Missing checks for untrusted inputs used in security-sensitive operations is one of the major causes of various vulnerabilities. Efficiently detecting and repairing missing checks are essential for prognosticating potential vulnerabilities and improving code reliability. We propose a systematic static analysis approach to detect missing checks for manipulable data used in security-sensitive operations of C/C++ programs and recommend repair references. First, customized securitysensitive operations are located by lightweight static analysis. Then, the assailability of sensitive data used in securitysensitive operations is determined via taint analysis. And, the existence and the risk degree of missing checks are assessed. Finally, the repair references for high-risk missing checks are recommended. We implemented the approach into an automated and cross-platform tool named Vanguard based on Clang/LLVM 3.6.0. Large-scale experimental evaluation on open-source projects has shown its effectiveness and efficiency. Furthermore, Vanguard has helped us uncover five known vulnerabilities and 12 new bugs.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Price excludes VAT (USA)
Tax calculation will be finalised during checkout.
Piromsopa K, Enbody R J. Survey of protections from buffer-overflow attacks. Engineering Journal, 2011, 15(2): 31-52.
Sipser M. Introduction to the Theory of Computation (2nd edition). Course Technology, 2006.
Gao F, Wang L, Li X. BovInspector: Automatic inspection and repair of buffer overflow vulnerabilities. In Proc. the 31st Int. Conference on Automated Software Engineering, September 2016, pp.786-791.
Chen G, Jin H, Zou D, Zhou B, Liang Z, Zheng W, Shi X. SafeStack: Automatically patching stack-based buffer overflow vulnerabilities. IEEE Trans. Dependable and Secure Computing, 2013, 10(6): 368-379.
Wang T, Wei T, Lin Z, Zou W. IntScope: Automatically detecting integer overflow vulnerability in X86 binary using symbolic execution. In Proc. the 16th Network and Distributed System Security Symposium, February 2009, Article No. 17.
Dietz W, Li P, Regehr J, Adve V. Understanding integer overflow in C/C++. ACM Trans. Software Engineering and Methodology, 2015, 25(1): Article No. 2.
Lee B, Song C, Jang Y et al. Preventing use-after-free with Dangling pointers nullification. In Proc. the 22th Annual Network and Distributed System Security Symposium, February 2015, Article No. 21.
Yan H, Sui Y, Chen S, Xue J. Spatio-temporal context reduction: A pointer-analysis-based static approach for detecting use-after-free vulnerabilities. In Proc. the 40th Int. Software Conference on Engineering, May 2018, pp.327-337.
Li M, Chen Y, Wang L, Xu G. Dynamically validating static memory leak warnings. In Proc. the 22nd Int. Symposium on Software Testing and Analysis, July 2013, pp.112-122.
Sui Y, Ye D, Xue J. Detecting memory leaks statically with full-sparse value-flow analysis. IEEE Trans. Software Engineering, 2014, 40(2): 107-122.
Szekeres L, Payer M, Wei T, Dawn S. SoK: Eternal war in memory. In Proc. the 34th Int. IEEE Symposium on Security and Privacy, May 2013, pp.48-62.
Das A, Lal A. Precise null pointer analysis through global value numbering. In Proc. the 15th Int. Symposium on Automated Technology for Verification and Analysis, October 2017, pp.25-41.
Akritidis P, Costa M, Castro M, Hand S. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In Proc. the 18th USENIX Security Symposium, August 2009, pp.51-66.
Kim D, Nam J, Song J et al. Automatic patch generation learned from human-written patches. In Proc. the 35th Int. Conference on Software Engineering, May 2013, pp.802-811.
Li P, Cui B. A comparative study on software vulnerability static analysis techniques and tools. In Proc. the 2010 International Conference on Information Theory and Information Security, Dec. 2010, pp.521-524.
Wagner D A, Foster J S, Brewer E A, Aiken A. A first step towards automated detection of buffer overrun vulnerabilities. In Proc. the 7th Network and Distributed System Security Symposium, February 2000, Article No. 1.
Situ L, Zou L, Wang L, Liu Y, Mao B, Li X. Detecting missing checks for identifying insufficient attack protections. In Proc. the 40th Int. Conference on Software Engineering, May 2018, pp.238-239.
Ming J,Wu D, Xiao G,Wang J, Liu P. TaintPipe: Pipelined symbolic taint analysis. In Proc. the 24th USENIX Security Symposium, August 2015, pp.65-80.
Cadar C, Sen K. Symbolic execution for software testing: Three decades later. Commun. ACM, 2013, 56(2): 82-90.
Li Y, Su Z, Wang L, Li X. Steering symbolic execution to less traveled paths. In Proc. the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications, October 2013, pp.19-32.
Majumdar R, Sen K. Hybrid concolic testing. In Proc. the 29th Int. Conference on Software Engineering, May 2007, pp.416-426.
Seo H, Kim S. How we get there: A context-guided search strategy in concolic testing. In Proc. the 22nd Int. Symposium on Foundations of Software Engineering, November 2014, pp.413-424.
Bérard B, Bidoit M, Finkel A, Laroussinie F, Petit A, Petrucci L, Schnoebelen P, McKenzie P. Systems and Software Verification: Model-Checking Techniques and Tools. Springer, 2001.
Situ L, Zhao L. CSP bounded model checking of preprocessed CTL extended with events using answer set programming. In Proc. the 2015 Asia-Pacific Software Engineering Conference, December 2015, pp.16-23.
Sutton M, Greene A, Amini P. Fuzzing: Brute Force Vulnerability Discovery (1st edition). Addison-Wesley Professional, 2007.
Stephens N, Grosen J, Salls C et al. Driller: Augmenting fuzzing through selective symbolic execution. In Proc. the 23rd Annual Network and Distributed System Security Symposium, February 2016, Article No. 28.
Yamaguchi F, Wressnegger C, Gascon H et al. Chucky: Exposing missing checks in source code for vulnerability discovery. In Proc. the 2013 ACM SIGSAC Conference on Computer & Communications Security, November 2013, pp.499-510.
Son S, McKinley K S, Shmatikov V. RoleCast: Finding missing security checks when you do not know what checks are. In Proc. the 26th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, October 2011, pp.1069-1084.
Lattner C. LLVM and Clang: Next generation compiler technology. https://clvm.org, July 2019.
Ryder B G. Constructing the call graph of a program. IEEE Trans. Software Engineering, 1979, 5(3): 216-226.
Stanier J, Watson D. Intermediate representations in imperative compilers: A survey. ACM Computing Surveys, 2013, 45(3): Article No. 26.
Pendleton M, Garcia-Lebron R, Cho J H, Xu S. A survey on systems security metrics. ACM Computing Surveys, 2017, 49(4): Article No. 62.
Gao F, Chen T, Wang Y, Situ L, Wang L, Li X. Carraybound: Static array bounds checking in C programs based on taint analysis. In Proc. the 8th Int. Asia-Pacific Symposium on Internetware, September 2016, pp.81-90.
Ceara D, Potet M L, Ensimag G I, Mounier, L. Detecting software vulnerabilities-static taint analysis. https://docplayer.net/18105375-Detecting-software-vulnerabilities-static-taint-analysis.html, July 2019.
Lalande J F, Heydemann K, Berthomé P. Software countermeasures for control flow integrity of smart card C codes. In Proc. the 19th European Symposium on Research in Computer Security, Sept. 2014, pp.200-2018.
Kang M G, McCamant S, Poosankam P, Dawn S. DTA++: Dynamic taint analysis with targeted control-flow propagation. In Proc. the 18th Network and Distributed System Security Symposium, February 2011, Article No. 15.
Li L, Bartel A, Klein J, Traon Y L, Arzt S, Rasthofer S, Bodden E, Octeau D, Mcdaniel P. I know what leaked in your pocket: Uncovering privacy leaks on Android Apps with static taint analysis. arXiv:1404.7431, 2014. https://arxiv.org/pdf/1404.7431.pdf, June 2019.
Schwartz E J, Avgerinos T, Brumley D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proc. the 31st IEEE Symposium on Security and Privacy, May 2010, pp.317-331.
Clause J, Li W, Orso A. Dytan: A generic dynamic taint analysis framework. In Proc. the 16th ACM/SIGSOFT Int. Symposium on Software Testing and Analysis, July 2007, pp.196-206.
Jovanovic N, Krüegel C, Kirda E. Pixy: A static analysis tool for detectingWeb application vulnerabilities (Short Paper). In Proc. the 27th IEEE Symposium on Security and Privacy, May 2006, pp.258-263.
Chang R, Jiang G, Ivancic F, Sankaranarayanan S, Shmatikov V. Inputs of coma: Static detection of denial-of-service vulnerabilities. In Proc. the 22nd IEEE Computer Security Foundations Symposium, July 2009, pp.186-199.
Kremenek T, Engler D. Z-Ranking: Using statistical analysis to counter the impact of static analysis approximations. In Proc. the 10th Int. Symposium on Static Analysis, June 2003, pp.295-315.
Kim S, Ernst M D. Prioritizing warning categories by analyzing software history. In Proc. the 4th Workshop on Mining Software Repositories, May 2007, pp.27-31.
Ha J, Rossbach C J, Davis J V, Roy I, Ramadan H E, Porter D E, Chen D L, Witchel E. Improved error reporting for software that uses black-box components. In Proc. the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2007, pp.101-111.
Situ L, Wang L, Liu Y, Mao B, Li X. Vanguard: Detecting missing checks for prognosing potential vulnerabilities. In Proc. the 10th Asia-Pacific Symposium on Internetware, September 2018, Article No. 5.
Goues L C, Nguyen T V, Forrest S et al. GenProg: A generic method for automatic software repair. IEEE Trans. Software Engineering, May 2011, 38(1): 54-72.
Qi Y, Mao X, Lei Y, Dai Z,Wang C. The strength of random search on automated program repair. In Proc. the 36th Int. Conference on Software Engineering, May 2014, pp.254-265.
Xiong Y, Wang J, Yan R, Zhang J, Han S, Huang G, Zhang L. Precise condition synthesis for program repair. In Proc. the 39th Int. Conference on Software Engineering, May 2017, pp.416-426.
Tan S H, Roychoudhury A. Relifix: Automated repair of software regressions. In Proc. the 37th IEEE/ACM International Conference on Software Engineering, May 2015, pp.471-482.
Nguyen H D T, Qi D, Roychoudhury A, Chandra S. Sem-Fix: Program repair via semantic analysis. In Proc. the 35th Int. Conference on Software Engineering, May 2013, pp.772-781.
Mechtaev S, Yi J, Roychoudhury A. Angelix: Scalable multiline program patch synthesis via symbolic analysis. In Proc. the 38th Int. Conference on Software Engineering, May 2016, pp.691-701.
Le X B D, Chu D H, Lo D, Le G C, Visser W. JFIX: Semantics-based repair of Java programs via symbolic PathFinder. In Proc. the 26th ACM SIGSOFT Int. Symposium on Software Testing and Analysis, July 2017, pp.376-379.
Gupta R, Pal S, Kanade A, Shevade S. DeepFix: Fixing common C language errors by deep learning. In Proc. the 31st AAAI Conference on Artificial Intelligence, February 2017, pp.1345-1351.
Wang C, Jiang Y, Zhao X, Song X, Gu M. Weak-Assert: A weakness-oriented assertion recommendation toolkit for program analysis. In Proc. the 40th Int. Conference on Software Engineering, May 2018, pp.69-72.
Electronic supplementary material
About this article
Cite this article
Situ, LY., Wang, LZ., Liu, Y. et al. Automatic Detection and Repair Recommendation for Missing Checks. J. Comput. Sci. Technol. 34, 972–992 (2019). https://doi.org/10.1007/s11390-019-1955-3