Improving software security with a C pointer analysis

This paper presents a context-sensitive, inclusion-based, field-sensitive points-to analysis for C, which we use to detect and prevent program security vulnerabilities. In addition to a conservative points-to analysis, we propose an optimistic analysis that assumes a more restricted C semantics reflecting common C usage in order to increase the precision of the analysis. Using the proposed pointer alias analyses, we infer the types of variables in C programs and show that most C variables are used in a manner consistent with their declared types. We show that pointer analysis can be used to reduce the overhead of a dynamic string-buffer overflow detector by 30% to 100% among applications with significant overheads. Finally, using pointer analysis, we statically discover twelve actual format string vulnerabilities in three of the 12 programs we analyze.