asfenrap.blogg.se

Typestatus repo









Typestate analysis relies on pointer analysis for detecting temporal memory safety errors, such as use-after-free (UAF). For large programs, scalable pointer analysis is usually imprecise in analyzing their hard "corner cases", such as infeasible paths, recursion cycles, loops, arrays, and linked lists. Due to a sound over-approximation of the points-to information, a large number of spurious aliases will be reported conservatively, causing the corresponding typestate analysis to report a large number of false alarms. Thus, the usefulness of typestate analysis for heap-intensive clients, like UAF detection, becomes rather limited, in practice.

We introduce Tac, a static UAF detector that bridges the gap between typestate and pointer analyses by machine learning. Tac learns the correlations between program features and UAF-related aliases by using a Support Vector Machine (SVM) and applies this knowledge to further disambiguate the UAF-related aliases reported imprecisely by the pointer analysis so that only the ones validated by its SVM classifier are further investigated by the typestate analysis. Despite its unsoundness, Tac represents a practical typestate analysis approach for UAF detection.

We have implemented Tac in LLVM-3.8.0 and evaluated it using a set of eight open-source C/C++ programs. The results show that Tac is effective (in terms of finding 5 known CVE vulnerabilities, 1 known bug, and 8 new bugs with a low false alarm rate) and scalable (in terms of analyzing a large codebase with 2,098 KLOC in just over 4 hours).
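The false-alarm problem described above can be seen in a toy typestate checker. This is an added illustration, not code from the page or from Tac, and it contains no SVM: it runs the same live/freed check once with sound but flow-insensitive points-to sets and once with exact ones. Flow-insensitivity stands in for the imprecision the text attributes to corner cases; the IR, function names and sample programs are constructed assumptions.

```python
# Toy typestate check for use-after-free over a straight-line IR (constructed).
# Statements: ("malloc", var, site), ("copy", dst, src), ("free", var), ("use", var)

def flow_insensitive_pts(prog):
    """Sound but imprecise points-to sets: statement order is ignored."""
    pts, changed = {}, True
    while changed:
        changed = False
        for op, *args in prog:
            if op == "malloc":
                var, new = args[0], {args[1]}
            elif op == "copy":
                var, new = args[0], pts.get(args[1], set())
            else:
                continue
            cur = pts.setdefault(var, set())
            if not new <= cur:
                cur |= new
                changed = True
    return pts

def typestate_uaf(prog, precise):
    """Return indices of 'use' statements flagged as possible UAF."""
    may = flow_insensitive_pts(prog)
    env = {}       # exact points-to per variable, used when precise=True
    freed = set()  # allocation sites currently in the 'freed' typestate
    alarms = []
    for i, (op, *args) in enumerate(prog):
        if op == "malloc":
            env[args[0]] = {args[1]}
            freed.discard(args[1])       # a fresh object starts 'live'
        elif op == "copy":
            env[args[0]] = set(env.get(args[1], set()))
        else:
            src = env if precise else may
            targets = src.get(args[0], set())
            if op == "free":
                freed |= targets         # every may-target becomes 'freed'
            elif op == "use" and targets & freed:
                alarms.append(i)
    return alarms

# q aliases p, p is freed, q is used: a genuine UAF.
REAL_UAF = [("malloc", "p", "A"), ("copy", "q", "p"), ("free", "p"), ("use", "q")]
# p is freed, then re-pointed at a new object B before the use: safe.
REUSED_VAR = [("malloc", "p", "A"), ("free", "p"), ("malloc", "p", "B"), ("use", "p")]
```

Both modes flag `REAL_UAF`, but only the imprecise mode flags `REUSED_VAR`, because its points-to set for `p` still contains the freed object `A`.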










