Pointer Analysis, Conditional Soundness, and Proving the Absence of Errors

Conway, Christopher L.; Dams, Dennis; Namjoshi, Kedar S.; Barrett, Clark

doi:10.1007/978-3-540-69166-2_5

Cited by 10 publications

(6 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, when performing a points-to analysis, we can safely assume pointer arithmetic does not make a pointer go outside of a block. This assumption of memory-safe executions is also in previous work of formalizing points-to analysis [14], [42].…”

Section: A the Block Memory Modelmentioning

confidence: 84%

Refining Indirect Call Targets at the Binary Level

Kim¹,

Zeng

Tan

2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Enforcing fine-grained Control-Flow Integrity (CFI) is critical for increasing software security. However, for commercial off-the-shelf (COTS) binaries, constructing highprecision Control-Flow Graphs (CFGs) is challenging, because there is no source-level information, such as symbols and types, to assist in indirect-branch target inference. The lack of sourcelevel information brings extra challenges to inferring targets for indirect calls compared to other kinds of indirect branches. Points-to analysis could be a promising solution for this problem, but there is no practical points-to analysis framework for inferring indirect call targets at the binary level. Value set analysis (VSA) is the state-of-the-art binary-level points-to analysis but does not scale to large programs. It is also highly conservative by design and thus leads to low-precision CFG construction. In this paper, we present a binary-level points-to analysis framework called BPA to construct sound and high-precision CFGs. It is a new way of performing points-to analysis at the binary level with the focus on resolving indirect call targets. BPA employs several major techniques, including assuming a block memory model and a memory access analysis for partitioning memory into blocks, to achieve a better balance between scalability and precision. In evaluation, we demonstrate that BPA achieves a 34.5% precision improvement rate over the current state-of-theart technique without introducing false negatives.

show abstract

Section: A the Block Memory Modelmentioning

confidence: 84%

Refining Indirect Call Targets at the Binary Level

Kim¹,

Zeng

Tan

2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Conditional static analysis explores only those the permitted states are described by a condition θ expressed as a logical formula. the condition θ is either determined from the analysis design [42], [43], where θ is applicable to all program states, or determined during program analysis execution [44], where θ is composed of the conditions assumed to hold for a certain set of states. Elena Sherman automatic generate the condition θ to decompose the program's state space into multiple partitions based on the program's control flow graph, and each partition corresponds to a set of paths expressed as a set of CFG branches [45].…”

Section: Conditional Static Analysismentioning

confidence: 99%

A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Lin¹,

Jiang²,

Wang³

et al. 2019

IEEE Access

View full text Add to dashboard Cite

Value set analysis is a common static binary program analysis approach. Value set analysis attempts to identify a tight over-approximation of the program state at any given point in the program and can be used to detect vulnerability. Existing memory corruption detection analysis technologies based on value set analysis have a high false positive rate, because value set analysis suffers from a lack of accuracy. We observed that two main sources of imprecision in value set analysis are merge operation and failed branch conditions tracking. In order to address above problems, in this paper, we propose a value set analysis refinement approach based on conditional merging and lazy constraint solving. We propose a variable dependence analysis algorithm to divide program paths into subsets and only merge the states which satisfy the condition that the states are from the same subset, which reduces the imprecision from the merging operation. We collect path predicates as path constraint and solve the path constraint using Satisfiability Modulo Theories (SMT) solver lazily to get a tighter number range of the variable when a variable need be refined, which reduces the imprecision from the failed branch conditions tracking. We implement a prototype system RVSA based on the proposed approach and verify its effectiveness according to experimentation. Compared with state-of-the-art approach, the experimental results demonstrate that the false positive rate is reduced by 12.9%. Furthermore, using our proposed approach, 25 zero-day vulnerabilities are found in the Netgear httpd binary.

show abstract

“…Another approach aims to improve the scalability of precise analysis by permitting the analysis to explore only those program states for which it is adequately precise, i.e., able to provide definitive result. In the literature [5][6][7] this approach is called conditional static analysis (CSA) since the permitted states are described by a condition θ expressed as a logical formula. In such a framework an analysis verifies a program under some assumptions, i.e., there are no null pointer exceptions or a pre-condition on input values is assumed to hold.…”

Section: Introductionmentioning

confidence: 99%

“…Next, another analysis attempts to prove these assumptions by showing that the states, which do not satisfy θ are either not reachable or do not lead to property violations. In prior work the condition θ is either determined from the analysis design [5,6], where θ is applicable to all program states, or determined during program analysis execution [7], where θ is composed of the conditions assumed to hold for a certain set of states.…”

Section: Introductionmentioning

confidence: 99%

Structurally Defined Conditional Data-Flow Static Analysis

Sherman

Dwyer

2018

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

Data flow analysis (DFA) is an important verification technique that computes the effect of data values propagating over program paths. While more precise than flow-insensitive analyses, such an analysis is time-consuming. This paper investigates the acceleration of DFA by structural decomposition of the underlying control flow graph. Specifically, we explore the cost and effectiveness of dividing program paths into subsets by partitioning path suffixes at conditional statements, applying a DFA on each subset, and then combining the resulting invariants. This yields a family of independent DFA problems that are solved in parallel and where the partial results of each problem represent safe program invariants.Empirical evaluations reveal that depending on the DFA type and its conditional implementation the invariants for a large fraction of program points can be computed in less time than traditional DFA. This work suggests a strategy for an "anytime DFA" algorithm: computing safe program invariants as the analysis proceeds.

show abstract

Pointer Analysis, Conditional Soundness, and Proving the Absence of Errors

Cited by 10 publications

References 24 publications

Refining Indirect Call Targets at the Binary Level

Refining Indirect Call Targets at the Binary Level

A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Structurally Defined Conditional Data-Flow Static Analysis

Contact Info

Product

Resources

About