User-Input Dependence Analysis via Graph Reachability

Bug-checking tools have been used with some success in recent years to find bugs in software. For finding bugs that can cause security vulnerabilities, bug-checking tools require a program analysis which determines whether a software bug can be controlled by user input. In this paper we introduce a static program analysis for computing user-input dependencies. This analysis can be used as a pre-processing filter to a static bug-checking tool for identifying bugs that can potentially be exploited as security vulnerabilities. In order for the analysis to be applicable to large commercial software in the millions of lines of code, runtime speed and scalability of the user-input dependence analysis are of key importance. Our user-input dependence analysis takes both data and control dependencies into account. We extend static single assignment (SSA) form by augmenting phi-nodes with control dependencies. A formal definition of user-input dependence is expressed in a dataflow analysis framework as a meet-over-all-paths (MOP) solution. We reduce the equation system to a sparse equation system exploiting the properties of SSA. The sparse equation system is solved as a reachability problem that results in a fast algorithm for computing user-input dependencies. We have implemented a call-insensitive and a call-sensitive analysis. The paper gives preliminary results on the comparison of their efficiency for various benchmarks.
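The following is an added illustration, not code from the paper, of the core idea in the abstract: a toy SSA-form program whose phi-node is augmented with the branch predicate it is control-dependent on, and user-input dependence computed as forward reachability from the input definitions over the sparse def-use graph. The mini IR (`PROGRAM`, the `kind` tags and the helper names) is an assumption of this example; the point it shows is that `z3` is only flagged when the phi-node's control dependency is taken into account.

```python
from collections import deque

# Constructed toy program in SSA form (this mini IR is ours, not the paper's).
# name -> (kind, data_operands, control_operands)
#   'input' : value read from the user (the source of user-input dependence)
#   'const' : literal, depends on nothing
#   'op'    : ordinary computation, depends on its data operands
#   'phi'   : SSA merge; besides its data operands it records the branch
#             predicates it is control-dependent on (the augmented phi-node)
PROGRAM = {
    "x":  ("input", [], []),             # x = read_user_input()
    "y":  ("const", [], []),             # y = 5
    "c":  ("op",    ["x"], []),          # c = x > 10
    "z1": ("op",    ["y"], []),          # then-branch: z1 = y + 1
    "z2": ("op",    ["y"], []),          # else-branch: z2 = y - 1
    "z3": ("phi",   ["z1", "z2"], ["c"]),  # z3 = phi(z1, z2), chosen by c
    "w":  ("op",    ["y"], []),          # w = y * 2, unaffected by input
}

def build_dependence_graph(program, with_control=True):
    """Sparse graph with one edge operand -> definition per SSA use.
    Control operands of phi-nodes are included only when with_control is set."""
    succ = {name: set() for name in program}
    for name, (_, data_ops, ctrl_ops) in program.items():
        deps = list(data_ops) + (list(ctrl_ops) if with_control else [])
        for dep in deps:
            succ[dep].add(name)
    return succ

def user_input_dependent(program, with_control=True):
    """Every definition reachable from an 'input' definition is user-input
    dependent; a plain BFS over the sparse graph computes the fixpoint."""
    succ = build_dependence_graph(program, with_control)
    sources = [n for n, (kind, _, _) in program.items() if kind == "input"]
    tainted = set(sources)
    work = deque(sources)
    while work:
        node = work.popleft()
        for nxt in succ[node]:
            if nxt not in tainted:
                tainted.add(nxt)
                work.append(nxt)
    return tainted

if __name__ == "__main__":
    print("data only:          ", sorted(user_input_dependent(PROGRAM, False)))
    print("data + control deps:", sorted(user_input_dependent(PROGRAM)))
```

With data dependencies alone `z3` looks independent of the input because both `z1` and `z2` derive from the constant `y`; adding the predicate `c` to the phi-node makes the control dependence visible while `w` stays clean.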
