Marple: a demand-driven path-sensitive buffer overflow detector

Despite increasing efforts to detect and manage software security vulnerabilities, the number of security attacks still rises every year. As software becomes more complex, security vulnerabilities are more easily introduced into a system and more difficult to eliminate. Even though buffer overflow detection has been studied for more than 20 years, it is still the most commonly exploited vulnerability. In this paper, we develop a static analyzer for detecting and helping diagnose buffer overflows, with the key idea of categorizing program paths according to how they relate to the vulnerability. We combine path sensitivity with demand-driven analysis for precision and scalability. We first develop a vulnerability model for buffer overflow and then use the model to build the demand-driven path-sensitive analyzer. We detect and identify categories of paths including infeasible, safe, vulnerable, overflow-input-independent and don't-know. The categorization enables priorities to be set when searching for the root causes of vulnerable paths. We implemented our analyzer, Marple, and compared its performance with existing tools. Our experiments show that Marple detects buffer overflows that other tools cannot, and that, being path-sensitive and prioritizing its reports, Marple produces only 1 false positive out of 72 reported overflows. We also show that Marple scales to 570,000 lines of code, the largest benchmark we had.
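The five path categories above are easiest to see on concrete paths. The following is an added illustration, not code from the Marple paper or its implementation: a toy demand-driven, path-sensitive check over a hand-built path IR. The query starts at a buffer write, asks how large the length variable can be there, and walks the path backwards collecting interval bounds until it reaches the variable's definition, then sorts the path into one of the five categories. The IR (`Stmt`, the `Op` kinds), the interval rules, the sample function and the assumption that a write of `n` bytes into `size` bytes overflows iff `n > size` are all constructed for this example; the real analyzer works on C source and uses a far richer vulnerability model.

```c
/* Added example (not Marple's code): toy demand-driven, path-sensitive
 * classification of single program paths into the categories the abstract
 * lists. IR, interval domain and rules are assumptions for illustration. */
#include <limits.h>
#include <stdio.h>

/* One statement of a single, fully resolved program path. */
enum Op {
    SET,        /* var = arg (a constant)                                  */
    INPUT,      /* var comes from untrusted input, e.g. strlen(argv[1])    */
    UNKNOWN,    /* var defined by a call the analysis does not model       */
    ASSUME_LT,  /* branch taken on this path implies var <  arg            */
    ASSUME_GE,  /* branch taken on this path implies var >= arg            */
    WRITE       /* var bytes written into a buffer of arg bytes            */
};
typedef struct { enum Op op; char var; long arg; } Stmt;

enum PathKind { INFEASIBLE, SAFE, VULNERABLE, OVERFLOW_INPUT_INDEPENDENT, DONT_KNOW };

const char *kind_name(enum PathKind k) {
    static const char *names[] = { "infeasible", "safe", "vulnerable",
                                   "overflow-input-independent", "don't-know" };
    return names[k];
}

/* Demand-driven: the query is raised at the WRITE ("how large can var be
 * here?") and the path is walked backwards, narrowing an interval with each
 * branch condition on var, until var's definition answers the query. */
enum PathKind classify_path(const Stmt *path, int len) {
    int w = len - 1;
    while (w >= 0 && path[w].op != WRITE) w--;
    if (w < 0) return DONT_KNOW;              /* no write to ask about */
    char v = path[w].var;
    long size = path[w].arg;
    long lo = LONG_MIN, hi = LONG_MAX;        /* interval of v at the write */
    int from_input = 0, unmodeled = 0, defined = 0;

    for (int i = w - 1; i >= 0 && !defined; i--) {
        if (path[i].var != v) continue;       /* not part of this query's slice */
        switch (path[i].op) {
        case ASSUME_LT: if (path[i].arg - 1 < hi) hi = path[i].arg - 1; break;
        case ASSUME_GE: if (path[i].arg > lo) lo = path[i].arg; break;
        case SET:       /* constant definition: intersect with [arg, arg] */
            if (path[i].arg > lo) lo = path[i].arg;
            if (path[i].arg < hi) hi = path[i].arg;
            defined = 1; break;
        case INPUT:     from_input = 1; defined = 1; break;
        case UNKNOWN:   unmodeled = 1;  defined = 1; break;
        case WRITE:     break;                /* an earlier write, not a definition */
        }
    }
    if (!defined) return DONT_KNOW;           /* the slice never defined v */
    if (lo > hi) return INFEASIBLE;           /* branch conditions contradict */
    if (hi <= size) return SAFE;              /* bounded by the buffer on this path */
    if (unmodeled) return DONT_KNOW;          /* may overflow, cannot be decided */
    return from_input ? VULNERABLE : OVERFLOW_INPUT_INDEPENDENT;
}

/* Paths through this constructed function (buf is 16 bytes, n is the length):
 *   if (mode == 0)      n = 8;
 *   else if (mode == 1) n = 32;
 *   else                n = strlen(input);
 *   if (n >= 64) return;                 continuing implies n < 64
 *   if (n < 16) memcpy(buf, src, n);     site 1
 *   else        memcpy(buf, src, n);     site 2
 */
const Stmt path_const_site1[] = { {SET,'n',8},     {ASSUME_LT,'n',64}, {ASSUME_LT,'n',16}, {WRITE,'n',16} };
const Stmt path_big_site1[]   = { {SET,'n',32},    {ASSUME_LT,'n',64}, {ASSUME_LT,'n',16}, {WRITE,'n',16} };
const Stmt path_big_site2[]   = { {SET,'n',32},    {ASSUME_LT,'n',64}, {ASSUME_GE,'n',16}, {WRITE,'n',16} };
const Stmt path_input_site1[] = { {INPUT,'n',0},   {ASSUME_LT,'n',64}, {ASSUME_LT,'n',16}, {WRITE,'n',16} };
const Stmt path_input_site2[] = { {INPUT,'n',0},   {ASSUME_LT,'n',64}, {ASSUME_GE,'n',16}, {WRITE,'n',16} };
const Stmt path_unknown[]     = { {UNKNOWN,'n',0}, {ASSUME_LT,'n',64}, {ASSUME_GE,'n',16}, {WRITE,'n',16} };
#define PATH_LEN(p) ((int)(sizeof(p) / sizeof((p)[0])))

int main(void) {
    printf("n=8,  site 1: %s\n", kind_name(classify_path(path_const_site1, PATH_LEN(path_const_site1))));
    printf("n=32, site 1: %s\n", kind_name(classify_path(path_big_site1,   PATH_LEN(path_big_site1))));
    printf("n=32, site 2: %s\n", kind_name(classify_path(path_big_site2,   PATH_LEN(path_big_site2))));
    printf("input, site 1: %s\n", kind_name(classify_path(path_input_site1, PATH_LEN(path_input_site1))));
    printf("input, site 2: %s\n", kind_name(classify_path(path_input_site2, PATH_LEN(path_input_site2))));
    printf("unknown, site 2: %s\n", kind_name(classify_path(path_unknown,  PATH_LEN(path_unknown))));
    return 0;
}
```

The point of the walk is that a path-insensitive checker would merge the three definitions of `n` and flag both `memcpy` sites, whereas per-path reasoning shows site 1 is safe on every feasible path, the constant-32 path to site 2 overflows regardless of input (a bug worth fixing first, since no attacker is needed to trigger it), the input path to site 2 is the genuinely exploitable one, and the unmodeled definition is reported as don't-know rather than silently dropped or reported as a false positive.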
