
Tracking pointers with path and context sensitivity for bug detection in C programs

Published: 01 September 2003

Abstract

This paper proposes a pointer alias analysis for automatic error detection. State-of-the-art pointer alias analyses are either too slow or too imprecise for finding errors in real-life programs. We propose a hybrid pointer analysis that tracks actively manipulated pointers held in local variables and parameters accurately, with path and context sensitivity, and handles pointers stored in recursive data structures less precisely but efficiently. We make the unsound assumption that pointers passed into a procedure, in parameters, global variables, and locations reached by applying simple access paths to parameters and global variables, are all distinct from each other and from any other locations. This assumption matches the semantics of many functions, reduces spurious aliases and speeds up the analysis.

We present a program representation, called IPSSA, which captures intraprocedural and interprocedural definition-use relationships of directly and indirectly accessed memory locations. This representation makes it easy to create demand-driven path-sensitive and context-sensitive analyses.

We demonstrate how a program checker based on IPSSA can be used to find security violations. Our checker, when applied to 10 programs, found 6 new violations and 8 previously reported ones. The checker generated only one false warning, suggesting that our approach is effective in creating practical and easy-to-use bug detection tools.
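The abstract makes two claims a practitioner will want to see on concrete C: that path sensitivity on a pointer held in a local variable removes a spurious overrun warning, and that the "parameters are distinct" assumption is unsound for callers that pass overlapping pointers. The following is a constructed illustration written for this page; it is not code from the paper or its checker, and the function names, buffer sizes and strings are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example for this page; not code from the paper or its checker. */

/* 1. Path sensitivity.  `dst` and `n` are both chosen by `use_small`.  A
 * path-insensitive analysis merges the two definitions of each variable and
 * must consider dst == small together with n == 40, so it reports a possible
 * overrun of the 16-byte buffer.  A path-sensitive analysis keeps the two
 * definitions correlated on the same predicate, sees that (small, 40) is an
 * infeasible pair, and stays silent.  Returns the number of bytes written. */
size_t fill_correlated(int use_small, int fill)
{
    char small[16];
    char large[64];
    char *dst = use_small ? small : large;   /* pointer tracked by the analysis */
    size_t n  = use_small ? 8 : 40;          /* correlated with the same predicate */

    memset(dst, fill, n);                    /* in bounds on both feasible paths */
    dst[n] = '\0';
    return n;                                /* 8 or 40 */
}

/* 2. The distinctness assumption.  The bound below is sound only if `src`
 * does not lie inside `dst`: a naive strcat(buf, buf) overwrites the
 * terminator it is copying towards and runs off the end of buf.  An analysis
 * that assumes distinct parameters would not report such a caller, so the
 * callee checks the assumption itself.  The pointer comparison goes through
 * uintptr_t because comparing pointers into different objects is not defined
 * in C.  Returns the new length, -1 if src overlaps dst, -2 on overrun. */
int append_nonoverlapping(char *dst, size_t cap, const char *src)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    size_t used, len;

    if (s >= d && s < d + cap)
        return -1;
    for (used = 0; used < cap && dst[used] != '\0'; used++)
        ;
    if (used == cap)                         /* dst not terminated within cap */
        return -2;
    len = strlen(src);
    if (len > cap - used - 1)
        return -2;
    memcpy(dst + used, src, len + 1);        /* includes the terminator */
    return (int)(used + len);
}

/* Three callers of append_nonoverlapping on a 16-byte buffer holding "hdr:":
 * 0 appends a distinct string, 1 passes a pointer into the buffer itself,
 * 2 appends more than the 11 bytes of room that remain. */
int demo_append(int scenario)
{
    char buf[16] = "hdr:";
    switch (scenario) {
    case 0:  return append_nonoverlapping(buf, sizeof buf, "value");          /* 9 */
    case 1:  return append_nonoverlapping(buf, sizeof buf, buf + 1);          /* -1 */
    default: return append_nonoverlapping(buf, sizeof buf, "0123456789abc");  /* -2 */
    }
}

int main(void)
{
    printf("fill_correlated(1): %zu bytes into a 16-byte buffer\n", fill_correlated(1, 'a'));
    printf("fill_correlated(0): %zu bytes into a 64-byte buffer\n", fill_correlated(0, 'a'));
    printf("append distinct: %d, aliased: %d, too long: %d\n",
           demo_append(0), demo_append(1), demo_append(2));
    return 0;
}
```

The first function is the shape of code on which a flow-sensitive but path-insensitive checker raises the kind of spurious warning the abstract says IPSSA avoids. The second shows the price of the distinctness assumption: scenario 1 is exactly the aliasing caller such an analysis would not flag, so the bounds reasoning inside the callee is only as good as the caller's discipline, and a runtime overlap check is the cheap way to make the assumption explicit.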



Published In

ACM SIGSOFT Software Engineering Notes, Volume 28, Issue 5
September 2003, 382 pages
ISSN: 0163-5948
DOI: 10.1145/949952

ACM Conferences: ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
September 2003, 394 pages
ISBN: 1581137435
DOI: 10.1145/940071
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 September 2003
Published in SIGSOFT Volume 28, Issue 5


Author Tags

  1. SSA representation
  2. buffer overruns
  3. context-sensitive analysis
  4. error detection
  5. path-sensitive analysis
  6. pointer analysis
  7. program analysis
  8. program representation
  9. security flaws
  10. software security

Qualifiers

  • Article


Article Metrics

  • Downloads (Last 12 months)20
  • Downloads (Last 6 weeks)0
Reflects downloads up to 10 Nov 2024

Cited By
  • (2023) Detecting Condition-Related Bugs with Control Flow Graph Neural Network. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1370-1382. DOI: 10.1145/3597926.3598142. Online publication date: 12 Jul 2023.
  • (2022) A Survey of Detection Methods for Software Use-After-Free Vulnerability. Data Science, pp. 272-297. DOI: 10.1007/978-981-19-5209-8_19. Online publication date: 10 Aug 2022.
  • (2020) Cross-contract static analysis for detecting practical reentrancy vulnerabilities in smart contracts. Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering, pp. 1029-1040. DOI: 10.1145/3324884.3416553. Online publication date: 21 Dec 2020.
  • (2019) Identifying cache-based side channels through secret-augmented abstract interpretation. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 657-674. DOI: 10.5555/3361338.3361384. Online publication date: 14 Aug 2019.
  • (2019) DCNS. Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 287-299. DOI: 10.1145/3297858.3304065. Online publication date: 4 Apr 2019.
  • (2019) TsmartGP. Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, pp. 1170-1173. DOI: 10.1109/ASE.2019.00129. Online publication date: 10 Nov 2019.
  • (2019) Necessity and Capability of Flow, Context, Field and Quasi Path Sensitive Points-to Analysis. 2019 26th Asia-Pacific Software Engineering Conference (APSEC), pp. 268-275. DOI: 10.1109/APSEC48747.2019.00044. Online publication date: Dec 2019.
  • (2019) A Hybrid Framework for Secure Web Applications. ICICCT 2019 – System Reliability, Quality Control, Safety, Maintenance and Management, pp. 140-151. DOI: 10.1007/978-981-13-8461-5_16. Online publication date: 28 Jun 2019.
  • (2018) Pinpoint: fast and precise sparse value flow analysis for million lines of code. ACM SIGPLAN Notices 53(4), pp. 693-706. DOI: 10.1145/3296979.3192418. Online publication date: 11 Jun 2018.
  • (2018) Pinpoint: fast and precise sparse value flow analysis for million lines of code. Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 693-706. DOI: 10.1145/3192366.3192418. Online publication date: 11 Jun 2018.
