User-input dependence analysis via graph reachability

Authors:
Bernhard Scholz;Chenyi Zhang;Cristina Cifuentes
Affiliations:
Sun Microsystems Laboratories, Brisbane, Australia;Sun Microsystems Laboratories, Brisbane, Australia;Sun Microsystems Laboratories, Brisbane, Australia
Venue:
User-input dependence analysis via graph reachability
Year:
2008

Citing 20
Cited 6

The program dependence graph and its use in optimization

ACM Transactions on Programming Languages and Systems (TOPLAS)
The program dependence web: a representation supporting control-, data-, and demand-driven interpretation of imperative languages

PLDI '90 Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation
Efficiently computing static single assignment form and the control dependence graph

ACM Transactions on Programming Languages and Systems (TOPLAS)
The transitive closure of control dependence: the iterated join

ACM Letters on Programming Languages and Systems (LOPLAS)
Precise interprocedural dataflow analysis via graph reachability

POPL '95 Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Efficient building and placing of gating functions

PLDI '95 Proceedings of the ACM SIGPLAN 1995 conference on Programming language design and implementation
A theory of type qualifiers

Proceedings of the ACM SIGPLAN 1999 conference on Programming language design and implementation
Global Data Flow Analysis and Iterative Algorithms

Journal of the ACM (JACM)
A static analyzer for finding dynamic programming errors

Software—Practice & Experience
Certification of programs for secure information flow

Communications of the ACM
The SLAM project: debugging system software via static analysis

POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
ESP: path-sensitive program verification in polynomial time

PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Extended static checking for Java

PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Inside the Slammer Worm

IEEE Security and Privacy
LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation

Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization
Efficient path conditions in dependence graphs for software safety analysis

ACM Transactions on Software Engineering and Methodology (TOSEM)
Sound and precise analysis of web applications for injection vulnerabilities

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Checking system rules using system-specific, programmer-written compiler extensions

OSDI'00 Proceedings of the 4th conference on Symposium on Operating System Design & Implementation - Volume 4
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Dytan: a generic dynamic taint analysis framework

Proceedings of the 2007 international symposium on Software testing and analysis

Parfait: designing a scalable bug checker

Proceedings of the 2008 workshop on Static analysis
Tainted flow analysis on e-SSA-form programs

CC'11/ETAPS'11 Proceedings of the 20th international conference on Compiler construction: part of the joint European conferences on theory and practice of software
Towards fully automatic placement of security sanitizers and declassifiers

POPL '13 Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Divergence analysis

ACM Transactions on Programming Languages and Systems (TOPLAS)
Automatic mediation of privacy-sensitive resource access in smartphone applications

SEC'13 Proceedings of the 22nd USENIX conference on Security
Efficient static checker for tainted variable attacks

Science of Computer Programming

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security vulnerabilities are software bugs that are exploited by an attacker. Systems software is at high risk of exploitation: attackers commonly exploit security vulnerabilities to gain control over a system, remotely, over the internet. Bug-checking tools have been used with fair success in recent years to automatically find bugs in software. However, for finding software bugs that can cause security vulnerabilities, a bug checking tool must determine whether the software bug can be controlled by user-input. In this paper we introduce a static program analysis for computing user-input dependencies. This analysis is used as a pre-processing filter to our static bug checking tool, currently under development, to identify bugs that can be exploited as security vulnerabilities. Runtime speed and scalability of the user-input dependence analysis is of key importance if the analysis is used for large commercial systems software. Our user-input dependency analysis takes both data and control dependencies into account. We extend Static Single Assignment (SSA) form by augmenting phi-nodes with control dependencies of its arguments. A formal definition of user-input dependency is expressed in a dataflow analysis framework as a Meet-Over-all-Paths (MOP) solution. We reduce the equation system to a sparse equation system exploiting the properties of SSA. The sparse equation system is solved as a reachability problem that results in a fast algorithm for computing user- input dependencies. We have implemented a call-insensitive and a call-sensitive version of the analysis. The paper compares their efficiency and effectiveness for various systems codes.