Journal of Computer Science and Technology ›› 2019, Vol. 34 ›› Issue (5): 972-992.doi: 10.1007/s11390-019-1955-3

Special Issue: Software Systems

• Special Section on Software Systems 2019 • Previous Articles     Next Articles

Automatic Detection and Repair Recommendation for Missing Checks

Ling-Yun Situ1,2, Student Member, CCF, Lin-Zhang Wang1,2,*, Distinguished Member, CCF, Yang Liu3, Member, ACM, IEEE, Bing Mao1,2, Xuan-Dong Li1,2, Fellow, CCF   

  1. 1 State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210023, China;
    2 Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China;
    3 School of Computer Science and Engineering, Nanyang Technological University, Singapore 639798, Singapore
  • Received:2019-02-26 Revised:2019-07-22 Online:2019-08-31 Published:2019-08-31
  • Contact: Lin-Zhang Wang
  • About author:Ling-Yun Situ is a Ph.D. candidate in State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing. He received his B.S. degree in computer science from Jiangsu University, Zhenjiang, in 2011, and his M.S. degree in computer science from Guilin University of Electronic and Technology, Guilin, in 2014. His research interests include software and system security, static analysis and fuzzing.
  • Supported by:
    This work was supported by the National Key Research and Development Program of China under Grant No. 2017YFA0700604, and the National Natural Science Foundation of China under Grant Nos. 61632015 and 61690204, and partially supported by the Collaborative Innovation Center of Novel Software Technology and Industrialization, and Nanjing University Innovation and Creative Program for Ph.D. Candidate under Grant No. 2016014.

Missing checks for untrusted inputs used in security-sensitive operations is one of the major causes of various vulnerabilities. Efficiently detecting and repairing missing checks are essential for prognosticating potential vulnerabilities and improving code reliability. We propose a systematic static analysis approach to detect missing checks for manipulable data used in security-sensitive operations of C/C++ programs and recommend repair references. First, customized securitysensitive operations are located by lightweight static analysis. Then, the assailability of sensitive data used in securitysensitive operations is determined via taint analysis. And, the existence and the risk degree of missing checks are assessed. Finally, the repair references for high-risk missing checks are recommended. We implemented the approach into an automated and cross-platform tool named Vanguard based on Clang/LLVM 3.6.0. Large-scale experimental evaluation on open-source projects has shown its effectiveness and efficiency. Furthermore, Vanguard has helped us uncover five known vulnerabilities and 12 new bugs.

Key words: static analysis; missing check; vulnerability detection; repair recommendation;

[1] Piromsopa K, Enbody R J. Survey of protections from buffer-overflow attacks. Engineering Journal, 2011, 15(2):31-52.
[2] Sipser M. Introduction to the Theory of Computation (2nd edition). Course Technology, 2006.
[3] Gao F, Wang L, Li X. BovInspector:Automatic inspection and repair of buffer overflow vulnerabilities. In Proc. the 31st Int. Conference on Automated Software Engineering, September 2016, pp.786-791.
[4] Chen G, Jin H, Zou D, Zhou B, Liang Z, Zheng W, Shi X. SafeStack:Automatically patching stack-based buffer overflow vulnerabilities. IEEE Trans. Dependable and Secure Computing, 2013, 10(6):368-379.
[5] Wang T, Wei T, Lin Z, Zou W. IntScope:Automatically detecting integer overflow vulnerability in X86 binary using symbolic execution. In Proc. the 16th Network and Distributed System Security Symposium, February 2009, Article No. 17.
[6] Dietz W, Li P, Regehr J, Adve V. Understanding integer overflow in C/C++. ACM Trans. Software Engineering and Methodology, 2015, 25(1):Article No. 2.
[7] Lee B, Song C, Jang Y et al. Preventing use-after-free with Dangling pointers nullification. In Proc. the 22th Annual Network and Distributed System Security Symposium, February 2015, Article No. 21.
[8] Yan H, Sui Y, Chen S, Xue J. Spatio-temporal context reduction:A pointer-analysis-based static approach for detecting use-after-free vulnerabilities. In Proc. the 40th Int. Software Conference on Engineering, May 2018, pp.327-337.
[9] Li M, Chen Y, Wang L, Xu G. Dynamically validating static memory leak warnings. In Proc. the 22nd Int. Symposium on Software Testing and Analysis, July 2013, pp.112-122.
[10] Sui Y, Ye D, Xue J. Detecting memory leaks statically with full-sparse value-flow analysis. IEEE Trans. Software Engineering, 2014, 40(2):107-122.
[11] Szekeres L, Payer M, Wei T, Dawn S. SoK:Eternal war in memory. In Proc. the 34th Int. IEEE Symposium on Security and Privacy, May 2013, pp.48-62.
[12] Das A, Lal A. Precise null pointer analysis through global value numbering. In Proc. the 15th Int. Symposium on Automated Technology for Verification and Analysis, October 2017, pp.25-41.
[13] Akritidis P, Costa M, Castro M, Hand S. Baggy bounds checking:An efficient and backwards-compatible defense against out-of-bounds errors. In Proc. the 18th USENIX Security Symposium, August 2009, pp.51-66.
[14] Kim D, Nam J, Song J et al. Automatic patch generation learned from human-written patches. In Proc. the 35th Int. Conference on Software Engineering, May 2013, pp.802-811.
[15] Li P, Cui B. A comparative study on software vulnerability static analysis techniques and tools. In Proc. the 2010 International Conference on Information Theory and Information Security, Dec. 2010, pp.521-524.
[16] Wagner D A, Foster J S, Brewer E A, Aiken A. A first step towards automated detection of buffer overrun vulnerabilities. In Proc. the 7th Network and Distributed System Security Symposium, February 2000, Article No. 1.
[17] Situ L, Zou L, Wang L, Liu Y, Mao B, Li X. Detecting missing checks for identifying insufficient attack protections. In Proc. the 40th Int. Conference on Software Engineering, May 2018, pp.238-239.
[18] Ming J, Wu D, Xiao G, Wang J, Liu P. TaintPipe:Pipelined symbolic taint analysis. In Proc. the 24th USENIX Security Symposium, August 2015, pp.65-80.
[19] Cadar C, Sen K. Symbolic execution for software testing:Three decades later. Commun. ACM, 2013, 56(2):82-90.
[20] Li Y, Su Z, Wang L, Li X. Steering symbolic execution to less traveled paths. In Proc. the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications, October 2013, pp.19-32.
[21] Majumdar R, Sen K. Hybrid concolic testing. In Proc. the 29th Int. Conference on Software Engineering, May 2007, pp.416-426.
[22] Seo H, Kim S. How we get there:A context-guided search strategy in concolic testing. In Proc. the 22nd Int. Symposium on Foundations of Software Engineering, November 2014, pp.413-424.
[23] Bérard B, Bidoit M, Finkel A, Laroussinie F, Petit A, Petrucci L, Schnoebelen P, McKenzie P. Systems and Software Verification:Model-Checking Techniques and Tools. Springer, 2001.
[24] Situ L, Zhao L. CSP bounded model checking of preprocessed CTL extended with events using answer set programming. In Proc. the 2015 Asia-Pacific Software Engineering Conference, December 2015, pp.16-23.
[25] Sutton M, Greene A, Amini P. Fuzzing:Brute Force Vulnerability Discovery (1st edition). Addison-Wesley Professional, 2007.
[26] Stephens N, Grosen J, Salls C et al. Driller:Augmenting fuzzing through selective symbolic execution. In Proc. the 23rd Annual Network and Distributed System Security Symposium, February 2016, Article No. 28.
[27] Yamaguchi F, Wressnegger C, Gascon H et al. Chucky:Exposing missing checks in source code for vulnerability discovery. In Proc. the 2013 ACM SIGSAC Conference on Computer & Communications Security, November 2013, pp.499-510.
[28] Son S, McKinley K S, Shmatikov V. RoleCast:Finding missing security checks when you do not know what checks are. In Proc. the 26th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, October 2011, pp.1069-1084.
[29] Lattner C. LLVM and Clang:Next generation compiler technology., July 2019.
[30] Ryder B G. Constructing the call graph of a program. IEEE Trans. Software Engineering, 1979, 5(3):216-226.
[31] Stanier J, Watson D. Intermediate representations in imperative compilers:A survey. ACM Computing Surveys, 2013, 45(3):Article No. 26.
[32] Pendleton M, Garcia-Lebron R, Cho J H, Xu S. A survey on systems security metrics. ACM Computing Surveys, 2017, 49(4):Article No. 62.
[33] Gao F, Chen T, Wang Y, Situ L, Wang L, Li X. Carraybound:Static array bounds checking in C programs based on taint analysis. In Proc. the 8th Int. Asia-Pacific Symposium on Internetware, September 2016, pp.81-90.
[34] Ceara D, Potet M L, Ensimag G I, Mounier, L. Detecting software vulnerabilities-static taint analysis., July 2019.
[35] Lalande J F, Heydemann K, Berthomé P. Software countermeasures for control flow integrity of smart card C codes. In Proc. the 19th European Symposium on Research in Computer Security, Sept. 2014, pp.200-2018.
[36] Kang M G, McCamant S, Poosankam P, Dawn S. DTA++:Dynamic taint analysis with targeted control-flow propagation. In Proc. the 18th Network and Distributed System Security Symposium, February 2011, Article No. 15.
[37] Li L, Bartel A, Klein J, Traon Y L, Arzt S, Rasthofer S, Bodden E, Octeau D, Mcdaniel P. I know what leaked in your pocket:Uncovering privacy leaks on Android Apps with static taint analysis. arXiv:1404.7431, 2014., June 2019.
[38] Schwartz E J, Avgerinos T, Brumley D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proc. the 31st IEEE Symposium on Security and Privacy, May 2010, pp.317-331.
[39] Clause J, Li W, Orso A. Dytan:A generic dynamic taint analysis framework. In Proc. the 16th ACM/SIGSOFT Int. Symposium on Software Testing and Analysis, July 2007, pp.196-206.
[40] Jovanovic N, Krüegel C, Kirda E. Pixy:A static analysis tool for detecting Web application vulnerabilities (Short Paper). In Proc. the 27th IEEE Symposium on Security and Privacy, May 2006, pp.258-263.
[41] Chang R, Jiang G, Ivancic F, Sankaranarayanan S, Shmatikov V. Inputs of coma:Static detection of denial-ofservice vulnerabilities. In Proc. the 22nd IEEE Computer Security Foundations Symposium, July 2009, pp.186-199.
[42] Kremenek T, Engler D. Z-Ranking:Using statistical analysis to counter the impact of static analysis approximations. In Proc. the 10th Int. Symposium on Static Analysis, June 2003, pp.295-315.
[43] Kim S, Ernst M D. Prioritizing warning categories by analyzing software history. In Proc. the 4th Workshop on Mining Software Repositories, May 2007, pp.27-31.
[44] Ha J, Rossbach C J, Davis J V, Roy I, Ramadan H E, Porter D E, Chen D L, Witchel E. Improved error reporting for software that uses black-box components. In Proc. the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2007, pp.101-111.
[45] Situ L, Wang L, Liu Y, Mao B, Li X. Vanguard:Detecting missing checks for prognosing potential vulnerabilities. In Proc. the 10th Asia-Pacific Symposium on Internetware, September 2018, Article No. 5.
[46] Goues L C, Nguyen T V, Forrest S et al. GenProg:A generic method for automatic software repair. IEEE Trans. Software Engineering, May 2011, 38(1):54-72.
[47] Qi Y, Mao X, Lei Y, Dai Z, Wang C. The strength of random search on automated program repair. In Proc. the 36th Int. Conference on Software Engineering, May 2014, pp.254-265.
[48] Xiong Y, Wang J, Yan R, Zhang J, Han S, Huang G, Zhang L. Precise condition synthesis for program repair. In Proc. the 39th Int. Conference on Software Engineering, May 2017, pp.416-426.
[49] Tan S H, Roychoudhury A. Relifix:Automated repair of software regressions. In Proc. the 37th IEEE/ACM International Conference on Software Engineering, May 2015, pp.471-482.
[50] Nguyen H D T, Qi D, Roychoudhury A, Chandra S. SemFix:Program repair via semantic analysis. In Proc. the 35th Int. Conference on Software Engineering, May 2013, pp.772-781.
[51] Mechtaev S, Yi J, Roychoudhury A. Angelix:Scalable multiline program patch synthesis via symbolic analysis. In Proc. the 38th Int. Conference on Software Engineering, May 2016, pp.691-701.
[52] Le X B D, Chu D H, Lo D, Le G C, Visser W. JFIX:Semantics-based repair of Java programs via symbolic PathFinder. In Proc. the 26th ACM SIGSOFT Int. Symposium on Software Testing and Analysis, July 2017, pp.376-379.
[53] Gupta R, Pal S, Kanade A, Shevade S. DeepFix:Fixing common C language errors by deep learning. In Proc. the 31st AAAI Conference on Artificial Intelligence, February 2017, pp.1345-1351.
[54] Wang C, Jiang Y, Zhao X, Song X, Gu M. Weak-Assert:A weakness-oriented assertion recommendation toolkit for program analysis. In Proc. the 40th Int. Conference on Software Engineering, May 2018, pp.69-72.
[1] Gen Zhang, Peng-Fei Wang, Tai Yue, Xu Zhou, Kai Lu. MEBS: Uncovering Memory Life-Cycle Bugs in Operating System Kernels [J]. Journal of Computer Science and Technology, 2021, 36(6): 1248-1268.
[2] Ling-Yun Situ, Zhi-Qiang Zuo, Le Guan, Lin-Zhang Wang, Xuan-Dong Li, Jin Shi, Peng Liu. Vulnerable Region-Aware Greybox Fuzzing [J]. Journal of Computer Science and Technology, 2021, 36(5): 1212-1228.
[3] Jung-Been Lee, Taek Lee, Hoh Peter In. Topic Modeling Based Warning Prioritization from Change Sets of Software Repository [J]. Journal of Computer Science and Technology, 2020, 35(6): 1461-1479.
[4] Feng-Juan Gao, Yu Wang, Lin-Zhang Wang, Zijiang Yang, Xuan-Dong Li. Automatic Buffer Overflow Warning Validation [J]. Journal of Computer Science and Technology, 2020, 35(6): 1406-1427.
[5] Gökçer Peynirci, Mete Eminaǧaoǧlu, Korhan Karabulut. Feature Selection for Malware Detection on the Android Platform Based on Differences of IDF Values [J]. Journal of Computer Science and Technology, 2020, 35(4): 946-962.
[6] Ming-Zhe Zhang, Yun-Zhan Gong, Ya-Wen Wang, Da-Hai Jin. Unit Test Data Generation for C Using Rule-Directed Symbolic Execution [J]. Journal of Computer Science and Technology, 2019, 34(3): 670-689.
[7] Ji Wang, Senior Member, CCF, Xiao-Dong Ma, Wei Dong, Hou-Feng Xu, and Wan-Wei Liu, Member, CCF. Demand-Driven Memory Leak Detection Based on Flow- and Context-Sensitive Pointer Analysis [J]. , 2009, 24(2): 347-356.
[8] ZHANG WenHui . Combining Static Analysis and Case-Based Search Space Partitioning for Reducing Peak Memory in Model Checking [J]. , 2003, 18(6): 0-0.
[9] LIAO Husheng;. An Action Analysis for Combining Partial Evaluation [J]. , 2000, 15(2): 196-201.
[10] Qu Yuzhong; Wang Zhijian; Xu Jiafu;. Denotational Semantics of a Simple Model of Eiffel [J]. , 1995, 10(3): 214-226.
Full text



[1] Zhang Bo; Zhang Ling;. Statistical Heuristic Search[J]. , 1987, 2(1): 1 -11 .
[2] Meng Liming; Xu Xiaofei; Chang Huiyou; Chen Guangxi; Hu Mingzeng; Li Sheng;. A Tree-Structured Database Machine for Large Relational Database Systems[J]. , 1987, 2(4): 265 -275 .
[3] Lin Qi; Xia Peisu;. The Design and Implementation of a Very Fast Experimental Pipelining Computer[J]. , 1988, 3(1): 1 -6 .
[4] Sun Chengzheng; Tzu Yungui;. A New Method for Describing the AND-OR-Parallel Execution of Logic Programs[J]. , 1988, 3(2): 102 -112 .
[5] Zhang Bo; Zhang Tian; Zhang Jianwei; Zhang Ling;. Motion Planning for Robots with Topological Dimension Reduction Method[J]. , 1990, 5(1): 1 -16 .
[6] Wang Dingxing; Zheng Weimin; Du Xiaoli; Guo Yike;. On the Execution Mechanisms of Parallel Graph Reduction[J]. , 1990, 5(4): 333 -346 .
[7] Zhou Quan; Wei Daozheng;. A Complete Critical Path Algorithm for Test Generation of Combinational Circuits[J]. , 1991, 6(1): 74 -82 .
[8] Zhao Jinghai; Liu Shenquan;. An Environment for Rapid Prototyping of Interactive Systems[J]. , 1991, 6(2): 135 -144 .
[9] Shang Lujun; Xu Lihui;. Notes on the Design of an Integrated Object-Oriented DBMS Family[J]. , 1991, 6(4): 389 -394 .
[10] Xu Jianguo; Gou Yuchai; Lin Zongkai;. HEPAPS:A PCB Automatic Placement System[J]. , 1992, 7(1): 39 -46 .

ISSN 1000-9000(Print)

CN 11-2296/TP

Editorial Board
Author Guidelines
Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
  Copyright ©2015 JCST, All Rights Reserved