Abstract
While modern static analysis tools are capable of finding both standard vulnerabilities and complex patterns, implementing such tools is expensive in terms of both development time and runtime performance. In recent years, domain-specific languages such as Datalog have gained popularity because they dramatically simplify the development of analyses and rule sets. Similarly, intermediate representations such as LLVM-IR are used to facilitate static source code analysis. In this paper, we present VANDALIR, a vulnerability analyzer and detector based on Datalog and LLVM-IR. VANDALIR is a static source code analyzer that allows users to define and customize detection rules in a high-level, declarative way. We implement VANDALIR as a comprehensive static analysis tool, aiming to simplify vulnerability detection through a new combination of modern technologies. In addition to the novel design of VANDALIR, we present a predefined detection rule set covering stack-based memory corruption, double free and format string vulnerabilities. As we show, our rule set achieves a detection rate of over 90% on test cases from the Juliet Test Suite, outperforming well-established vulnerability scanners such as the Clang Static Analyzer. Furthermore, we evaluated VANDALIR on open source projects and could reproduce existing vulnerabilities as well as identify previously unknown vulnerabilities.
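To illustrate the approach the abstract describes (declarative detection rules evaluated over facts extracted from LLVM-IR), here is an added example that is not code from the paper and not VANDALIR's own rule set or Soufflé syntax. It hard-codes a tiny bottom-up Datalog evaluator in Python and expresses a double-free rule as three Horn clauses over constructed facts. The relation names `free_call`, `reassigned` and `succ`, the instruction numbering, and the use of a single named pointer variable instead of LLVM SSA values are all assumptions made for the example.

```python
"""Toy Datalog-style double-free detector over constructed LLVM-IR-like facts.

Added example (assumptions): relations free_call(I, P), reassigned(I, P) and
succ(I, J) stand in for facts a real front end would extract from LLVM-IR
(call to free, redefinition of the pointer, control-flow edge). A real
analysis would track the alloca'd slot or the points-to set of %values rather
than a plain variable name, which is simplified away here.
"""
from typing import Dict, Set, Tuple

Fact = Tuple
Facts = Dict[str, Set[Fact]]


def fixpoint(facts: Facts) -> Facts:
    """Naive bottom-up evaluation: re-apply every rule until no new tuple appears.

    This is the job a Datalog engine such as Soufflé does for you; the rules
    themselves are the three comprehensions below.
    """
    db: Facts = {name: set(rows) for name, rows in facts.items()}
    db.setdefault("freed_at", set())      # freed_at(J, P): P is already freed on entry to J
    db.setdefault("double_free", set())   # double_free(J, P): J frees an already-freed P
    while True:
        before = sum(len(rows) for rows in db.values())

        # freed_at(J, P) :- free_call(I, P), succ(I, J).
        db["freed_at"] |= {
            (j, p)
            for (i, p) in db["free_call"]
            for (i2, j) in db["succ"]
            if i == i2
        }
        # freed_at(K, P) :- freed_at(J, P), succ(J, K), !reassigned(J, P).
        # Negation over the extensional relation reassigned/2 is stratified, so
        # the naive iteration is sound here.
        db["freed_at"] |= {
            (k, p)
            for (j, p) in db["freed_at"]
            for (j2, k) in db["succ"]
            if j == j2 and (j, p) not in db["reassigned"]
        }
        # double_free(J, P) :- freed_at(J, P), free_call(J, P).
        db["double_free"] |= {
            (j, p) for (j, p) in db["freed_at"] if (j, p) in db["free_call"]
        }

        if sum(len(rows) for rows in db.values()) == before:
            return db


# Constructed facts for one function, mirroring the shape of LLVM-IR with
# instruction ids instead of %values and a single tracked pointer "p":
#   1: p = malloc(..)   2: free(p)          3: br cond, 4, 5
#   4: free(p)          <- double free on the "then" path
#   5: p = malloc(..)   6: free(p)          <- safe: p was reassigned at 5
#   7: ret
SAMPLE_FACTS: Facts = {
    "free_call": {(2, "p"), (4, "p"), (6, "p")},
    "reassigned": {(5, "p")},
    "succ": {(1, 2), (2, 3), (3, 4), (3, 5), (4, 7), (5, 6), (6, 7)},
}


def find_double_frees(facts: Facts) -> Set[Tuple[int, str]]:
    """Return the set of (instruction id, pointer) pairs flagged as double frees."""
    return set(fixpoint(facts)["double_free"])


if __name__ == "__main__":
    for instr, var in sorted(find_double_frees(SAMPLE_FACTS)):
        print(f"double free of {var} at instruction {instr}")
```

The point of the example is the size of the rule set relative to the engine: the detection logic is three clauses, while path enumeration, reachability and the fixpoint are the evaluator's concern. Dropping the `reassigned` fact at instruction 5 makes the rule also flag instruction 6, which shows why a kill relation (and, in a real analysis, a points-to relation) is part of the rule rather than an afterthought.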
Acknowledgments
We would like to thank Behrad Garmany for his support during the creation of VANDALIR, as well as Sam L. Thomas, and the anonymous reviewers for helping us improve this paper.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Schilling, J., Müller, T. (2022). VANDALIR: Vulnerability Analyses Based on Datalog and LLVM-IR. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_6
DOI: https://doi.org/10.1007/978-3-031-09484-2_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-09483-5
Online ISBN: 978-3-031-09484-2
eBook Packages: Computer Science, Computer Science (R0)