SPATA: Effective OS Bug Detection with Summary-Based, Alias-Aware, and Path-Sensitive Typestate Analysis
Authors: 
Tuo Li, Jia-Ju Bai, Yulei Sui, 
Shi-Min HuAuthors Info & Claims
Tuo Li, Jia-Ju Bai, Yulei Sui, Shi-Min HuAuthors Info & ClaimsArticle No.: 9, Pages 1 - 40
Abstract
The operating system (OS) is the cornerstone for computer systems. It manages hardware and provides fundamental service for user-level applications. Thus, detecting bugs in OSes is important to improve the reliability of computer systems. Static typestate analysis is a common technique for detecting various types of bugs, but it is often inaccurate or unscalable for large-size OS code, due to imprecision of identifying alias relationships as well as high costs of typestate tracking, path-feasibility validation, and inter-procedural analysis.
In this article, we present SPATA, a novel summary-based, alias-aware, and path-sensitive typestate analysis framework to detect OS bugs. To identify precise alias relationships in the OS code, SPATA performs a path-based alias analysis based on control-flow paths and access paths. With these alias relationships, SPATA reduces the costs of typestate tracking and path-feasibility validation, to accelerate path-sensitive typestate analysis for accurate bug detection. Moreover, SPATA uses an alias-summary-based analysis to accelerate inter-procedural bug detection, without time-consuming alias analysis across functions. We have evaluated SPATA on the Linux kernel and three popular IoT OSes, and it finds 651 real bugs with a false-positive rate of 18%. Besides, our alias-summary-based analysis achieves a 6.7x speedup in bug detection compared to non-summary-based analysis.
References
[1]
Bowen Alpern, Mark N. Wegman, and F. Kenneth Zadeck. 1988. Detecting equality of variables in programs. In Proceedings of the 15th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’88). 1–11.
[2]
Lars Ole Andersen. 1994. Program Analysis and Specialization for the C Programming Language. Ph. D. Dissertation. University of Copenhagen.
[3]
Marcelo Arroyo, Francisco Chiotta, and Francisco Bavera. 2016. An user configurable clang static analyzer taint checker. In Proceedings of the 35th International Conference of the Chilean Computer Science Society (SCCC ’16). 1–12.
[4]
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proceedings of the 35th International Conference on Programming Language Design and Implementation (PLDI ’14). 259–269.
[5]
John Aycock and Nigel Horspool. 2000. Simple generation of static single-assignment form. In Proceedings of the 9th International Conference on Compiler Construction (CC ’00). 110–125.
[6]
Jia-Ju Bai, Julia Lawall, Qiu-Liang Chen, and Shi-Min Hu. 2019. Effective static analysis of concurrency use-after-free bugs in Linux device drivers. In Proceedings of the 2019 USENIX Annual Technical Conference (ATC ’19). 255–268. https://www.usenix.org/system/files/atc19-bai.pdf
[7]
Jia-Ju Bai, Julia Lawall, and Shi-Min Hu. 2020. Effective detection of sleep-in-atomic-context bugs in the Linux kernel. ACM Transactions on Computer Systems 36, 4 (2020), 1–30.
[8]
Jia-Ju Bai, Tuo Li, and Shi-Min Hu. 2022. DLOS: Effective static detection of deadlocks in OS kernels. In Proceedings of the 2022 USENIX Annual Technical Conference (ATC ’22). 367–382. https://www.usenix.org/system/files/atc22-bai.pdf
[9]
Jia-Ju Bai, Yu-Ping Wang, Jie Yin, and Shi-Min Hu. 2016. Testing error handling code in device drivers using characteristic fault injection. In Proceedings of the 2016 USENIX Annual Technical Conference (ATC ’16). 635–647. https://www.usenix.org/system/files/conference/atc16/atc16_paper-bai.pdf
[10]
George Balatsouras, Kostas Ferles, George Kastrinis, and Yannis Smaragdakis. 2017. A datalog model of must-alias analysis. In Proceedings of the 6th International Workshop on State of the Art in Program Analysis. 7–12.
[11]
Thomas Ball, Ella Bounimova, Rahul Kumar, and Vladimir Levin. 2010. SLAM2: Static driver verification with under 4% false alarms. In Proceedings of the 2010 International Conference on Formal Methods in Computer-Aided Design (FMCAD ’10). 35–42. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5770931
[12]
Mohamad Barbar and Yulei Sui. 2021. Compacting points-to sets through object clustering. In Proceedings of the 2021 International Conference on Object-Oriented Programming Systems Languages and Applications (OOPSLA ’21). 1–27.
[13]
Mohamad Barbar, Yulei Sui, and Shiping Chen. 2020. Flow-sensitive type-based heap cloning. In Proceedings of the 34th European Conference on Object-Oriented Programming (ECOOP ’20). Article 24, 26 pages.
[14]
Petr Bauch, Vojtěch Havel, and Jiří Barnat. 2014. LTL model checking of LLVM bitcode with symbolic data. In Proceedings of the 2014 International Doctoral Workshop on Mathematical and Engineering Methods in Computer Science (MEMICS ’14). 47–59.
[15]
Alexey Borodin. 2014. Summary based static analysis for practical search for defects in C programs and libraries. In Proceedings of the 2014 IEEE 7th International Conference on Software Testing, Verification, and Validation Workshops (ICST ’14). 231–232.
[16]
Cristian Cadar, Daniel Dunbar, and Dawson R. Engler. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th International Symposium on Operating Systems Design and Implementation (OSDI ’08). 209–224. https://www.usenix.org/legacy/event/osdi08/tech/full_papers/cadar/cadar.pdf
[17]
Ben-Chung Cheng and Wen-Mei W. Hwu. 2000. Modular interprocedural pointer analysis using access paths: Design, implementation, and evaluation. In Proceedings of the 21st International Conference on Programming Language Design and Implementation (PLDI ’00). 57–69.
[18]
Sigmund Cherem, Lonnie Princehouse, and Radu Rugina. 2007. Practical memory leak detection using guarded value-flow analysis. In Proceedings of the 28th International Conference on Programming Language Design and Implementation (PLDI ’07). 480–491.
[19]
Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2011. S2E: A platform for in-vivo multi-path analysis of software systems. In Proceedings of the 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS ’11). 265–278.
[20]
Clang. 2021. Clang: An LLVM-based C/C++ Compiler. Retrieved September 9, 2024 from http://clang.llvm.org/
[21]
CLOC. 2021. CLOC: Count Lines of Code. Retrieved September 9, 2024 from https://cloc.sourceforge.net
[22]
Kai Cong, Li Lei, Zhenkun Yang, and Fei Xie. 2015. Automatic fault injection for driver robustness testing. In Proceedings of the 2015 International Symposium on Software Testing and Analysis (ISSTA ’15). 361–372.
[23]
Kai Cong, Fei Xie, and Li Lei. 2013. Symbolic execution of virtual devices. In Proceedings of the 13th International Conference on Quality Software. 1–10.
[24]
Jake Corina, Aravind Machiry, Christopher Salls, Yan Shoshitaishvili, Shuang Hao, Christopher Kruegel, and Giovanni Vigna. 2017. DIFUZE: Interface aware fuzzing for kernel drivers. In Proceedings of the 24th International Conference on Computer and Communications Security (CCS ’17). 2123–2138.
[25]
Coverity. 2021. Coverity: A Commercial Static Analysis Tool. Retrieved September 9, 2024 from https://scan.coverity.com/
[26]
GitHub. 2021. Coverity Reports for Linux Kernel. Retrieved September 9, 2024 from https://github.com/torvalds/linux/search?q=coverity&type=commits
[27]
GitHub. 2021. Coverity Reports for Zephyr Project. Retrieved September 9, 2024 from https://github.com/zephyrproject-rtos/zephyr/labels/Coverity
[28]
Cppcheck. 2021. Cppcheck: A Tool for Static C/C++ Code Analysis. Retrieved September 9, 2024 from http://cppcheck.sourceforge.net/
[29]
Clang. 2021. Clang Static Analyzer. Retrieved September 9, 2024 from https://clang-analyzer.llvm.org/
[30]
Ron Cytron, Jeanne Ferrante, Barry K. Rosen, Mark N. Wegman, and F. Kenneth Zadeck. 1991. Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems 13, 4 (1991), 451–490.
[31]
Manuvir Das. 2000. Unification-based pointer analysis with directional assignments. In Proceedings of the 21st International Conference on Programming Language Design and Implementation (PLDI ’00). 35–46.
[32]
Manuvir Das, Sorin Lerner, and Mark Seigle. 2002. ESP: Path-sensitive program verification in polynomial time. In Proceedings of the 23rd International Conference on Programming Language Design and Implementation (PLDI ’02). 57–68.
[33]
Alain Deutsch. 1994. Interprocedural may-alias analysis for pointers: Beyond k-limiting. In Proceedings of the 15th International Conference on Programming Language Design and Implementation (PLDI ’94). 230–241.
[34]
Dinakar Dhurjati, Manuvir Das, and Yue Yang. 2006. Path-sensitive dataflow analysis with iterative refinement. In Proceedings of the 13th International Static Analysis Symposium (SAS ’06). 425–442.
[35]
Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem. 2000. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the 4th International Symposium on Operating System Design (OSDI ’00). 1–16. https://www.usenix.org/legacy/events/osdi2000/engler/engler.pdf
[36]
Gang Fan, Rongxin Wu, Qingkai Shi, Xiao Xiao, Jinguo Zhou, and Charles Zhang. 2019. Smoke: Scalable path-sensitive memory leak detection for millions of lines of code. In Proceedings of the 41st International Conference on Software Engineering (ICSE ’19). 72–82.
[37]
Yu Feng, Xinyu Wang, Isil Dillig, and Thomas Dillig. 2015. Bottom-up context-sensitive pointer analysis for Java. In Proceedings of the 2015 Asian Symposium on Programming Languages and Systems (APLAS ’15). 465–484.
[38]
Stephen Fink, Eran Yahav, Nurit Dor, G. Ramalingam, and Emmanuel Geay. 2006. Effective typestate verification in the presence of aliasing. In Proceedings of the 2006 International Symposium on Software Testing and Analysis (ISSTA ’06). 133–144.
[39]
Bolei Guo, Neil Vachharajani, and David I. August. 2007. Shape analysis with inductive recursion synthesis. In Proceedings of the 28th International Conference on Programming Language Design and Implementation (PLDI ’07). 256–265.
[40]
Seth Hallem, Benjamin Chelf, Yichen Xie, and Dawson Engler. 2002. A system and language for building system-specific, static analyses. In Proceedings of the 23rd International Conference on Programming Language Design and Implementation (PLDI ’02). 69–82.
[41]
Ben Hardekopf and Calvin Lin. 2009. Semi-sparse flow-sensitive pointer analysis. In Proceedings of the 36th International Symposium on Principles of Programming Languages (POPL ’09). 226–238.
[42]
Ben Hardekopf and Calvin Lin. 2011. Flow-sensitive pointer analysis for millions of lines of code. In Proceedings of the 2011 International Symposium on Code Generation and Optimization (CGO ’11). 289–298.
[43]
Dominik Harmim, Vladimır Marcin, and Ondrej Pavela. 2019. Scalable static analysis using Facebook Infer. In Proceedings of theExcel@ FIT19 Conference. https://excel.fit.vutbr.cz/submissions/2019/059/59.pdf
[44]
Nevin Heintze and Olivier Tardieu. 2001. Ultra-fast aliasing analysis using CLA: A million lines of C code in a second. In Proceedings of the 22nd International Conference on Programming Language Design and Implementation (PLDI ’01). 254–263.
[45]
Michael Hind, Michael Burke, Paul Carini, and Jong-Deok Choi. 1999. Interprocedural pointer alias analysis. ACM Transactions on Programming Languages and Systems 21, 4 (1999), 848–894.
[46]
Infer. 2021. Facebook Infer: A Tool to Detect Bugs in Java and C/C++/Objective-C Code. Retrieved September 9, 2024 from https://fbinfer.com/
[47]
Suresh Jagannathan, Peter Thiemann, Stephen Weeks, and Andrew Wright. 1998. Single and loving it: Must-alias analysis for higher-order languages. In Proceedings of the 25th International Symposium on Principles of Programming Languages (POPL ’98). 329–341.
[48]
Xiujuan Ji, Jufeng Yang, Jing Xu, Lei Feng, and Xiaohong Li. 2012. Interprocedural path-sensitive resource leaks detection for C programs. In Proceedings of the 4th Asia-Pacific Symposium on Internetware. 1–9.
[49]
Zu-Ming Jiang, Jia-Ju Bai, Julia Lawall, and Shi-Min Hu. 2019. Fuzzing error handling code in device drivers based on software fault injection. In Proceedings of the 30th International Symposium on Software Reliability Engineering (ISSRE ’19). 128–138.
[50]
Vineet Kahlon. 2008. Bootstrapping: A technique for scalable flow and context-sensitive pointer alias analysis. In Proceedings of the 29th International Conference on Programming Language Design and Implementation (PLDI ’08). 249–259.
[51]
Vineet Kahlon, Yu Yang, Sriram Sankaranarayanan, and Aarti Gupta. 2007. Fast and accurate static data-race detection for concurrent programs. In Proceedings of the 19th International Conference on Computer Aided Verification (CAV ’07). 226–239.
[52]
Hyun-Goo Kang and Taisook Han. 2009. A bottom-up pointer analysis using the update history. Information and Software Technology 51, 4 (2009), 691–707.
[53]
George Kastrinis, George Balatsouras, Kostas Ferles, Nefeli Prokopaki-Kostopoulou, and Yannis Smaragdakis. 2018. An efficient data structure for must-alias analysis. In Proceedings of the 27th International Conference on Compiler Construction (CC ’18). 48–58.
[54]
Seulbae Kim, Meng Xu, Sanidhya Kashyap, Jungyeon Yoon, Wen Xu, and Taesoo Kim. 2019. Finding semantic bugs in file systems with an extensible fuzzing framework. In Proceedings of the 27th International Symposium on Operating Systems Principles (SOSP ’19). 147–161.
[55]
Youil Kim, Jooyong Lee, Hwansoo Han, and Kwang-Moo Choe. 2010. Filtering false alarms of buffer overflow analysis using SMT solvers. Information and Software Technology 52, 2 (2010), 210–219.
[56]
Goh Kondoh and Tamiya Onodera. 2008. Finding bugs in Java native interface programs. In Proceedings of the 2008 International Symposium on Software Testing and Analysis (ISSTA ’08). 109–118.
[57]
Volodymyr Kuznetsov, Vitaly Chipounov, and George Candea. 2010. Testing closed-source binary device drivers with DDT. In Proceedings of the 2010 USENIX Annual Technical Conference (ATC ’10). 1–14. https://www.usenix.org/legacy/event/atc10/tech/full_papers/Kuznetsov.pdf
[58]
Chris Lattner, Andrew Lenharth, and Vikram Adve. 2007. Making context-sensitive points-to analysis with heap cloning practical for the real world. In Proceedings of the 28th International Conference on Programming Language Design and Implementation (PLDI ’07). 278–289.
[59]
Yuxiang Lei and Yulei Sui. 2019. Fast and precise handling of positive weight cycles for field-sensitive pointer analysis. In Proceedings of the 26th International Static Analysis Symposium (SAS ’19). 27–47.
[60]
Tuo Li, Jia-Ju Bai, Yulei Sui, and Shi-Min Hu. 2022. Path-sensitive and alias-aware typestate analysis for detecting OS bugs. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS ’22). 859–872.
[61]
LLVM. 2021. The LLVM Compiler Infrastructure. Retrieved September 9, 2024 from https://llvm.org/
[62]
Kangjie Lu and Hong Hu. 2019. Where does it go? Refining indirect-call targets with multi-layer type analysis. In Proceedings of the 26th International Conference on Computer and Communications Security (CCS ’19). 1867–1881.
[63]
Kangjie Lu, Aditya Pakki, and Qiushi Wu. 2019. Detecting missing-check bugs via semantic-and context-aware criticalness and constraints inferences. In Proceedings of the 28th USENIX Security Symposium. 1769–1786. https://www.usenix.org/system/files/sec19-lu.pdf
[64]
Florian Merz, Stephan Falke, and Carsten Sinz. 2012. LLBMC: Bounded model checking of C and C++ programs using a compiler IR. In Proceedings of the 2012 International Conference on Verified Software: Tools, Theories, Experiments (VSTTE ’12). 146–161.
[65]
Ana Milanova, Atanas Rountev, and Barbara G. Ryder. 2004. Precise call graphs for C programs with function pointers. Automated Software Engineering 11, 1 (2004), 7–26.
[66]
Rashmi Mudduluru and Murali Krishna Ramanathan. 2014. Efficient incremental static analysis using path abstraction. In Proceedings of the 2014 International Conference on Fundamental Approaches to Software Engineering (FASE ’14). 125–139.
[67]
Erik M. Nystrom, Hong-Seok Kim, and Wen-Mei W. Hwu. 2004. Bottom-up and top-down context-sensitive summary-based pointer analysis. In Proceedings of the 11th International Static Analysis Symposium (SAS ’04). 165–180.
[68]
Yoann Padioleau, Julia Lawall, René Rydhof Hansen, and Gilles Muller. 2008. Documenting and automating collateral evolutions in Linux device drivers. In Proceedings of the 3rd European Conference on Computer Systems (EuroSys ’08). 247–260.
[69]
Sebastian Poeplau and Aurélien Francillon. 2020. Symbolic execution with SymCC: Don’t interpret, compile! In Proceedings of the 30th USENIX Security Symposium. 181–198. https://www.usenix.org/system/files/sec20-poeplau.pdf
[70]
Xiao Qing, Yang Zhao Hong, and Gong Yun Zhan. 2010. A method of detecting vulnerability defects based on static analysis. In Proceedings of the 2010 International Forum on Information Technology and Applications (IFITA ’10), Vol. 3. 365–368.
[71]
David A. Ramos and Dawson Engler. 2015. Under-constrained symbolic execution: Correctness checking for real code. In Proceedings of the 24th USENIX Security Symposium. 49–64. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-ramos.pdf
[72]
Matthew J. Renzelmann, Asim Kadav, and Michael M. Swift. 2012. SymDrive: Testing drivers without devices. In Proceedings of the 10th International Symposium on Operating Systems Design and Implementation (OSDI ’12). 279–292. https://www.usenix.org/system/files/conference/osdi12/osdi12-final-4.pdf
[73]
RIOT. 2021. RIOT: A Real-Time Multi-Threading Operating System. Retrieved September 9, 2024 from https://github.com/RIOT-OS/RIOT
[74]
Philipp Dominik Schubert, Ben Hermann, and Eric Bodden. 2021. Lossless, persisted summarization of static callgraph, points-to and data-flow analysis. In Proceedings of the 35th European Conference on Object-Oriented Programming (ECOOP ’21). Article 2, 31 pages.
[75]
Sergej Schumilo, Cornelius Aschermann, Robert Gawlik, Sebastian Schinzel, and Thorsten Holz. 2017. kAFL: Hardware-assisted feedback fuzzing for OS kernels. In Proceedings of the 26th USENIX Security Symposium. 167–182. https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf
[76]
GitHub. 2021. Project to Study Faults in Linux. Retrieved September 9, 2024 from https://github.com/coccinelle/faults-in-Linux
[77]
Lei Shang, Xinwei Xie, and Jingling Xue. 2012. On-demand dynamic summary-based points-to analysis. In Proceedings of the 2012 International Symposium on Code Generation and Optimization (CGO ’12). 264–274.
[78]
V. Shakti D. Shekar, B. B. Meshram, and M. P. Varshapriya. 2012. Device driver fault simulation using KEDR. International Journal of Advanced Research in Computer Engineering and Technology 1, 4 (2012), 580–584.
[79]
Qingkai Shi, Rongxin Wu, Gang Fan, and Charles Zhang. 2020. Conquering the extensional scalability problem for value-flow analysis frameworks. In Proceedings of the 42nd International Conference on Software Engineering (ICSE ’20). 812–823.
[80]
Qingkai Shi, Xiao Xiao, Rongxin Wu, Jinguo Zhou, Gang Fan, and Charles Zhang. 2018. Pinpoint: Fast and precise sparse value flow analysis for million lines of code. In Proceedings of the 39th International Conference on Programming Language Design and Implementation (PLDI ’18). 693–706.
[81]
Qingkai Shi, Peisen Yao, Rongxin Wu, and Charles Zhang. 2021. Path-sensitive sparse analysis without path conditions. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI ’21). 930–943.
[82]
Smatch. 2021. Smatch: A Static Bug-Finding Tool for C. Retrieved September 9, 2024 from http://smatch.sourceforge.net/
[83]
Robert E. Strom and Shaula Yemini. 1986. Typestate: A programming language concept for enhancing software reliability. IEEE Transactions on Software Engineering 1, 1 (1986), 157–171.
[84]
Yulei Sui, Peng Di, and Jingling Xue. 2016. Sparse flow-sensitive pointer analysis for multithreaded programs. In Proceedings of the 2016 International Symposium on Code Generation and Optimization (CGO ’16). 160–170.
[85]
Yulei Sui, Xiaokang Fan, Hao Zhou, and Jingling Xue. 2018. Loop-oriented pointer analysis for automatic SIMD vectorization. ACM Transactions on Embedded Computing Systems 17, 2 (2018), 1–31.
[86]
Yulei Sui, Ding Ye, and Jingling Xue. 2014. Detecting memory leaks statically with full-sparse value-flow analysis. IEEE Transactions on Software Engineering 40, 2 (2014), 107–122.
[87]
GitHub. 2021. SVF Wiki. Retrieved September 9, 2024 from https://github.com/SVF-tools/SVF/wiki/Detecting-memory-leaks
[88]
Syzkaller. 2021. Syzkaller: A Kernel Fuzzer. Retrieved September 9, 2024 from https://github.com/google/syzkaller
[89]
Seyed Mohammadjavad Seyed Talebi, Zhihao Yao, Ardalan Amiri Sani, Zhiyun Qian, and Daniel Austin. 2021. Undo workarounds for kernel bugs. In Proceedings of the 30th USENIX Security Symposium. https://www.usenix.org/system/files/sec21-talebi.pdf
[90]
GitHub. 2021. TencentOS-tiny: A Real-Time IoT Operating System Developed by Tencent. Retrieved September 9, 2024 from https://github.com/Tencent/TencentOS-tiny
[91]
Haijun Wang, Xiaofei Xie, Yi Li, Cheng Wen, Yuekang Li, Yang Liu, Shengchao Qin, Hongxu Chen, and Yulei Sui. 2020. Typestate-guided fuzzer for discovering use-after-free vulnerabilities. In Proceedings of the 42nd International Conference on Software Engineering (ICSE ’20). 999–1010.
[92]
Wenwen Wang. 2021. MLEE: Effective detection of memory leaks on early-exit paths in OS kernels. In Proceedings of the 2021 USENIX Annual Technical Conference (ATC ’21). 31–45. https://www.usenix.org/system/files/atc21-wang-wenwen.pdf
[93]
Fengguo Wei, Xingwei Lin, Xinming Ou, Ting Chen, and Xiaosong Zhang. 2018. JN-SAF: Precise and efficient NDK/JNI-aware inter-language static analysis framework for security vetting of Android applications with native code. In Proceedings of the 25th ACM SIGSAC Conference on Computer and Communications Security (CCS ’18). 1137–1150.
[94]
Robert P. Wilson and Monica S. Lam. 1995. Efficient context-sensitive pointer analysis for C programs. In Proceedings of the 16th International Conference on Programming Language Design and Implementation (PLDI ’95). 1–12.
[95]
GitHub. 2021. WLLVM: Whole Program LLVM. Retrieved September 9, 2024 from https://github.com/travitch/whole-program-llvm
[96]
Xusheng Xiao, Gogul Balakrishnan, Franjo Ivančić, Naoto Maeda, Aarti Gupta, and Deepak Chhetri. 2014. ARC++: Effective typestate and lifetime dependency analysis. In Proceedings of the 2014 International Symposium on Software Testing and Analysis (ISSTA ’14). 116–126.
[97]
Zhiwu Xu, Dongxiao Fan, and Shengchao Qin. 2016. State-taint analysis for detecting resource bugs. In Proceedings of the 10th International Symposium on Theoretical Aspects of Software Engineering (TASE ’16). 168–175.
[98]
Dacong Yan, Guoqing Xu, and Atanas Rountev. 2011. Demand-driven context-sensitive alias analysis for Java. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (ISSTA ’11). 155–165.
[99]
Hua Yan, Yulei Sui, Shiping Chen, and Jingling Xue. 2017. Machine-learning-guided typestate analysis for static use-after-free detection. In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC ’17). 42–54.
[100]
Guowei Yang, Corina S. Păsăreanu, and Sarfraz Khurshid. 2012. Memoized symbolic execution. In Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA ’12). 144–154.
[101]
Sen Ye, Yulei Sui, and Jingling Xue. 2014. Region-based selective flow-sensitive pointer analysis. In Proceedings of the 21st International Static Analysis Symposium (SAS ’14). 319–336.
[102]
Hongtao Yu, Jingling Xue, Wei Huo, Xiaobing Feng, and Zhaoqing Zhang. 2010. Level by level: Making flow-and context-sensitive pointer analysis scalable for millions of lines of code. In Proceedings of the 2010 International Symposium on Code Generation and Optimization (CGO ’10). 218–229.
[103]
Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, and Mayur Naik. 2016. APISan: Sanitizing API usages through semantic cross-checking. In Proceedings of the 25th USENIX Security Symposium. 363–378. https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_yun.pdf
[104]
GitHub. 2021. Z3: A Theorem Prover. Retrieved September 9, 2024 from https://github.com/Z3Prover/z3
[105]
GitHub. 2021. Zephyr: A Scalable Real-Time Operating System. Retrieved September 9, 2024 from https://github.com/zephyrproject-rtos/zephyr
[106]
Yizhuo Zhai, Yu Hao, Hang Zhang, Daimeng Wang, Chengyu Song, Zhiyun Qian, Mohsen Lesani, Srikanth V. Krishnamurthy, and Paul Yu. 2020. UBITect: A precise and scalable method to detect use-before-initialization bugs in Linux kernel. In Proceedings of the 28th International Symposium on the Foundations of Software Engineering (FSE ’20). 221–232.
[107]
Qirun Zhang, Xiao Xiao, Charles Zhang, Hao Yuan, and Zhendong Su. 2014. Efficient subcubic alias analysis for C. In Proceedings of the 2014 International Conference on Object-Oriented Programming Systems Languages and Applications (OOPSLA ’14). 829–845.
[108]
Xin Zheng and Radu Rugina. 2008. Demand-driven alias analysis for C. In Proceedings of the 35th International Symposium on Principles of Programming Languages (POPL ’08). 197–208.
Index Terms
- SPATA: Effective OS Bug Detection with Summary-Based, Alias-Aware, and Path-Sensitive Typestate Analysis
Recommendations
Path-sensitive and alias-aware typestate analysis for detecting OS bugs
ASPLOS '22: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating SystemsOperating system (OS) is the cornerstone for modern computer systems. It manages devices and provides fundamental service for user-level applications. Thus, detecting bugs in OSes is important to improve reliability and security of computer systems. ...
Flexible pointer analysis using assign-fetch graphs
SAC '08: Proceedings of the 2008 ACM symposium on Applied computingWe propose a new abstraction for pointer analysis that represents reads and writes to memory instead of traditional points-to relations. Compared to points-to graphs, our Assign-Fetch Graph (AFG) leads to concise procedure summaries that can be used in ...
Machine-Learning-Guided Typestate Analysis for Static Use-After-Free Detection
ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications ConferenceTypestate analysis relies on pointer analysis for detecting temporal memory safety errors, such as use-after-free (UAF). For large programs, scalable pointer analysis is usually imprecise in analyzing their hard "corner cases", such as infeasible paths, ...
Comments
Information & Contributors
Information
Published In
November 2024
162 pages
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 13 November 2024
Online AM: 06 September 2024
Accepted: 25 July 2024
Revised: 15 May 2024
Received: 09 January 2023
Published in TOCS Volume 42, Issue 3-4
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- CCF-Huawei Populus Grove Fund
- CCF-Tencent Rhino-Bird Open Research Fund
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 386Total Downloads
- Downloads (Last 12 months)386
- Downloads (Last 6 weeks)95
Reflects downloads up to 31 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in