计算机科学技术学报 ›› 2019,Vol. 34 ›› Issue (5): 972-992.doi: 10.1007/s11390-019-1955-3

所属专题: Software Systems

• Special Section on Software Systems 2019 • 上一篇    下一篇

验证缺失的自动化检测与修复推荐

Ling-Yun Situ1,2, Student Member, CCF, Lin-Zhang Wang1,2,*, Distinguished Member, CCF, Yang Liu3, Member, ACM, IEEE, Bing Mao1,2, Xuan-Dong Li1,2, Fellow, CCF   

  1. 1 State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210023, China;
    2 Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China;
    3 School of Computer Science and Engineering, Nanyang Technological University, Singapore 639798, Singapore
  • 收稿日期:2019-02-26 修回日期:2019-07-22 出版日期:2019-08-31 发布日期:2019-08-31
  • 通讯作者: Lin-Zhang Wang E-mail:lzwang@nju.edu.cn
  • 作者简介:Ling-Yun Situ is a Ph.D. candidate in State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing. He received his B.S. degree in computer science from Jiangsu University, Zhenjiang, in 2011, and his M.S. degree in computer science from Guilin University of Electronic and Technology, Guilin, in 2014. His research interests include software and system security, static analysis and fuzzing.
  • 基金资助:
    This work was supported by the National Key Research and Development Program of China under Grant No. 2017YFA0700604, and the National Natural Science Foundation of China under Grant Nos. 61632015 and 61690204, and partially supported by the Collaborative Innovation Center of Novel Software Technology and Industrialization, and Nanjing University Innovation and Creative Program for Ph.D. Candidate under Grant No. 2016014.

Automatic Detection and Repair Recommendation for Missing Checks

Ling-Yun Situ1,2, Student Member, CCF, Lin-Zhang Wang1,2,*, Distinguished Member, CCF, Yang Liu3, Member, ACM, IEEE, Bing Mao1,2, Xuan-Dong Li1,2, Fellow, CCF   

  1. 1 State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210023, China;
    2 Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China;
    3 School of Computer Science and Engineering, Nanyang Technological University, Singapore 639798, Singapore
  • Received:2019-02-26 Revised:2019-07-22 Online:2019-08-31 Published:2019-08-31
  • Contact: Lin-Zhang Wang E-mail:lzwang@nju.edu.cn
  • About author:Ling-Yun Situ is a Ph.D. candidate in State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing. He received his B.S. degree in computer science from Jiangsu University, Zhenjiang, in 2011, and his M.S. degree in computer science from Guilin University of Electronic and Technology, Guilin, in 2014. His research interests include software and system security, static analysis and fuzzing.
  • Supported by:
    This work was supported by the National Key Research and Development Program of China under Grant No. 2017YFA0700604, and the National Natural Science Foundation of China under Grant Nos. 61632015 and 61690204, and partially supported by the Collaborative Innovation Center of Novel Software Technology and Industrialization, and Nanjing University Innovation and Creative Program for Ph.D. Candidate under Grant No. 2016014.

PDF (PC)

244

补充材料

1

对安全敏感操作中使用的不可信输入缺乏验证是导致各种漏洞的主要原因之一。有效地检测和修复验证缺失对于预先诊断潜在漏洞,提高代码可靠性至关重要。我们提出了系统性的静态分析方法检测C/C++程序中对安全敏感操作使用的可操纵数据的验证缺失,并推荐修复参考。首先,借助轻量级的静态分析定位自定义的安全敏感操作。然后,通过污点分析判断安全敏感操作中使用敏感数据的可攻击性。接着,评估验证缺失的存在性和风险程度。最后,对高风险的验证缺失推荐修复参考。我们基于Clang/LLVM 3.6.0实现了我们的方法,并开发了一个名为Vanguard的跨平台自动化检测工具。在大规模开源项目上的实验评估显示了方法的有效性及其效率。进一步的,Vanguard已经帮助我们发现了五个已知的漏洞和十二个新的漏洞。

关键词: 静态分析, 验证缺失, 漏洞检测, 修复推荐

Abstract: Missing checks for untrusted inputs used in security-sensitive operations is one of the major causes of various vulnerabilities. Efficiently detecting and repairing missing checks are essential for prognosticating potential vulnerabilities and improving code reliability. We propose a systematic static analysis approach to detect missing checks for manipulable data used in security-sensitive operations of C/C++ programs and recommend repair references. First, customized securitysensitive operations are located by lightweight static analysis. Then, the assailability of sensitive data used in securitysensitive operations is determined via taint analysis. And, the existence and the risk degree of missing checks are assessed. Finally, the repair references for high-risk missing checks are recommended. We implemented the approach into an automated and cross-platform tool named Vanguard based on Clang/LLVM 3.6.0. Large-scale experimental evaluation on open-source projects has shown its effectiveness and efficiency. Furthermore, Vanguard has helped us uncover five known vulnerabilities and 12 new bugs.

Key words: static analysis, missing check, vulnerability detection, repair recommendation

[1] Piromsopa K, Enbody R J. Survey of protections from buffer-overflow attacks. Engineering Journal, 2011, 15(2):31-52.
[2] Sipser M. Introduction to the Theory of Computation (2nd edition). Course Technology, 2006.
[3] Gao F, Wang L, Li X. BovInspector:Automatic inspection and repair of buffer overflow vulnerabilities. In Proc. the 31st Int. Conference on Automated Software Engineering, September 2016, pp.786-791.
[4] Chen G, Jin H, Zou D, Zhou B, Liang Z, Zheng W, Shi X. SafeStack:Automatically patching stack-based buffer overflow vulnerabilities. IEEE Trans. Dependable and Secure Computing, 2013, 10(6):368-379.
[5] Wang T, Wei T, Lin Z, Zou W. IntScope:Automatically detecting integer overflow vulnerability in X86 binary using symbolic execution. In Proc. the 16th Network and Distributed System Security Symposium, February 2009, Article No. 17.
[6] Dietz W, Li P, Regehr J, Adve V. Understanding integer overflow in C/C++. ACM Trans. Software Engineering and Methodology, 2015, 25(1):Article No. 2.
[7] Lee B, Song C, Jang Y et al. Preventing use-after-free with Dangling pointers nullification. In Proc. the 22th Annual Network and Distributed System Security Symposium, February 2015, Article No. 21.
[8] Yan H, Sui Y, Chen S, Xue J. Spatio-temporal context reduction:A pointer-analysis-based static approach for detecting use-after-free vulnerabilities. In Proc. the 40th Int. Software Conference on Engineering, May 2018, pp.327-337.
[9] Li M, Chen Y, Wang L, Xu G. Dynamically validating static memory leak warnings. In Proc. the 22nd Int. Symposium on Software Testing and Analysis, July 2013, pp.112-122.
[10] Sui Y, Ye D, Xue J. Detecting memory leaks statically with full-sparse value-flow analysis. IEEE Trans. Software Engineering, 2014, 40(2):107-122.
[11] Szekeres L, Payer M, Wei T, Dawn S. SoK:Eternal war in memory. In Proc. the 34th Int. IEEE Symposium on Security and Privacy, May 2013, pp.48-62.
[12] Das A, Lal A. Precise null pointer analysis through global value numbering. In Proc. the 15th Int. Symposium on Automated Technology for Verification and Analysis, October 2017, pp.25-41.
[13] Akritidis P, Costa M, Castro M, Hand S. Baggy bounds checking:An efficient and backwards-compatible defense against out-of-bounds errors. In Proc. the 18th USENIX Security Symposium, August 2009, pp.51-66.
[14] Kim D, Nam J, Song J et al. Automatic patch generation learned from human-written patches. In Proc. the 35th Int. Conference on Software Engineering, May 2013, pp.802-811.
[15] Li P, Cui B. A comparative study on software vulnerability static analysis techniques and tools. In Proc. the 2010 International Conference on Information Theory and Information Security, Dec. 2010, pp.521-524.
[16] Wagner D A, Foster J S, Brewer E A, Aiken A. A first step towards automated detection of buffer overrun vulnerabilities. In Proc. the 7th Network and Distributed System Security Symposium, February 2000, Article No. 1.
[17] Situ L, Zou L, Wang L, Liu Y, Mao B, Li X. Detecting missing checks for identifying insufficient attack protections. In Proc. the 40th Int. Conference on Software Engineering, May 2018, pp.238-239.
[18] Ming J, Wu D, Xiao G, Wang J, Liu P. TaintPipe:Pipelined symbolic taint analysis. In Proc. the 24th USENIX Security Symposium, August 2015, pp.65-80.
[19] Cadar C, Sen K. Symbolic execution for software testing:Three decades later. Commun. ACM, 2013, 56(2):82-90.
[20] Li Y, Su Z, Wang L, Li X. Steering symbolic execution to less traveled paths. In Proc. the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications, October 2013, pp.19-32.
[21] Majumdar R, Sen K. Hybrid concolic testing. In Proc. the 29th Int. Conference on Software Engineering, May 2007, pp.416-426.
[22] Seo H, Kim S. How we get there:A context-guided search strategy in concolic testing. In Proc. the 22nd Int. Symposium on Foundations of Software Engineering, November 2014, pp.413-424.
[23] Bérard B, Bidoit M, Finkel A, Laroussinie F, Petit A, Petrucci L, Schnoebelen P, McKenzie P. Systems and Software Verification:Model-Checking Techniques and Tools. Springer, 2001.
[24] Situ L, Zhao L. CSP bounded model checking of preprocessed CTL extended with events using answer set programming. In Proc. the 2015 Asia-Pacific Software Engineering Conference, December 2015, pp.16-23.
[25] Sutton M, Greene A, Amini P. Fuzzing:Brute Force Vulnerability Discovery (1st edition). Addison-Wesley Professional, 2007.
[26] Stephens N, Grosen J, Salls C et al. Driller:Augmenting fuzzing through selective symbolic execution. In Proc. the 23rd Annual Network and Distributed System Security Symposium, February 2016, Article No. 28.
[27] Yamaguchi F, Wressnegger C, Gascon H et al. Chucky:Exposing missing checks in source code for vulnerability discovery. In Proc. the 2013 ACM SIGSAC Conference on Computer & Communications Security, November 2013, pp.499-510.
[28] Son S, McKinley K S, Shmatikov V. RoleCast:Finding missing security checks when you do not know what checks are. In Proc. the 26th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, October 2011, pp.1069-1084.
[29] Lattner C. LLVM and Clang:Next generation compiler technology. https://clvm.org, July 2019.
[30] Ryder B G. Constructing the call graph of a program. IEEE Trans. Software Engineering, 1979, 5(3):216-226.
[31] Stanier J, Watson D. Intermediate representations in imperative compilers:A survey. ACM Computing Surveys, 2013, 45(3):Article No. 26.
[32] Pendleton M, Garcia-Lebron R, Cho J H, Xu S. A survey on systems security metrics. ACM Computing Surveys, 2017, 49(4):Article No. 62.
[33] Gao F, Chen T, Wang Y, Situ L, Wang L, Li X. Carraybound:Static array bounds checking in C programs based on taint analysis. In Proc. the 8th Int. Asia-Pacific Symposium on Internetware, September 2016, pp.81-90.
[34] Ceara D, Potet M L, Ensimag G I, Mounier, L. Detecting software vulnerabilities-static taint analysis. https://docplayer.net/18105375-Detecting-software-vulnerabilities-static-taint-analysis.html, July 2019.
[35] Lalande J F, Heydemann K, Berthomé P. Software countermeasures for control flow integrity of smart card C codes. In Proc. the 19th European Symposium on Research in Computer Security, Sept. 2014, pp.200-2018.
[36] Kang M G, McCamant S, Poosankam P, Dawn S. DTA++:Dynamic taint analysis with targeted control-flow propagation. In Proc. the 18th Network and Distributed System Security Symposium, February 2011, Article No. 15.
[37] Li L, Bartel A, Klein J, Traon Y L, Arzt S, Rasthofer S, Bodden E, Octeau D, Mcdaniel P. I know what leaked in your pocket:Uncovering privacy leaks on Android Apps with static taint analysis. arXiv:1404.7431, 2014. https://arxiv.org/pdf/1404.7431.pdf, June 2019.
[38] Schwartz E J, Avgerinos T, Brumley D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proc. the 31st IEEE Symposium on Security and Privacy, May 2010, pp.317-331.
[39] Clause J, Li W, Orso A. Dytan:A generic dynamic taint analysis framework. In Proc. the 16th ACM/SIGSOFT Int. Symposium on Software Testing and Analysis, July 2007, pp.196-206.
[40] Jovanovic N, Krüegel C, Kirda E. Pixy:A static analysis tool for detecting Web application vulnerabilities (Short Paper). In Proc. the 27th IEEE Symposium on Security and Privacy, May 2006, pp.258-263.
[41] Chang R, Jiang G, Ivancic F, Sankaranarayanan S, Shmatikov V. Inputs of coma:Static detection of denial-ofservice vulnerabilities. In Proc. the 22nd IEEE Computer Security Foundations Symposium, July 2009, pp.186-199.
[42] Kremenek T, Engler D. Z-Ranking:Using statistical analysis to counter the impact of static analysis approximations. In Proc. the 10th Int. Symposium on Static Analysis, June 2003, pp.295-315.
[43] Kim S, Ernst M D. Prioritizing warning categories by analyzing software history. In Proc. the 4th Workshop on Mining Software Repositories, May 2007, pp.27-31.
[44] Ha J, Rossbach C J, Davis J V, Roy I, Ramadan H E, Porter D E, Chen D L, Witchel E. Improved error reporting for software that uses black-box components. In Proc. the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2007, pp.101-111.
[45] Situ L, Wang L, Liu Y, Mao B, Li X. Vanguard:Detecting missing checks for prognosing potential vulnerabilities. In Proc. the 10th Asia-Pacific Symposium on Internetware, September 2018, Article No. 5.
[46] Goues L C, Nguyen T V, Forrest S et al. GenProg:A generic method for automatic software repair. IEEE Trans. Software Engineering, May 2011, 38(1):54-72.
[47] Qi Y, Mao X, Lei Y, Dai Z, Wang C. The strength of random search on automated program repair. In Proc. the 36th Int. Conference on Software Engineering, May 2014, pp.254-265.
[48] Xiong Y, Wang J, Yan R, Zhang J, Han S, Huang G, Zhang L. Precise condition synthesis for program repair. In Proc. the 39th Int. Conference on Software Engineering, May 2017, pp.416-426.
[49] Tan S H, Roychoudhury A. Relifix:Automated repair of software regressions. In Proc. the 37th IEEE/ACM International Conference on Software Engineering, May 2015, pp.471-482.
[50] Nguyen H D T, Qi D, Roychoudhury A, Chandra S. SemFix:Program repair via semantic analysis. In Proc. the 35th Int. Conference on Software Engineering, May 2013, pp.772-781.
[51] Mechtaev S, Yi J, Roychoudhury A. Angelix:Scalable multiline program patch synthesis via symbolic analysis. In Proc. the 38th Int. Conference on Software Engineering, May 2016, pp.691-701.
[52] Le X B D, Chu D H, Lo D, Le G C, Visser W. JFIX:Semantics-based repair of Java programs via symbolic PathFinder. In Proc. the 26th ACM SIGSOFT Int. Symposium on Software Testing and Analysis, July 2017, pp.376-379.
[53] Gupta R, Pal S, Kanade A, Shevade S. DeepFix:Fixing common C language errors by deep learning. In Proc. the 31st AAAI Conference on Artificial Intelligence, February 2017, pp.1345-1351.
[54] Wang C, Jiang Y, Zhao X, Song X, Gu M. Weak-Assert:A weakness-oriented assertion recommendation toolkit for program analysis. In Proc. the 40th Int. Conference on Software Engineering, May 2018, pp.69-72.
[1] Gen Zhang, Peng-Fei Wang, Tai Yue, Xu Zhou, Kai Lu. MEBS:挖掘操作系统内核中的内存生命周期漏洞[J]. 计算机科学技术学报, 2021, 36(6): 1248-1268.
[2] Ling-Yun Situ, Zhi-Qiang Zuo, Le Guan, Lin-Zhang Wang, Xuan-Dong Li, Jin Shi, Peng Liu. 漏洞区域感知的灰盒模糊测试[J]. 计算机科学技术学报, 2021, 36(5): 1212-1228.
[3] Feng-Juan Gao, Yu Wang, Lin-Zhang Wang, Zijiang Yang, Xuan-Dong Li. 缓冲区溢出静态警报的自动确认[J]. 计算机科学技术学报, 2020, 35(6): 1406-1427.
[4] Jung-Been Lee, Taek Lee, Hoh Peter In. 基于主题建模的软件资源库变更集预警优先级排序[J]. 计算机科学技术学报, 2020, 35(6): 1461-1479.
[5] Gökçer Peynirci, Mete Eminaǧaoǧlu, Korhan Karabulut. 基于IDF值差异的用于Android平台恶意软件检测的特征选择[J]. 计算机科学技术学报, 2020, 35(4): 946-962.
[6] Zi-Peng Zhang, Ming Fu, Xin-Yu Feng. 对Android应用隐私泄露轻量级的动态检测方法[J]. 计算机科学技术学报, 2019, 34(4): 901-923.
[7] Ming-Zhe Zhang, Yun-Zhan Gong, Ya-Wen Wang, Da-Hai Jin. 使用规则导向的符号执行进行面向C语言的单元测试数据生成[J]. 计算机科学技术学报, 2019, 34(3): 670-689.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
[1] 张钹; 张铃;. Statistical Heuristic Search[J]. , 1987, 2(1): 1 -11 .
[2] 孟力明; 徐晓飞; 常会友; 陈光熙; 胡铭曾; 李生;. A Tree-Structured Database Machine for Large Relational Database Systems[J]. , 1987, 2(4): 265 -275 .
[3] 林琦; 夏培肃;. The Design and Implementation of a Very Fast Experimental Pipelining Computer[J]. , 1988, 3(1): 1 -6 .
[4] 孙成政; 慈云桂;. A New Method for Describing the AND-OR-Parallel Execution of Logic Programs[J]. , 1988, 3(2): 102 -112 .
[5] 张钹; 张恬; 张建伟; 张铃;. Motion Planning for Robots with Topological Dimension Reduction Method[J]. , 1990, 5(1): 1 -16 .
[6] 王鼎兴; 郑纬民; 杜晓黎; 郭毅可;. On the Execution Mechanisms of Parallel Graph Reduction[J]. , 1990, 5(4): 333 -346 .
[7] 周权; 魏道政;. A Complete Critical Path Algorithm for Test Generation of Combinational Circuits[J]. , 1991, 6(1): 74 -82 .
[8] 赵靓海; 刘慎权;. An Environment for Rapid Prototyping of Interactive Systems[J]. , 1991, 6(2): 135 -144 .
[9] 商陆军; 许立辉;. Notes on the Design of an Integrated Object-Oriented DBMS Family[J]. , 1991, 6(4): 389 -394 .
[10] 许建国; 郭玉钗; 林宗楷;. HEPAPS:A PCB Automatic Placement System[J]. , 1992, 7(1): 39 -46 .
版权所有 © 《计算机科学技术学报》编辑部
本系统由北京玛格泰克科技发展有限公司设计开发 技术支持:support@magtech.com.cn
总访问量: