
Unleashing the power of type-based call graph construction by using regional pointer information

Published: 12 August 2024

Abstract

When dealing with millions of lines of C code, we still cannot have the cake and eat it: type analysis for call graph construction is scalable yet highly imprecise. We address this precision issue through a practical observation: many function pointers are simple; they are not referenced by other pointers, nor do they derive their values by dereferencing other pointers. As a result, simple function pointers can be resolved with precise and affordable pointer aliasing information. In this work, we advocate KELP with two concerted stages. First, instead of directly using type analysis, KELP performs regional pointer analysis along def-use chains to early and precisely resolve the indirect calls through simple function pointers. Second, KELP then leverages type analysis to handle the remaining indirect calls. The first stage is efficient as KELP selectively reasons about simple function pointers, thereby avoiding prohibitive performance penalties. The second stage is precise as the candidate address-taken functions for checking type compatibility are largely reduced thanks to the first stage. Our experiments on twenty large-scale and popular software programs show that, on average, KELP can reduce spurious callees by 54.2% with only a negligible additional time cost of 8.5% (equivalent to 6.3 seconds) compared to the previous approach. More excitingly, when evaluating the call graphs through the lens of three different downstream clients (i.e., thread-sharing analysis, value-flow bug detection, and directed grey-box fuzzing), KELP can significantly enhance their effectiveness for better vulnerability understanding, hunting, and reproduction.
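The two stages sketched in the abstract can be modelled on a toy IR. The Python below is an added illustration written for this page, not code from the paper or from KELP's authors: the mini-IR statement forms, the program, and every name in it (`handler_a`, `tbl`, `cmp_x`, and so on) are constructed for the demo. Stage 1 classifies function-pointer variables as "simple" (never referenced by another pointer, never defined by a dereference, never copied from a non-simple pointer) and resolves them along addr/copy def-use chains; stage 2 falls back to type matching for the rest, but only over the address-taken functions whose addresses actually escape into memory or non-simple pointers, which is the candidate-set reduction the abstract describes.

```python
"""Toy two-stage indirect-call resolution, modelled on the abstract above.
Constructed illustration, not KELP's code; IR, program and tables are made up."""
from collections import defaultdict

# Mini-IR: ("addr", dst, fn) dst=&fn | ("copy", dst, src) | ("load", dst, ptr) dst=*ptr
#          ("store", ptr, src) *ptr=src | ("ref", dst, var) dst=&var | ("icall", var)
FUNCS = {  # constructed: function -> signature used for type compatibility
    "handler_a": "void(int)", "handler_b": "void(int)", "handler_c": "void(int)",
    "init": "void(int)",  # compatible type but never address-taken
    "cmp_x": "int(void*,void*)", "cmp_y": "int(void*,void*)",
}
VAR_TYPES = {  # constructed: function-pointer variable -> declared type
    "cb": "void(int)", "cb2": "void(int)", "t0": "void(int)", "t1": "void(int)",
    "fp": "void(int)", "q": "int(void*,void*)", "c2": "int(void*,void*)",
}
PROGRAM = [
    ("addr", "cb", "handler_a"), ("copy", "cb2", "cb"), ("icall", "cb2"),  # simple chain
    ("addr", "t0", "handler_b"), ("store", "tbl", "t0"),                   # dispatch table:
    ("addr", "t1", "handler_c"), ("store", "tbl", "t1"),                   # targets go through
    ("load", "fp", "tbl"), ("icall", "fp"),                                # memory
    ("addr", "q", "cmp_x"), ("ref", "pp", "q"), ("icall", "q"),            # q's address is taken
    ("addr", "c2", "cmp_y"), ("store", "slot", "c2"),
]


def simple_pointers(prog, var_types):
    """Simple = not referenced by another pointer, not defined by a load, and
    not copied from a non-simple pointer (fixpoint over copy chains)."""
    referenced = {s[2] for s in prog if s[0] == "ref"}
    loaded = {s[1] for s in prog if s[0] == "load"}
    simple = set(var_types) - referenced - loaded
    changed = True
    while changed:
        changed = False
        for s in prog:
            if s[0] == "copy" and s[1] in simple and s[2] not in simple:
                simple.discard(s[1])
                changed = True
    return simple


def resolve_simple(prog, simple):
    """Stage 1: points-to sets for simple pointers from addr/copy def-use chains only."""
    pts = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for s in prog:
            if s[0] == "addr" and s[1] in simple and s[2] not in pts[s[1]]:
                pts[s[1]].add(s[2])
                changed = True
            elif s[0] == "copy" and s[1] in simple:
                new = pts[s[2]] - pts[s[1]]
                if new:
                    pts[s[1]] |= new
                    changed = True
    return pts


def escaping_functions(prog, simple, pts):
    """Address-taken functions whose address reaches memory or a non-simple pointer;
    these are the only candidates stage 2 still has to type-check."""
    esc = set()
    for s in prog:
        if s[0] == "addr" and s[1] not in simple:
            esc.add(s[2])
        elif s[0] == "store" and s[2] in simple:
            esc |= pts[s[2]]
        elif s[0] == "copy" and s[1] not in simple and s[2] in simple:
            esc |= pts[s[2]]
    return esc


def type_match(funcs, ptr_type, candidates):
    return {f for f in candidates if funcs[f] == ptr_type}


def resolve_type_only(prog, funcs, var_types):
    """Baseline: each icall gets every address-taken function of a compatible type."""
    taken = {s[2] for s in prog if s[0] == "addr"}
    return {s[1]: type_match(funcs, var_types[s[1]], taken) for s in prog if s[0] == "icall"}


def resolve_two_stage(prog, funcs, var_types):
    """Stage 1 for simple pointers; stage 2 (type analysis over the reduced set) otherwise."""
    simple = simple_pointers(prog, var_types)
    pts = resolve_simple(prog, simple)
    esc = escaping_functions(prog, simple, pts)
    cg = {}
    for s in prog:
        if s[0] == "icall":
            v = s[1]
            cg[v] = set(pts[v]) if v in simple else type_match(funcs, var_types[v], esc)
    return cg


def total_callees(cg):
    return sum(len(c) for c in cg.values())
```

Calling `resolve_type_only` and `resolve_two_stage` on `PROGRAM`: the type-only baseline gives the call through `cb2` three candidates and the two-stage result gives one, while the dispatch-table call through `fp` drops `handler_a` because stage 1 showed that address never escapes; the call through `q` is unchanged because `q` is referenced by another pointer. The toy is flow-insensitive over copies and intraprocedural; the abstract describes the real system working along def-use chains in large C programs, so treat this only as a model of the candidate-set reduction, not of its precision.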



Published In

SEC '24: Proceedings of the 33rd USENIX Conference on Security Symposium
August 2024
7480 pages
ISBN: 978-1-939133-44-1

Sponsors

• Bloomberg Engineering
• Google Inc.
• NSF
• Futurewei Technologies
• IBM

Publisher

USENIX Association, United States


Qualifiers

• Research-article
• Research
• Refereed limited

Acceptance Rates

Overall Acceptance Rate: 40 of 100 submissions, 40%
