A Comprehensive Detection of Memory Corruption Vulnerabilities for C/C++ Programs

Cited by: 7
Authors
Gao, Yuhan [1 ,2 ]
Chen, Liwei [1 ]
Shi, Gang [1 ]
Zhang, Fei [1 ,2 ]
Affiliations
[1] Chinese Acad Sci, Inst Informat Engn, Beijing, Peoples R China
[2] Univ Chinese Acad Sci, Sch Cyber Secur, Beijing, Peoples R China
Source
2018 IEEE INT CONF ON PARALLEL & DISTRIBUTED PROCESSING WITH APPLICATIONS, UBIQUITOUS COMPUTING & COMMUNICATIONS, BIG DATA & CLOUD COMPUTING, SOCIAL COMPUTING & NETWORKING, SUSTAINABLE COMPUTING & COMMUNICATIONS | 2018
Funding
National Natural Science Foundation of China;
Keywords
memory corruption; vulnerability detection; static analysis; unsafe operations;
DOI
10.1109/BDCloud.2018.00062
Chinese Library Classification number
TP3 [Computing technology, computer technology];
Discipline classification code
0812 ;
Abstract
Memory corruption bugs in software written in low-level languages like C or C++ are one of the oldest problems in computer security. These unsafe languages are vulnerable to errors relating to the misuse of memory, such as buffer overflows and use-after-free. Exploiting these vulnerabilities allows attackers to tamper with or even take full control of the program. In this paper, we propose a lightweight and comprehensive vulnerability detection approach for memory corruption defects in programs written in C or C++. The approach is based on identification of the unsafe operations in source code, including both invalid memory writes and reads. Supported by flow-sensitive points-to analysis with LLVM and Datalog, and by information extracted from the abstract syntax tree, our method can analyze the potential memory corruption vulnerabilities in the source code. We evaluate our approach against the SPEC 2006 benchmark suite and the Juliet test suite. We also show that the approach achieves high compatibility and reasonable overheads for detection.
Pages: 354 / 360
Number of pages: 7
Related papers
50 in total
  • [31] Detecting Exception Handling Bugs in C++ Programs
    Zhang, Hao
    Luo, Ji
    Hu, Mengze
    Yan, Jun
    Zhang, Jian
    Qiu, Zongyan
    2023 IEEE/ACM 45TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING, ICSE, 2023, : 1084 - 1095
  • [32] Static Integration of SQL Queries in C++ Programs
    Sysak, Maciej
    Zielinski, Bartosz
    Kruszynski, Piotr
    Sobieski, Scibor
    Maslanka, Pawel
    ADVANCES IN DATABASES AND INFORMATION SYSTEMS (ADBIS 2014), 2014, 8716 : 126 - 138
  • [33] MARX: Uncovering Class Hierarchies in C++ Programs
    Pawlowski, Andre
    Contag, Moritz
    van der Veen, Victor
    Ouwehand, Chris
    Holz, Thorsten
    Bos, Herbert
    Athanasopoulos, Elias
    Giuffrida, Cristiano
    24TH ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS 2017), 2017,
  • [34] Reconstruction of Class Hierarchies for Decompilation of C++ Programs
    Fokin, A.
    Troshina, K.
    Chernov, A.
    14TH EUROPEAN CONFERENCE ON SOFTWARE MAINTENANCE AND REENGINEERING (CSMR 2010), 2010, : 240 - 243
  • [35] ABOR: An Automatic Framework for Buffer Overflow Removal in C/C++ Programs
    Ding, Sun
    Tan, Hee Beng Kuan
    Zhang, Hongyu
    ENTERPRISE INFORMATION SYSTEMS, ICEIS 2014, 2015, 227 : 204 - 221
  • [36] An Architectural Smells Detection Tool for C and C++ projects
    Biaggi, Andrea
    Fontana, Francesca Arcelli
    Roveda, Riccardo
    44TH EUROMICRO CONFERENCE ON SOFTWARE ENGINEERING AND ADVANCED APPLICATIONS (SEAA 2018), 2018, : 417 - 420
  • [37] MagicDetector: A Precise and Scalable Static Deadlock Detector for C/C++ Programs
    Cao, Huaxiong
    Gu, Naijie
    Du, Yunkai
    ARABIAN JOURNAL FOR SCIENCE AND ENGINEERING, 2016, 41 (12) : 5149 - 5167
  • [38] HATI: Hardware Assisted Thread Isolation for Concurrent C/C++ Programs
    Santos, Juan Carlos Martinez
    Fei, Yunsi
    PROCEEDINGS OF 2014 IEEE INTERNATIONAL PARALLEL & DISTRIBUTED PROCESSING SYMPOSIUM WORKSHOPS (IPDPSW), 2014, : 322 - 331
  • [39] Automatic Test Generation for C and C++ Programs, Using Symbolic Execution
    Yoshida, Hiroaki
    Li, Guodong
    Kamiya, Takuki
    Ghosh, Indradeep
    Rajan, Sreeranga
    Tokumoto, Susumu
    Munakata, Kazuki
    Uehara, Tadahiro
    IEEE SOFTWARE, 2017, 34 (05) : 30 - 37
  • [40] Design and implementation of a C++ memory leak detection tool based on dynamic instrumentation
    Zhou, Liang
    Fu, Siran
    Guo, Tao
    Han, Lifang
    Cui, Baojiang
    2016 10TH INTERNATIONAL CONFERENCE ON INNOVATIVE MOBILE AND INTERNET SERVICES IN UBIQUITOUS COMPUTING (IMIS), 2016, : 149 - 153