Null pointer dereference,which may allow attackers to bypass security logic or reveal sensitive information in operating system,is a common programming bug in C/C++ programs and therefore has been an important research subject in computer security.Many (automatic) analysis tools have been proposed to detect this bug.However,all these tools run on the source code.Many commercial softwares come with no source code,and these tools running on the source code cannot detect null pointer dereferences in them.Some null pointer dereference defects are introduced by the compiling configurations or the compiler's optimizations and the tools running on the source code cannot detect them as well.So it is necessary to develop tools that can detect null pointer dereference directly on the binaries.One advantage of null pointer dereference detection on the binaries is that the library code will be included in the analysis and the source code based detections usually use crafted summaries for the library function which may lower the precision and recall.In this paper,we present and implement NPtrChecker,the first analysis tool for null pointer dereferences detection,which accepts binary programs as inputs,outputs the location where null pointers come from,where dereferences occur and the corresponding path conditions.One difficulty of null pointer dereferences detection on the binaries is that the information about pointer type and structure type is missing in binaries.Without these information,the detection can have bad performance on accuracy.However,it is hard to recover the data structure definitions from the binaries.We propose a memory model to differentiate different fields of data structures without restoring the data structures and type information.This memory model is the basis of our field sensitive pointer analysis for null pointer dereference analysis.We continue to design a context sensitive dataflow analysis algorithm based on the function summary techniques,and the algorithm improves the precision of the analysis.To reduce false positives as many as possible,we also leverage weakest precondition to filter out the unreachable paths reported by dataflow analysis.The report will be removed if the path conditions from source to the sink that dereferences the pointer cannot be satisfied.We apply NPtrChecker to 11 programs in the SPEC2000 benchmark and 37 suspicious null pointer dereference defects are reported.Among them 22 reports are proved to be true defects by manual examinations.In contrast,the tool Saturn reports 92 defects and only 13 are true positive and LUKE reports 3 defects and only 2 are true positive.This shows that our method can detects more null pointer dereferences and keep the false positive at low level.%空指针解引用是C/C++程序中常见的一类程序错误,它可让攻击者旁路安全机制或窥探操作系统敏感信息,一直是计算机安全领域的重要研究课题之一.目前已有很多(自动)分析工具对其进行检测,然而它们都在源代码层面上进行检测.大量的商业软件不公开源代码,因此基于源代码的工具无法对这类软件中空指针解引用进行检测.此外,一些空指针解引用无法在源代码层面检测,因为这些缺陷由编译选项和编译优化不当引入.因此进行基于二进制的空指针解引用检测非常必要.基于二进制的空指针解引用检测的一个优势是可以包含库函数的代码,而基于源代码的分析通常采用人工构造的库函数摘要,从而影响检测的准确性和召回率.该文首次提出并实现了面向二进制程序的空指针解引用静态检测工具NPtrChecker,直接接受二进制程序进行分析,并给出代码中出现空指针的来源和解引用的位置以及对应的路径条件.在二进制上进行空指针解引用检测的一个重要难点是二进制程序中缺少指针类型、结构体类型等相关数据类型信息.如果缺乏这类信息,会导致分析结果的准确率大大降低.但是从二进制中恢复类型、数据结构本身是非常困难的问题.针对上述问题,我们提出了一种内存模型,区分来自同一数据结构的不同域的引用,实现了针对空指针解引用检测的域敏感指针分析.为了进一步提高分析的准确率,文章在此基础上设计实现了一套基于函数摘要的上下文敏感的数据流分析算法.此外,工具采用最弱前置条件对数据流分析结果进行验证,检查从指针来源到解引用点的路径条件是否可以被满足,以降低误报率.我们应用NPtrChecker分析了SPEC2000中的11个程序,总共报告了37个可疑空指针解引用,通过人工确认,其中22个是真实的程序错误.相对于Saturn报告的92个,仅13个为真;LUKE报告的3个,2个为真,而文中的工具检测出了更多的空指针解引用错误,同时保持了较低的误报率.
展开▼
