueh, R. Johnson, and H. Lin. RICH: Automatically protecting against integer-based vulnerabilities. In NDSS. USENIX, 2007.

[8]

J.-D. Choi, R. Cytron, and J. Ferrante. Automatic construction of sparse data flow evaluation graphs. In POPL, pages 55--66. ACM, 1991.

Digital Library

[9]

P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL, pages 238--252. ACM, 1977.

Digital Library

[10]

P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In POPL, pages 84--96. ACM, 1978.

Digital Library

[11]

P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, and X. Rival. Why does astrée scale up? Form. Methods Syst. Des., 35(3):229--264, 2009.

Digital Library

[12]

R. Cytron, J. Ferrante, B. Rosen, M.Wegman, and K. Zadeck. Efficiently computing static single assignment form and the control dependence graph. TOPLAS, 13(4):451--490, 1991.

Digital Library

[13]

D. Dhurjati, S. Kowshik, and V. Adve. SAFECode: enforcing alias analysis for weakly typed languages. In PLDI, pages 144--157. ACM, 2006.

Digital Library

[14]

W. Dietz, P. Li, J. Regehr, and V. Adve. Understanding integer overflow in C/C++. In ICSE, pages 760--770. IEEE, 2012.

Digital Library

[15]

J. Ferrante, J. Ottenstein, and D. Warren. The program dependence graph and its use in optimization. TOPLAS, 9(3): 319--349, 1987.

Digital Library

[16]

P. Ferrara, F. Logozzo, and M. Fähndrich. Safer unsafe code for .net. SIGPLAN Not., 43(10):329--346, 2008.

Digital Library

[17]

B. Hardekopf and C. Lin. The ant and the grasshopper: fast and accurate pointer analysis for millions of lines of code. In PLDI, pages 290--299. ACM, 2007.

Digital Library

[18]

C. Lattner and V. S. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In CGO, pages 75--88. IEEE, 2004.

Digital Library

[19]

F. Logozzo and M. Fähndrich. Pentagons: A weakly relational abstract domain for the efficient validation of array accesses. Sci. Comput. Program., 75(9):796--807, 2010.

Digital Library

[20]

A. Miné. The octagon abstract domain. Higher Order Symbol. Comput., 19:31--100, 2006.

Digital Library

[21]

A. Miné. Backward under-approximations in numeric abstract domains to automatically infer sufficient program conditions. Science of Computer Programming, 2013.

[22]

S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. Softbound: Highly compatible and complete spatial memory safety for c. In PLDI, pages 245--258. ACM, 2009.

Digital Library

[23]

F. Nielson, H. R. Nielson, and C. Hankin. Principles of program analysis. Springer, 2005.

Digital Library

[24]

H. Oh, K. Heo, W. Lee, W. Lee, and K. Yi. Design and implementation of sparse global analyses for c-like languages. In PLDI, pages 1--11. ACM, 2012.

Digital Library

[25]

A. A. Rimsa, M. D'Amorim, F. M. Q. Pereira, and R. Bigonha. Efficient static checker for tainted variable attacks. Science of Computer Programming, 80(1):91--105, 2014.

Digital Library

[26]

R. E. Rodrigues, V. H. S. Campos, and F. M. Q. Pereira. A fast and low overhead technique to secure programs against integer overflows. In CGO. ACM, 2013.

Digital Library

[27]

R. Rugina and M. C. Rinard. Symbolic bounds analysis of pointers, array indices, and accessed memory regions. TOPLAS, 27(2):185--235, 2005.

Digital Library

[28]

E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In S&P, pages 1--15. IEEE, 2010.

Digital Library

[29]

K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov. Addresssanitizer: a fast address sanity checker. In USENIX ATC, pages 28--28. USENIX Association, 2012.

Digital Library

[30]

M. S. Simpson and R. K. Barua. Memsafe: Ensuring the spatial and temporal memory safety of c at runtime. Softw. Pract. Exper., 43(1):93--128, 2013.

Digital Library

[31]

D. Singh and W. J. Kaiser. The atom LEAP platform for energy-efficient embedded computing. Technical Report 88b146bk, UCLA, 2010.

[32]

A. L. C. Tavares, B. Boissinot, F. M. Q. Pereira, and F. Rastello. Parameterized construction of program representations for sparse dataflow analyses. In Compiler Construction, pages 2--21. Springer, 2014.

[33]

F. Tip. A survey of program slicing techniques. Technical report, CWI, 1994.

Digital Library

[34]

J. von Ronne, A. Gampe, D. Niedzielski, and K. Psarris. Safe bounds check annotations. Concurr. Comput.: Pract. Exper., 21(1):41--57, 2009.

Digital Library

[35]

M. Weiser. Program slicing. In ICSE, pages 439--449. IEEE, 1981.

Digital Library

[36]

J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In NDSS, pages 1--12. USENIX, 2003.

[37]

J. Zhao, S. Nagarakatte, M. M. K. Martin, and S. Zdancewic. Formal verification of ssa-based optimizations for llvm. In PLDI, pages 175--186. ACM, 2013.

Digital Library

Cited By

Chitre KKedia PPurandare R(2023)Rapid: Region-Based Pointer DisambiguationProceedings of the ACM on Programming Languages10.1145/36228597:OOPSLA2(1729-1757)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3622859
Zhai JJin YChen WZheng WZhai JJin YChen WZheng W(2023)Informed Memory Access MonitoringPerformance Analysis of Parallel Applications for HPC10.1007/978-981-99-4366-1_4(73-97)Online publication date: 19-Jun-2023
https://doi.org/10.1007/978-981-99-4366-1_4
Chitre KKedia PPurandare R(2022)The road not taken: exploring alias analysis based optimizations missed by the compilerProceedings of the ACM on Programming Languages10.1145/35633166:OOPSLA2(786-810)Online publication date: 31-Oct-2022
https://dl.acm.org/doi/10.1145/3563316
Show More Cited By

Index Terms

Validation of memory accesses through symbolic analyses
1. Software and its engineering
  1. Software notations and tools
    1. Compilers

Recommendations

Validation of memory accesses through symbolic analyses
OOPSLA '14: Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications

The C programming language does not prevent out-of-bounds memory accesses. There exist several techniques to secure C programs; however, these methods tend to slow down these programs substantially, because they populate the binary code with runtime ...
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors

Memory corruption errors lead to non-deterministic, elusive crashes. This paper describes ARCHER (ARray CHeckER) a static, effective memory access checker. ARCHER uses path-sensitive, interprocedural symbolic analysis to bound the values of both ...
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors
ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering

Memory corruption errors lead to non-deterministic, elusive crashes. This paper describes ARCHER (ARray CHeckER) a static, effective memory access checker. ARCHER uses path-sensitive, interprocedural symbolic analysis to bound the values of both ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM SIGPLAN Notices

ACM SIGPLAN Notices Volume 49, Issue 10

OOPSLA '14

October 2014

907 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/2714064

Editor:
Andy Gill
University of Kansas, Lawrence, KS

Issue’s Table of Contents

OOPSLA '14: Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications
October 2014
946 pages
ISBN:9781450325851
DOI:10.1145/2660193
General Chair:
Andrew Black
Portland State University, USA
,
Program Chair:
Todd Millstein
University of California, Los Angeles, USA

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 October 2014

Published in SIGPLAN Volume 49, Issue 10

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

27
Total Citations
View Citations
477
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Chitre KKedia PPurandare R(2023)Rapid: Region-Based Pointer DisambiguationProceedings of the ACM on Programming Languages10.1145/36228597:OOPSLA2(1729-1757)Online publication date: 16-Oct-2023
Zhai JJin YChen WZheng WZhai JJin YChen WZheng W(2023)Informed Memory Access MonitoringPerformance Analysis of Parallel Applications for HPC10.1007/978-981-99-4366-1_4(73-97)Online publication date: 19-Jun-2023
Chitre KKedia PPurandare R(2022)The road not taken: exploring alias analysis based optimizations missed by the compilerProceedings of the ACM on Programming Languages10.1145/35633166:OOPSLA2(786-810)Online publication date: 31-Oct-2022
Mirliaz SPichardie D(2022)A Flow-Insensitive-Complete Program RepresentationVerification, Model Checking, and Abstract Interpretation10.1007/978-3-030-94583-1_10(197-218)Online publication date: 16-Jan-2022
Melo LRibeiro RGuimarães BPereira F(2020)Type Inference for CACM Transactions on Programming Languages and Systems10.1145/342147242:3(1-71)Online publication date: 24-Nov-2020
Alberti MSignoles J(2018)Context Generation from Formal Specifications for C Analysis ToolsLogic-Based Program Synthesis and Transformation10.1007/978-3-319-94460-9_6(93-111)Online publication date: 10-Jul-2018
Maas ANazaré HLiblit BLo DApel SKhurshid S(2016)Array length inference for C library bindingsProceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering10.1145/2970276.2970310(461-471)Online publication date: 25-Aug-2016
Maia AMelo LPereira FNeto OOliveira L(2016)SMOV: Array Bound-Check and access in a single instruction2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC)10.1109/CCNC.2016.7444872(745-751)Online publication date: Jan-2016
Bessa TQuintão PFrank MMagno Quintão Pereira F(2016)JetsonLeap: A Framework to Measure Energy-Aware Code Optimizations in Embedded and Heterogeneous SystemsProgramming Languages10.1007/978-3-319-45279-1_2(16-30)Online publication date: 17-Sep-2016
Lo DApel SKhurshid S(2016)Proceedings of the 31st IEEE/ACM International Conference on Automated Software EngineeringundefinedOnline publication date: 25-Aug-2016
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents