Practical and Accurate Low-Level Pointer Analysis

Guo, Bolei; Bridges, Matthew J.; Triantafyllis, Spyridon; Ottoni, Guilherme; Raman, Easwaran; August, David I.

doi:10.1109/cgo.2005.27

Cited by 24 publications

(6 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Alaska's overheads could be further improved with memory analysis [29,37,44,47], which can say when a value is definitely a handle or not. This would allow the compiler to completely eliminate the conditional check and branch before translation.…”

Section: Overhead Varies But Is Overall Lowmentioning

confidence: 99%

Getting a Handle on Unmanaged Memory

Wanninger,

McMichen,

Campanoni

et al. 2024

Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems,

View full text Add to dashboard Cite

The inability to relocate objects in unmanaged languages brings with it a menagerie of problems. Perhaps the most impactful is memory fragmentation, which has long plagued applications such as databases and web servers. These issues either fester or require Herculean programmer effort to address on a per-application basis because, in general, heap objects cannot be moved in unmanaged languages. In contrast, managed languages like C# cleanly address fragmentation through the use of compacting garbage collection techniques built upon heap object movement. In this work, we bridge this gap between unmanaged and managed languages through the use of handles, a level of indirection allowing heap object movement. Handles open the door to seamlessly employing runtime features from managed languages in existing, unmodified code written in unmanaged languages. We describe a new compiler and runtime system, Alaska, that acts as a drop-in replacement for malloc. Without any programmer effort, the Alaska compiler transforms pointer-based code to utilize handles, with optimizations to minimize performance impact. A codesigned runtime system manages this new level of indirection and exploits heap object movement via an extensible service interface. We investigate the overheads of Alaska on large benchmarks and applications spanning multiple domains. To show the power and extensibility of handles, we use Alaska to eliminate fragmentation on the heap through defragmentation, reducing memory usage by up to 40% in Redis.

show abstract

Section: Overhead Varies But Is Overall Lowmentioning

confidence: 99%

Getting a Handle on Unmanaged Memory

Wanninger,

McMichen,

Campanoni

et al. 2024

Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems,

View full text Add to dashboard Cite

show abstract

“…Binary Memory Dependence Analysis. There has been a long history of efforts to approach the problem of analyzing memory dependencies in executables [5,6,11,16,22,34,35,71,96]. Debray et al [22] and Cifuentes et al [16] pioneered this field by using abstract interpretation to propagate the abstract domain along the registers of each instruction.…”

Section: Related Workmentioning

confidence: 99%

“…Over the last two decades, researchers have made numerous attempts to improve the accuracy and performance of binary memory dependence analysis [5,6,11,16,22,34,71]. The most common approach often involves statically computing and propagating an over-approximated set of values that each register and memory address can contain at each program point using abstract interpretation.…”

Section: Introductionmentioning

confidence: 99%

NeuDep: neural binary memory dependence analysis

Pei

She

Wang

et al. 2022

Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Enginee

View full text Add to dashboard Cite

Determining whether multiple instructions can access the same memory location is a critical task in binary analysis. It is challenging as statically computing precise alias information is undecidable in theory. The problem aggravates at the binary level due to the presence of compiler optimizations and the absence of symbols and types. Existing approaches either produce significant spurious dependencies due to conservative analysis or scale poorly to complex binaries.We present a new machine-learning-based approach to predict memory dependencies by exploiting the model's learned knowledge about how binary programs execute. Our approach features (i) a self-supervised procedure that pretrains a neural net to reason over binary code and its dynamic value flows through memory addresses, followed by (ii) supervised finetuning to infer the memory dependencies statically. To facilitate efficient learning, we develop dedicated neural architectures to encode the heterogeneous inputs (i.e., code, data values, and memory addresses from traces) with specific modules and fuse them with a composition learning strategy.We implement our approach in NeuDep and evaluate it on 41 popular software projects compiled by 2 compilers, 4 optimizations, and 4 obfuscation passes. We demonstrate that NeuDep is more precise (1.5×) and faster (3.5×) than the current state-of-the-art. Extensive probing studies on security-critical reverse engineering tasks suggest that NeuDep understands memory access patterns, learns function signatures, and is able to match indirect calls. All

show abstract

“…The static single assignment-assignment (SSA) form [18] has been used in many studies to overcome such difficulties. Therefore, similar to vllpa [19], we converted the binary to an SSA form, as shown in Fig. 2(c).…”

Section: B Null Pinter Dereference In Binarymentioning

confidence: 99%

“…Pointer aliasing is a key challenge in binary NPD detection. VLLPA [19] proposed an IR-level alias analysis. They first presented context-sensitive and partially flow-sensitive points for a lowlevel analysis.…”

Section: B Alias Analysis In Binarymentioning

confidence: 99%

NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary

et al. 2021

View full text Add to dashboard Cite

Null pointer dereference (NPD) is a widespread vulnerability that occurs whenever an executing program attempts to dereference a null pointer. NPD vulnerability can be exploited by hackers to maliciously crash a process to cause a denial of service or execute an arbitrary code under specific conditions. This typical taintstyle vulnerability requires an accurate data dependency analysis to trace whether a source is propagated to a sensitive sink without proper sanitization. The primary challenge in data dependency analysis is pointer aliasing, which may significantly affect the vulnerability detection accuracy. Although there have been many studies and open-source tools, they still have limitations when detecting a real-world binary. In this paper, we propose a static binary analysis approach to detect an NPD vulnerability. To improve detection accuracy and practicality, we first identify two challenges that affect the accuracy of binary NPD detection: (i) pointer aliasing, and (ii) untrusted source identification. Then we implement a prototype of the proposed approach, NPDHunter, and evaluate it against 318 test cases provided by Juliet Test Suite v1.3. For the Juliet dataset, NPDHunter is accurate in detecting NPDs and generates 0% false negatives; as compared to bap-toolkit and cwe_checker, which have false-negative rates of 70.89% and 89.81%, respectively. We also evaluate NPDHunter for real-world binaries which recently reported NPD vulnerability. We have analyzed XNU kernel (large-scale), Redis, Bitlbee, libredwg, and libvncserver binaries and NPDHunter can detect all NPD cases, which justifies its usefulness for real-world binaries; compiled for x86_64 architecture.

show abstract

Practical and Accurate Low-Level Pointer Analysis

Cited by 24 publications

References 18 publications

Getting a Handle on Unmanaged Memory

Getting a Handle on Unmanaged Memory

NeuDep: neural binary memory dependence analysis

NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary

Contact Info

Product

Resources

About