Static Checking of Array Index out of Bounds Defects in C Programs Based on Taint Analysis

Cited by: 0
Authors
Gao F.-J. [1 ,2 ]
Wang Y. [1 ,2 ]
Chen T.-J. [1 ,2 ]
Situ L.-Y. [1 ,2 ]
Wang L.-Z. [1 ,2 ]
Li X.-D. [1 ,2 ]
Affiliations
[1] Department of Computer Science and Technology, Nanjing University, Nanjing
[2] State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing
Source
Ruan Jian Xue Bao/Journal of Software | 2020 / Vol. 31 / No. 10
Keywords
Array index out-of-bounds; Buffer overflow; Constraint solving; Static analysis
DOI
10.13328/j.cnki.jos.006063
Abstract
During the rapid development of mobile computing, IoT, cloud computing, artificial intelligence, etc., many new programming languages and compilers are emerging. Even so, C/C++ is still one of the most popular languages, and the array is one of the most important data structures in C. When an index is used to access an element of an array, it is necessary to check that the index lies within the bounds of the array; otherwise an array index out-of-bounds access happens unexpectedly. When array index out-of-bounds defects exist in a program, serious errors such as a system crash may occur during execution. Worse, array index out-of-bounds defects open the door for attackers to take control of the server and execute arbitrary malicious code by carefully constructing input and hijacking the control flow of the program. Existing static methods for array bounds checking cannot achieve high accuracy or handle complex constraints and expressions, which leads to too many false positives and increases the burden on developers. In this study, a static checking method based on taint analysis is proposed. First, a flow-sensitive, context-sensitive, on-demand pointer analysis is proposed to determine the range of each array's length. Then, an on-demand taint analysis is performed for all array indices and array length expressions. Finally, rules for checking array index out-of-bounds defects are defined, and the checking is realized by backward data flow analysis. To deal with complex constraints and expressions during the analysis, the satisfiability of the conditions is checked by invoking a constraint solver. If no statement that prevents the array index from going out of bounds is found in the program, an array index out-of-bounds warning is reported.
An automatic static analysis tool, Carraybound, has been implemented, and the experimental results show that Carraybound works effectively and efficiently. © Copyright 2020, Institute of Software, the Chinese Academy of Sciences. All rights reserved.
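A toy version of the three-step check the abstract describes (array length range, taint on indices, guard-based bounds checking), added here as an illustration and not the paper's Carraybound code. It uses a constructed straight-line IR, forward interval propagation in place of the backward data flow analysis, and interval narrowing in place of the constraint solver call; the statement forms, variable names and the sample program are all made up.

```python
INF = float("inf")

# Constructed toy IR (not the paper's). Statement forms:
#   ("input", v)  v read from untrusted input   ("alloc", a, lo, hi)  len(a) in [lo, hi]
#   ("assign", v, src, k)  v = src + k          ("assume", v, op, c)  guard "v op c" dominates the rest
#   ("access", a, v)  the access a[v] to be checked
NARROW = {"<": lambda lo, hi, c: (lo, min(hi, c - 1)), "<=": lambda lo, hi, c: (lo, min(hi, c)),
          ">": lambda lo, hi, c: (max(lo, c + 1), hi), ">=": lambda lo, hi, c: (max(lo, c), hi)}

def check_program(stmts):
    """Return [(stmt index, array, index var)] for each tainted access whose
    guards do not confine the index to [0, shortest possible length - 1]."""
    tainted, rng, arrays, warnings = set(), {}, {}, []
    for i, s in enumerate(stmts):
        kind = s[0]
        if kind == "input":                  # taint source: attacker controls the value
            tainted.add(s[1])
            rng[s[1]] = (-INF, INF)
        elif kind == "alloc":                # length range, as from the pointer analysis
            arrays[s[1]] = (s[2], s[3])
        elif kind == "assign":               # taint and range flow from src to v
            _, v, src, k = s
            (tainted.add if src in tainted else tainted.discard)(v)
            lo, hi = rng.get(src, (-INF, INF))
            rng[v] = (lo + k, hi + k)
        elif kind == "assume":               # a guard narrows the index range
            _, v, op, c = s
            rng[v] = NARROW[op](*rng.get(v, (-INF, INF)), c)
        elif kind == "access":
            _, a, v = s
            if v not in tainted:             # on demand: only tainted indices are checked
                continue
            lo, hi = rng.get(v, (-INF, INF))
            if not (lo >= 0 and hi <= arrays[a][0] - 1):
                warnings.append((i, a, v))
    return warnings

# Constructed sample: char buf[16]; n from input; i = n + 1; guarded accesses.
PROG = [
    ("alloc", "buf", 16, 16), ("input", "n"), ("assign", "i", "n", 1),
    ("assume", "i", "<", 16),
    ("access", "buf", "i"),      # index 4: upper bound only, i may be negative -> warning
    ("assume", "i", ">=", 0),
    ("access", "buf", "i"),      # index 6: now 0 <= i <= 15 -> safe
    ("assign", "j", "i", 1),
    ("access", "buf", "j"),      # index 8: j in [1, 16], off by one -> warning
]

if __name__ == "__main__":
    print(check_program(PROG))   # [(4, 'buf', 'i'), (8, 'buf', 'j')]
```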
Pages: 2983-3003
Page count: 20