Skip to main content
SpringerLink
Log in

VANDALIR: Vulnerability Analyses Based on Datalog and LLVM-IR

  • Conference paper
  • First Online:
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13358))

Abstract

While modern-day static analysis tools are capable of finding standard vulnerabilities as well as complex patterns, implementing those tools is expensive regarding both development time and runtime performance. During the last years, domain specific languages like Datalog have gained popularity as they simplify the development process of analyses and rule sets dramatically. Similarly, intermediate representations like LLVM-IR are used to facilitate static source code analysis. In this paper, we present VANDALIR, a vulnerability analyzer and detector based on Datalog and LLVM-IR. VANDALIR is a static source code analyzer that allows to define and customize detection rules in a high-level, declarative way. We implement VANDALIR as a comprehensive static analysis tool, aiming to simplify vulnerability detection by a new combination of modern technologies. Besides the novel design of VANDALIR, we present a predefined detection rule set covering stack-based memory corruption, double free and format string vulnerabilities. As we show, our rule set achieves a detection rate of over 90% on test cases from the Juliet Test Suite, outperforming well-established vulnerability scanners such as the Clang Static Analyzer. Furthermore, we evaluated VANDALIR on open source projects and could reproduce existing vulnerabilities as well as identify previously unknown vulnerabilities.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Andersen, L.O.: Program analysis and specialization for the C programming language. Ph.D. thesis, Citeseer (1994)

    Google Scholar 

  2. Antoniadis, T., Triantafyllou, K., Smaragdakis, Y.: Porting doop to soufflé: a tale of inter-engine portability for datalog-based analyses. In: Proceedings of the 6th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis, pp. 25–30 (2017)

    Google Scholar 

  3. Arusoaie, A., Ciobâca, S., Craciun, V., Gavrilut, D., Lucanu, D.: A comparison of open-source static analysis tools for vulnerability detection in c/c++ code. In: 2017 19th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pp. 161–168. IEEE (2017)

    Google Scholar 

  4. Balatsouras, G., Smaragdakis, Y.: Structure-sensitive points-to analysis for C and C++. In: Rival, X. (ed.) SAS 2016. LNCS, vol. 9837, pp. 84–104. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53413-7_5

    Chapter  Google Scholar 

  5. Criswell, J., Johnson, E., Pronovost, C.: Tutorial: Llvm for security practitioners. In: IEEE Secure Development Conference (2020)

    Google Scholar 

  6. Dhir, A.: Open TFTP Server - Project Website (2019). https://sourceforge.net/projects/tftp-server/, Accessed 22 May 2021

  7. Dillig, I., Dillig, T., Aiken, A.: Sail: static analysis intermediate language with a two-level representation. Technical report (2009)

    Google Scholar 

  8. Gao, Y., Chen, L., Shi, G., Zhang, F.: A comprehensive detection of memory corruption vulnerabilities for c/c++ programs. In: 2018 IEEE International Conference on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom), pp. 354–360. IEEE (2018)

    Google Scholar 

  9. Garmany, B.: Mentalese-an architecture-agnostic analysis framework for binary executables (2021)

    Google Scholar 

  10. Garmany, B., Stoffel, M., Gawlik, R., Holz, T.: Static detection of uninitialized stack variables in binary code. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 68–87. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_4

    Chapter  Google Scholar 

  11. Green, T.J., Huang, S.S., Loo, B.T., Zhou, W., et al.: Datalog and Recursive Query Processing. Now Publishers, Norwell (2013)

    MATH  Google Scholar 

  12. Jain, A.: CVE-2021-3156: heap-based buffer overflow in sudo (baron samedit) (2021). https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit, Accessed 21 Apr 2021

  13. Kaur, A., Nayyar, R.: A comparative study of static code analysis tools for vulnerability detection in c/c++ and java source code. Procedia Comput. Sci. 171, 2023–2029 (2020)

    Article  Google Scholar 

  14. Kowalski, R.A.: Logic programming. Comput. Logic 9, 523–569 (2014)

    Article  Google Scholar 

  15. Lattner, C.: Llvm. In: Brown, A., Wilson, G. (eds.) The Architecture of Open Source Applications: Elegance, Evolution, and a Few Fearless Hacks, vol. 1. Lulu. com (2011)

    Google Scholar 

  16. Lifschitz, V.: Datalog programs and their stable models. In: de Moor, O., Gottlob, G., Furche, T., Sellers, A. (eds.) Datalog 2.0 2010. LNCS, vol. 6702, pp. 78–87. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24206-9_5

    Chapter  Google Scholar 

  17. Marjamäki, D.: Cppcheck - a tool for static C/C++ code analysis (2021). http://cppcheck.sourceforge.net/, Accessed 17 July 2021

  18. Miller, T.C.: Buffer overflow in command line unescaping (2021). Accessed 12 Mar 2021

    Google Scholar 

  19. Mishra, D.: GattLib 0.2 - stack buffer overflow. https://www.exploit-db.com/exploits/46215, Accessed 21 June 2021

  20. Open Source Software of Telefonaktiebolaget LM Ericsson: CodeChecker Website (2021). https://codechecker.readthedocs.io/en/latest/, Accessed 17 July 2021

  21. Part, L.A.: GattLib - GitHub repository. Lab A Part. https://github.com/labapart/gattlib, Accessed 21 June 2021

  22. Project, L.: LLVM Language Reference Manual - LLVM 12 documentation. LLVM Project (2021). https://llvm.org/docs/LangRef.html, Accessed 21 Jan 2021

  23. Project, S.: Soufflé. A Datalog Synthesis Tool for Static Analysis. Soufflé Project. https://souffle-lang.github.io/, Accessed 22 Jan 2021

  24. llvmlite Project, T.: A Lightweight LLVM Python Binding for Writing JIT Compilers - GitHub repository. The llvmlite Project. https://github.com/numba/llvmlite, Accessed 07 Feb 2021

  25. Project, T.C.: Clang Static Analyzer. The Clang Project (2021). https://clang-analyzer.llvm.org/, Accessed 17 July 2021

  26. Project, T.C.: Clang-Tidy. The Clang Project (2021). https://clang.llvm.org/extra/clang-tidy/, Accessed 17 July 2021

  27. Psallida, E.I., Balatsouras, G.: Relational representation of the LLVM intermediate language. Ph.D. thesis, BS Thesis, University of Athens (2014)

    Google Scholar 

  28. Russell, R., et al.: Automated vulnerability detection in source code using deep representation learning. In: 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 757–762 (2018). https://doi.org/10.1109/ICMLA.2018.00120

  29. Scholz, B., Jordan, H., Subotić, P., Westmann, T.: On fast large-scale program analysis in datalog. In: Proceedings of the 25th International Conference on Compiler Construction, pp. 196–206 (2016)

    Google Scholar 

  30. Schubert, P.D., Hermann, B., Bodden, E.: Phasar: an inter-procedural static analysis framework for c/c++. In: TACAS, vol. 2, pp. 393–410 (2019)

    Google Scholar 

  31. Shiraishi, S., Mohan, V., Marimuthu, H.: Test suites for benchmarks of static analysis tools. In: 2015 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pp. 12–15 (2015). https://doi.org/10.1109/ISSREW.2015.7392027

  32. Smaragdakis, Y., Bravenboer, M.: Using datalog for fast and easy program analysis. In: de Moor, O., Gottlob, G., Furche, T., Sellers, A. (eds.) Datalog 2.0 2010. LNCS, vol. 6702, pp. 245–251. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24206-9_14

    Chapter  Google Scholar 

  33. St Amour, L.: Interactive synthesis of code level security rules. Northeastern University Boston United States, Technical report (2017)

    Google Scholar 

  34. N.I., Technology of Standards: Juliet Test Suite v1.2for C/C++User Guide. National Institute of Standards and Technology (2012). Accessed 12 June 2021

    Google Scholar 

  35. Sui, Y., Xue, J.: SVF: interprocedural static value-flow analysis in llvm. In: Proceedings of the 25th International Conference on Compiler Construction, pp. 265–266 (2016)

    Google Scholar 

  36. Tsankov, P.: Security analysis of smart contracts in datalog. In: Margaria, T., Steffen, B. (eds.) ISoLA 2018. LNCS, vol. 11247, pp. 316–322. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03427-6_24

    Chapter  Google Scholar 

  37. Wagner, A., Sametinger, J.: Using the juliet test suite to compare static security scanners. In: 2014 11th International Conference on Security and Cryptography (SECRYPT), pp. 1–9. IEEE (2014)

    Google Scholar 

  38. Wheeler, D.A.: Flawfinder - Project Website (2021). https://dwheeler.com/flawfinder/, Accessed 17 July 2021

Download references

Acknowledgments

We would like to thank Behrad Garmany for his support during the creation of VANDALIR, as well as Sam L. Thomas, and the anonymous reviewers for helping us improve this paper.

Author information

Authors and Affiliations

  1. Friedrich -Alexander -Universität Erlangen -Nürnberg, Erlangen, Germany

    Joschua Schilling

  2. Hof University of Applied Sciences, Hof, Germany

    Tilo Müller

Authors
  1. Joschua Schilling
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tilo Müller
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Joschua Schilling .

Editor information

Editors and Affiliations

  1. University College London, London, UK

    Lorenzo Cavallaro

  2. Graz University of Technology, Graz, Austria

    Daniel Gruss

  3. CISPA Helmholtz Center for Information Security, Saarbrücken, Germany

    Giancarlo Pellegrino

  4. University of Cagliari, Cagliari, Italy

    Giorgio Giacinto

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Schilling, J., Müller, T. (2022). VANDALIR: Vulnerability Analyses Based on Datalog and LLVM-IR. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-09484-2_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-09483-5

  • Online ISBN: 978-3-031-09484-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation