Efficient Flow-Sensitive Pointer Analysis on Full-Sparse Memory SSA

Pointer analysis is a fundamental research topic in computer science. It statically determines the potential runtime targets of pointers. Many clients benefit from this information, including compiler optimization, bug detection, security analysis and change impact analysis, etc. As a key dimension in pointer analysis, flow-sensitivity improves its precision by considering program execution order. Ideally, flow-sensitive pointer analysis should be performed by analyzing each program path independently. However, even ignoring the branch conditions, such solution remains intractable and extremely expensive for whole program analysis due to potentially unbounded program paths. Finding the right balance between precision and efficiency in flow-sensitive pointer analysis lies at the heart of pointer analysis. In this thesis, we first introduce an efficient inter-procedural full-sparse memory SSA construction algorithm. Then we improve flow-sensitive pointer analysis based on the memory SSA with the following two contributions: First, Selfs, a region-based selective flow-sensitive pointer analysis, is proposed to allow precision and efficiency trade-offs to be made according to region partitioning. By maintaining flow-sensitivity between regions instead of statements, Selfs is faster than the state-of-the-art full-sparse flow-sensitive analysis while achieving the same precision when used for alias queries. Second, Spas explores the intra-procedural path correlations on top of sparse flow-sensitive and context-sensitive pointer analysis. By using binary decision diagrams to represent the compact path conditions, Spas improves the precision of pointer analysis while only introducing a small overhead

CONFLLVM: A Compiler for Enforcing Data Confidentiality in Low-Level Code

We present an instrumenting compiler for enforcing data confidentiality in low-level applications (e.g. those written in C) in the presence of an active adversary. In our approach, the programmer marks secret data by writing lightweight annotations on top-level definitions in the source code. The compiler then uses a static flow analysis coupled with efficient runtime instrumentation, a custom memory layout, and custom control-flow integrity checks to prevent data leaks even in the presence of low-level attacks. We have implemented our scheme as part of the LLVM compiler. We evaluate it on the SPEC micro-benchmarks for performance, and on larger, real-world applications (including OpenLDAP, which is around 300KLoC) for programmer overhead required to restructure the application when protecting the sensitive data such as passwords. We find that performance overheads introduced by our instrumentation are moderate (average 12% on SPEC), and the programmer effort to port OpenLDAP is only about 160 LoC.Comment: Technical report for CONFLLVM: A Compiler for Enforcing Data Confidentiality in Low-Level Code, appearing at EuroSys 201

ProbeGuard:Mitigating Probing Attacks Through Reactive Program Transformations

Many modern defenses against code reuse rely on hiding sensitive data such as shadow stacks in a huge memory address space. While much more efficient than traditional integritybased defenses, these solutions are vulnerable to probing attacks which quickly locate the hidden data and compromise security. This has led researchers to question the value of information hiding in real-world software security. Instead, we argue that such a limitation is not fundamental and that information hiding and integrity-based defenses are two extremes of a continuous spectrum of solutions. We propose a solution, ProbeGuard, that automatically balances performance and security by deploying an existing information hiding based baseline defense and then incrementally moving to more powerful integrity-based defenses by hotpatching when probing attacks occur. ProbeGuard is efficient, provides strong security, and gracefully trades off performance upon encountering more probing primitives

Precise static analysis of untrusted driver binaries

Most closed source drivers installed on desktop systems today have never been exposed to formal analysis. Without vendor support, the only way to make these often hastily written, yet critical programs accessible to static analysis is to directly work at the binary level. In this paper, we describe a full architecture to perform static analysis on binaries that does not rely on unsound external components such as disassemblers. To precisely calculate data and function pointers without any type information, we introduce Bounded Address Tracking, an abstract domain that is tailored towards machine code and is path sensitive up to a tunable bound assuring termination. We implemented Bounded Address Tracking in our binary analysis platform Jakstab and used it to verify API specifications on several Windows device drivers. Even without assumptions about executable layout and procedures as made by state of the art approaches, we achieve more precise results on a set of drivers from the Windows DDK. Since our technique does not require us to compile drivers ourselves, we also present results from analyzing over 300 closed source drivers