Article

Tracking pointers with path and context sensitivity for bug detection in C programs

Authors:
V. Benjamin Livshits

Stanford University, Stanford, CA

Stanford University, Stanford, CA
View Profile

,
Monica S. Lam

Stanford University, Stanford, CA

Stanford University, Stanford, CA
View Profile

ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineeringSeptember 2003Pages 317–326https://doi.org/10.1145/940071.940114

Published:01 September 2003Publication History

ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering

Pages 317–326

ABSTRACT

This paper proposes a pointer alias analysis for automatic error detection. State-of-the-art pointer alias analyses are either too slow or too imprecise for finding errors in real-life programs. We propose a hybrid pointer analysis that tracks actively manipulated pointers held in local variables and parameters accurately with path and context sensitivity and handles pointers stored in recursive data structures less precisely but efficiently. We make the unsound assumption that pointers passed into a procedure, in parameters, global variables, and locations reached by applying simple access paths to parameters and global variables, are all distinct from each other and from any other locations. This assumption matches the semantics of many functions, reduces spurious aliases and speeds up the analysis.We present a program representation, called IPSSA, which captures intraprocedural and interprocedural definition-use relationships of directly and indirectly accessed memory locations. This representation makes it easy to create demand-driven path-sensitive and context-sensitive analyses.We demonstrate how a program checker based on IPSSA can be used to find security violations. Our checker, when applied to 10 programs, found 6 new violations and 8 previously reported ones. The checker generated only one false warning, suggesting that our approach is effective in creating practical and easy-to-use bug detection tools.

References

R. A. Ballance, A. B. Maccabe, and K. J. Ottenstein. The program dependence web: A representation supporting control-, data-, and demand-driven interpretation of imperative languages. In Proceedings of the ACM SIGPLAN '90 Conference on Programming Language Design and Implementation, pages 257--271, 1990. Google ScholarDigital Library
W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. In Proceedings of Software Practice and Experience, pages 775--802, 2000. Google ScholarDigital Library
D. R. Chase, M. Wegma, and F. K. Zadeck. Analysis of pointers and structures. In Proceedings of the ACM SIGPLAN '90 Conference on Programming Language Design and Implementation, pages 296--310, 1990. Google ScholarDigital Library
A. Chou, B. Chelf, D. Engler, and M. Heinrich. Using meta-level compilation to check FLASH protocol code. In Proceedings of Architectural Support or Programming Languages and Operating Systems, pages 59--70, 2000. Google ScholarDigital Library
F. C. Chow, S. Cha, S.-M. Liu, R. Lo, and M. Streich. Effective representation of aliases and indirect memory operations in SSA form. In Proceedings of the Sixth International Conference on Compiler Construction, pages 253--267, 1996. Google ScholarDigital Library
Cigital. ITS4: Software security tool. http://www.cigital.com/its4/.Google Scholar
R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Effciently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems, 13(4):451--490, October 1991. Google ScholarDigital Library
R. Cytro and R. Gershbein. Effcient accomodation of may-alias information in SSA form. In Proceedings of the SIGPLAN '93 Conference on Programming Language Design and Implementation, pages 253--267, June 1993. Google ScholarDigital Library
A. DeKok. PScan: A limited problem scanner for C source files. http://www.striker.ottawa.on.ca/~aland/pscan/.Google Scholar
R. DeLine and M. Fahndrich. Enforcing high-level protocols in low-level software. In Proceedings of the ACM SIGPLAN '01 Conference on Programming Language Design and Implementation, pages 59--69, 2001. Google ScholarDigital Library
D. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the ACM Conference on Operating Systems Design and Implementation, pages 1--16, 2000. Google ScholarDigital Library
D. Evans and D. Larochelle. Improving security using extensible lightweight static analysis. IEEE Software, 19(1):42--51, 2002. Google ScholarDigital Library
Nevin Heintze and Olivier Tardieu. Ultra-fast aliasing analysis using CLA: A million lines of C code. In Proceedings of the ACM SIGPLAN '01 Conference on Programming Language Design and Implementation, pages 146--161, 2001. Google ScholarDigital Library
C. Lapkowski and L. J. Hendre. Extended SSA numbering: Introducing SSA properties to language with multi-level pointers. In Proceedings of the Seventh International Conference on Compiler Construction, pages 128--143, 1998. Google ScholarDigital Library
S.-W. Liao, A. Diwa, R. P. Bosch, A. Ghuloum, and M. Lam. SUIF explorer: An interactive and interprocedural parallelizer. In Proceedings of the 26th Annual ACM Symposium on Principles of Programming Languages, pages 37--48, 1999. Google ScholarDigital Library
A. Pinkus. Yacas manual. http://www.xs4all.nl/~apinkus/manindex.htmlGoogle Scholar
S. Sagiv, T. W. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. In Proceedings of the 26th Annual ACM Symposium on Principles of Programming Languages, pages 105--118, 1999. Google ScholarDigital Library
U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10th USENIX Security Symposium, pages 201--220, 2001. Google ScholarDigital Library
Secure Software. RATS, a scanning tool. http://www.securesoftware.com/rats.Google Scholar
B. Steensgaard. Points-to analysis in almost linear time. In Proceedings of the 23th Annual ACM Symposium on Principles of Programming Languages, pages 32--41, 1996. Google ScholarDigital Library
P. Tu and D. Padua. Efficient building and placing of gating functions. In Proceedings of the ACM SIGPLAN '95 Conference on Programming Language Design and Implementation, pages 47--55, 1995. Google ScholarDigital Library
P. Tu and D. Padua. Gated SSA-based demand-drive symbolic analysis for parallelizing compilers. In Proceedings of the 1995 ACM International Conference on Supercomputing, pages 414--423, 1995. Google ScholarDigital Library
D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of Network and Distributed Systems Security Symposium, pages 3--17, 2000.Google Scholar
J. Whaley and M. Rinard. Compositional pointer and escape analysis for Java programs. In Proceedings of Object-oriented Programming, Systems, Languages, and Applications, pages 187--206, 1999. Google ScholarDigital Library
R. P. Wilson. Efficient, Context-Sensitive Pointer Analysis for C Programs. PhD thesis, Stanford University, 1998. Google ScholarDigital Library
R. P. Wilson and M. S. Lam. Efficient context-sensitive pointer analysis for C programs. In Proceedings of the ACM SIGPLAN '90 Conference on Programming Language Design and Implementation, pages 1--12, 1995. Google ScholarDigital Library

Index Terms

Tracking pointers with path and context sensitivity for bug detection in C programs
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging
  2. Software notations and tools

Recommendations

Tracking pointers with path and context sensitivity for bug detection in C programs

This paper proposes a pointer alias analysis for automatic error detection. State-of-the-art pointer alias analyses are either too slow or too imprecise for finding errors in real-life programs. We propose a hybrid pointer analysis that tracks actively ...
Read More
Context transformations for pointer analysis
PLDI 2017: Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation

Points-to analysis for Java benefits greatly from context sensitivity. CFL-reachability and k-limited context strings are two approaches to obtaining context sensitivity with different advantages: CFL-reachability allows local reasoning about data-value ...
Read More
Improving software security with a C pointer analysis
ICSE '05: Proceedings of the 27th international conference on Software engineering

This paper presents a context-sensitive, inclusion-based, field-sensitive points-to analysis for C and uses the analysis to detect and prevent security vulnerabilities in programs. In addition to a conservative analysis, we propose an optimistic ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
September 2003
394 pages
ISBN:1581137435
DOI:10.1145/940071
General Chair:
Jukka Paakki
University of Helsinki, Finland
,
Program Chair:
Paola Inverardi
University of L'Aquila, Italy
ACM SIGSOFT Software Engineering Notes Volume 28, Issue 5
September 2003
382 pages
ISSN:0163-5948
DOI:10.1145/949952
Issue’s Table of Contents
Copyright © 2003 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 September 2003
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
SSA representation
buffer overruns
context-sensitive analysis
error detection
path-sensitive analysis
pointer analysis
program analysis
program representation
security flaws
software security
Qualifiers
- Article
Conference

Acceptance Rates
ESEC/FSE-11 Paper Acceptance Rate33of168submissions,20%Overall Acceptance Rate112of543submissions,21%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 73
  Total Citations
  View Citations
- 820
  Total Downloads
- Downloads (Last 12 months)21
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Tracking pointers with path and context sensitivity for bug detection in C programs

ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Tracking pointers with path and context sensitivity for bug detection in C programs

Context transformations for pointer analysis

Improving software security with a C pointer analysis