CN116431492A - Method for detecting Use-After-Free loopholes in Rust program based on pointer analysis - Google Patents
Method for detecting Use-After-Free loopholes in Rust program based on pointer analysis Download PDFInfo
- Publication number
- CN116431492A CN116431492A CN202310360354.6A CN202310360354A CN116431492A CN 116431492 A CN116431492 A CN 116431492A CN 202310360354 A CN202310360354 A CN 202310360354A CN 116431492 A CN116431492 A CN 116431492A
- Authority
- CN
- China
- Prior art keywords
- program
- function
- control flow
- analyzing
- rust
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 87
- 238000000034 method Methods 0.000 title claims abstract description 84
- JEIPFZHSYJVQDO-UHFFFAOYSA-N iron(III) oxide Inorganic materials O=[Fe]O[Fe]=O JEIPFZHSYJVQDO-UHFFFAOYSA-N 0.000 title claims abstract description 51
- 230000006870 function Effects 0.000 claims abstract description 171
- 238000010586 diagram Methods 0.000 claims description 16
- 230000001419 dependent effect Effects 0.000 claims description 8
- 230000003068 static effect Effects 0.000 claims description 7
- 238000012546 transfer Methods 0.000 claims description 5
- 238000013507 mapping Methods 0.000 claims description 4
- 238000001514 detection method Methods 0.000 description 6
- 230000002950 deficient Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000009225 memory damage Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Prevention of errors by analysis, debugging or testing of software
- G06F11/3604—Analysis of software for verifying properties of programs
- G06F11/3612—Analysis of software for verifying properties of programs by runtime analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Prevention of errors by analysis, debugging or testing of software
- G06F11/3604—Analysis of software for verifying properties of programs
- G06F11/3608—Analysis of software for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Prevention of errors by analysis, debugging or testing of software
- G06F11/362—Debugging of software
- G06F11/3624—Debugging of software by performing operations on the source code, e.g. via a compiler
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Devices For Executing Special Programs (AREA)
Abstract
The invention discloses a method for detecting a Use-After-Free vulnerability in a Rust program based on pointer analysis. The source code of the Rust program is taken as input, and the Use-After-Free loopholes in the program are detected as output. In order to detect Use-After-Free loopholes in a Rust program, firstly, calling a related API of a Rust compiler to compile a source program to obtain a high-level intermediate representation (HIR) and a middle-level intermediate representation (MIR) of the program, and constructing a control flow graph and a function call graph of the program based on the intermediate representation; then, carrying out pointer analysis on the program according to the control flow graph and the function call graph, and gradually analyzing each function by using pointer analysis methods in the process and among the processes to obtain a pointing set of variables when the interior of the function reaches each program point; and finally, analyzing the control flow graph from top to bottom according to the obtained pointer analysis result, and searching whether the situation that the same memory is used again After the memory is released exists in the program, so as to detect the Use-After-Free loopholes in the program. The method has the advantages of accuracy and high efficiency, and can comprehensively and efficiently detect the Use-After-Free loopholes in the Rust program.
Description
Technical Field
The invention belongs to the field of program analysis and test, and particularly relates to a method for detecting a Use-After-Free vulnerability in a Rust program based on pointer analysis.
Background
Rust is a programming language aimed at building efficient, secure underlying software. The main idea is to inherit most of the characteristics of the C language and good runtime performance, but to eliminate the security problems present in the C language by strict compile-time checks, rust has become more popular in the last few years, especially in building low-level software such as operating systems and browsers. However, the current design of Rust still has side effects, and the adopted onsafe Rust can cause potential memory security holes, and a large number of errors are found in real projects. In the existing memory security hole, the Use-After-Free hole poses serious threat to the program, and serious consequences such as program crash, memory damage, data leakage and random code execution can be caused. Therefore, the tester should pay attention to the detection of Use-After-Free loopholes in the Rust program.
Currently, UAF vulnerabilities in Rust are difficult to detect and debug because they may not immediately result in a crash. Manually discovering UAF vulnerabilities is very time consuming and cannot be extended to large programs. In analyzing code associated with a heap, a developer must know very much how a pointer propagates throughout the code base. Although code associated with the heap may only occupy a small portion of the overall program, there are many possible allocation and release sequences, and UAF bug errors may only occur in a small portion of these sequences. And Rust adopts the resource management system based on ownership, the unused resources are forcedly and automatically released under the condition of not using a garbage collector, so that a developer is less likely to find when the resources are released in the process of checking, and the difficulty of detection is increased intangibly.
Although many research works have proposed a method for detecting security holes in the memory of a Rust program, most of existing methods and tools for detecting holes in a Rust program are universal detectors, and have a certain limitation in detecting use-after-free holes in the program. Most of the analysis among the processes is imperfect, and the processing function call is deficient, so that a considerable part of pointer analysis results are lost in the analysis process, thereby omitting relevant loopholes in detection, and a considerable part of existing tools are converted from the tools for C/C++ detection, so that the unique characteristics of Rust cannot be well supported, and therefore, relevant loopholes are omitted.
Disclosure of Invention
The invention aims to provide a method for detecting a Use-After-Free vulnerability in a Rust program based on pointer analysis, which is used for efficiently and comprehensively detecting the Use-After-Free vulnerability in the Rust program.
The technical scheme for realizing the purpose of the invention is as follows: a method for detecting a Use-After-Free vulnerability in a Rust program based on pointer analysis comprises the following specific steps:
and 3, analyzing the control flow graph from top to bottom according to the variable pointing result obtained by the pointer analysis algorithm, and searching whether the situation that the same memory is used again After the memory is released exists in the program, so as to detect the Use-After-Free loopholes in the program and output positioning information corresponding to the loopholes.
Preferably, in step 1, the source code of the program to be detected is compiled by using an API related to a Rust compiler to obtain a high-level intermediate representation (HIR) and a middle-level intermediate representation (MIR) of the program, and a control flow graph and a function call graph of the program are constructed according to the obtained intermediate representation, which specifically comprises the following steps:
step 1-1, compiling source codes by using a Rust compiler, calling an API related to the compiler to obtain the HIR and the MIR of the program, wherein the obtained HIR and MIR are two intermediate representation forms of the source codes of the Rust program;
step 1-2, calling MIR of the compiler related API traversal program to acquire the intermediate representation forms of the functions one by one, analyzing to obtain the control flow of the functions, and constructing a control flow graph of the functions by taking basic blocks in the MIR as nodes;
step 1-3, analyzing the obtained HIR to obtain a calling relation between functions, combining information in the MIR to obtain a position of a corresponding function call in a program, taking an ID of the function in the HIR as node information, and taking the position of the function call as information of an edge to generate a function call diagram of the program;
preferably, in step 2, static analysis is performed on the program-based control flow graph and the function call graph, and the pointer analysis method in the application process gradually analyzes basic blocks of each function control flow graph according to the control flow to obtain pointing results of variables when each function reaches each program point, and when there is a function call, the method is combined with the control flow graph of the function according to the function call graph, and the pointer analysis method in the process is used to analyze to obtain pointing results of corresponding variables, and the method specifically includes the following steps:
step 2-1: the method comprises the steps that an algorithm for analyzing pointers in a process is executed based on a control flow diagram of a program, basic blocks in the control flow diagram are sequentially analyzed according to the control flow of the program, and a final pointing result of each variable when reaching each basic block is obtained;
step 2-2: analyzing the functions represented by the nodes in the graph one by one according to the function call graph of the program and adopting the idea of topological sorting, analyzing the pointer in the process of the functions to obtain the alias relation between the shape parameters and the return values, and storing the alias relation;
step 2-3: and gradually analyzing each function by using an intra-process pointer analysis algorithm and an inter-process pointer analysis algorithm to obtain a pointing set of the time-phase dependent variable of the time phase dependent variable reaching each program point in the function, and storing the pointing set.
Preferably, the inputs of the in-process pointer analysis algorithm are a control flow graph of the function and MIRs corresponding to the function, and the following steps are executed from an entry basic block of the function:
(1) Sequentially analyzing the code statement sequence represented in the middle in the basic block, analyzing the owner variable of the value and the transfer and borrowing of ownership among the variables according to the ownership rule of Rust in the analysis process, so as to obtain the alias relation between the left value and the right value of each statement, and deriving the final pointing set of the left value variable according to the pointing result of the right value;
(2) Obtaining a subsequent basic block according to the control flow information, continuously analyzing sentences in the basic block according to the step (1), when a function call exists, obtaining an alias relation between a return value and a real parameter according to an alias relation between parameters of the called function and the return value, and combining a mapping relation of the real parameter to obtain the alias relation between the return value and the real parameter, and deducing a pointing result of the return value according to a pointing result of the real parameter, and deducing a final pointing of a left value variable in the function call sentence;
(3) And (3) gradually analyzing each basic block according to the step (1) and the step (2) until all basic blocks of the function are analyzed or the preset analysis step number algorithm is finished.
Preferably, the input of the in-process pointer analysis on the function is a control flow graph of the program and an MIR corresponding to the function, and the specific steps are as follows:
(1) Traversing the function call graph to obtain the output degree of each function node, finding out the node with zero degree, and obtaining the corresponding function represented by the node for analysis;
(2) Analyzing the function represented by the node with zero degree of output by using pointer analysis in the process to obtain the alias relation between the function parameters and the return values thereof, and subtracting one degree of output of all corresponding functions calling the function after the analysis is completed;
(3) And (3) continuously analyzing according to the step (1) and the step (2) according to the function call graph of the program until the analysis of the functions represented by all the nodes in the function call graph is completed.
Preferably, in step 3, the control flow graph is analyzed from top to bottom according to the pointing set of the variables obtained by pointer analysis, and whether the same memory is reused After the memory is released in the program is searched, so as to detect a Use-After-Free bug in the program and output positioning information corresponding to the bug, and the specific steps are as follows:
step 3-1, traversing operations of releasing values in MIR of the program to obtain all released values in the program and positions in the control flow;
step 3-2, performing reachability analysis on the control flow graph according to the pointing set of the variable obtained by pointer analysis, and analyzing backwards from the released position according to the control flow graph, wherein the method specifically comprises the following steps: analyzing whether the variable points to the released value according to the point set of the variable when each program point is reached, judging whether the corresponding variable is used again, and detecting the Use-After-Free loopholes in the program;
and 3-3, when a Use-After-Free vulnerability exists in the detection program, sequentially storing the released value and the position thereof and the position accessed again, and outputting all detected vulnerability information.
Compared with the prior art, the invention has the remarkable advantages that: (1) The method improves the inter-process analysis in the static analysis process, and can effectively and comprehensively detect the Use-After-Free loopholes in the Rust program; (2) The invention has the advantages of automating the detection process and detecting in the compiling process of the source program without affecting the efficiency of the program in running.
Drawings
FIG. 1 is a flow chart of a method provided by the present invention.
FIG. 2 is a source code example diagram of a Rust program with a Use-After-Free vulnerability.
FIG. 3 is an exemplary diagram of the results of the intermediate representation HIR component obtained by compilation.
FIG. 4 is an exemplary diagram of intermediate representation MIR partial results obtained by compilation.
FIG. 5 is an exemplary diagram of the results of a constructed function call graph.
Fig. 6 is a partial exemplary diagram of the results of the pointer analysis.
FIG. 7 is an exemplary diagram of diagnostic information given by the detection of a Use-After-Free vulnerability.
Detailed Description
The invention discloses a method for detecting a Use-After-Free vulnerability in a Rust program based on pointer analysis. The source file of the Rust program is taken as input, and the Use-After-Free loopholes in the program are detected as output. The overall flow is shown in fig. 1. The specific implementation steps are as follows:
step 1: compiling source codes of a program to be detected by using an API (application program interface) related to a Rust compiler to obtain a high-level intermediate representation (HIR) and a middle-level intermediate representation (MIR) of the program, and constructing a control flow graph and a function call graph of the program according to the obtained intermediate representations, wherein the specific steps are as follows:
step 1-1, compiling source codes by using a Rust compiler, calling an API related to the compiler to obtain the HIR and the MIR of the program, wherein the obtained HIR and MIR are two intermediate representation forms of the source codes of the Rust program;
step 1-2, calling MIR of the compiler related API traversal program to acquire the intermediate representation forms of the functions one by one, analyzing to obtain the control flow of the functions, and constructing a control flow graph of the functions by taking basic blocks in the MIR as nodes;
step 1-3, analyzing the obtained HIR to obtain a calling relation between functions, combining information in MIR to obtain a position of a corresponding function call in a program, taking an ID of the function in the HIR as node information, and taking the position of the function call as information of an edge to generate a function call diagram of the program;
3. step 2: the method comprises the following steps of performing static analysis based on a control flow graph of a program and a function call graph, gradually analyzing basic blocks of each function control flow graph according to the control flow by using pointer analysis in a process to obtain a pointing set of variables when each function reaches each program point, combining the control flow graph of the function according to the function call graph when function call exists, and analyzing by using a pointer analysis method among the processes to obtain the pointing set of corresponding variables, wherein the method specifically comprises the following steps:
step 2-1: the method comprises the steps of executing an in-process pointer analysis algorithm based on a control flow graph of a program, sequentially analyzing basic blocks in the control flow graph according to the control flow of the program, and accordingly obtaining a pointing result of a variable when reaching each basic block, wherein the in-process pointer analysis algorithm is as follows;
inputting a control flow graph of a function and MIR corresponding to the function, analyzing from an entry basic block of the function, and executing the following steps:
(1) And sequentially analyzing the code statement sequence represented in the middle in the basic block, analyzing the owner variable of the value and the transfer and borrowing of ownership among the variables according to the ownership rule of Rust in the analysis process, so as to obtain the alias relation between the left value and the right value of each statement, and deriving the final pointing set of the left value variable according to the pointing result of the right value.
(2) And (3) obtaining a subsequent basic block according to the control flow information, continuously analyzing sentences in the basic block according to the step (1), when a function call exists, obtaining the alias relation between the return value and the real parameter according to the alias relation between the parameter of the called function and the return value, and combining the mapping relation of the real parameter to obtain the alias relation between the return value and the real parameter, and deducing the pointing result of the return value according to the pointing result of the real parameter, so that the final pointing of the left value variable in the function call sentence can be deduced.
(3) And (3) gradually analyzing each basic block according to the step (1) and the step (2) until all basic blocks of the function are analyzed or the preset analysis step number algorithm is finished.
Step 2-2: according to a function call graph of a program and adopting the idea of topological ordering, analyzing functions represented by nodes in the graph one by one, analyzing the pointer in the process of the functions to obtain the alias relation between the shape parameters and the return values, and storing the alias relation. The process-to-process pointer analysis algorithm is as follows:
the input is the control flow graph of the program and the MIR corresponding to the function, the following steps are executed
(1) Traversing the function call graph to obtain the output degree of each function node, then searching out the node with zero degree, and obtaining the corresponding function represented by the node for analysis.
(2) And analyzing the function represented by the node with zero degree by using an in-process pointer analysis method, so as to obtain the alias relation between the function parameter and the return value thereof. And subtracting one from the degree of all corresponding functions calling the function after analysis is completed.
(3) And (3) continuously analyzing the function call graph based on the program according to the step (1) and the step (2) until the functions represented by all the nodes in the function call graph are analyzed.
Step 2-3: gradually analyzing each function by using pointer analysis algorithms in and among the processes to obtain a pointing set of the time-phase dependent variable of the time phase of reaching each program point in the function, and storing the pointing set;
step 3: analyzing the control flow graph from top to bottom according to the variable pointing result obtained by pointer analysis, searching whether the situation that the same memory is used again After the memory is released exists in the program, detecting the Use-After-Free loopholes in the program and outputting positioning information corresponding to the loopholes. The method comprises the following specific steps:
step 3-1, traversing operations of releasing values in MIR of the program to obtain all released values in the program and positions in the control flow;
and 3-2, performing reachability analysis on the control flow graph according to the pointing set of the variable obtained by static analysis. Analyzing backward according to the position of the control flow graph from which the value is released, firstly analyzing whether the variable in the control flow graph points to the released value according to the point set of the variable when each program point is reached, and then judging whether the corresponding variable is used again so as to detect the Use-After-Free loopholes in the program;
and 3-3, when a Use-After-Free vulnerability exists in the detection program, sequentially storing the released value, the released value and the position and the revisited position, and finally outputting all detected vulnerability information.
Examples
The invention relates to a method for detecting a Use-After-Free vulnerability in a Rust program based on pointer analysis, which takes a source file of the Rust program as input and detects the Use-After-Free vulnerability in the program as output. In order to detect a Use-After-Free vulnerability in a Rust program, firstly inputting a source code of the Rust program, compiling to obtain a related intermediate representation, and constructing a control flow diagram and a function call diagram of the program; then, gradually analyzing each function according to the alias analysis methods in the control flow graph and the function call graph application process and among the processes to obtain a pointing set of variables when the interior of the function reaches each program point; and finally, according to the variable pointing result obtained by analysis, searching whether the situation that the same memory is used again After the memory is released exists in the program, so as to detect whether a Use-After-Free vulnerability exists in the program.
In combination with an example, the method includes:
step 1: calling a compiler rustc-related API to compile source code of a Rust program is converted into two intermediate representations specific to the Rust program: a high level intermediate representation (HIR) and a middle level intermediate representation (MIR), and building a control flow graph and a function call graph of the program based on the two intermediate representations, the specific steps are as follows:
step 1-1, calling a related API for converting and constructing intermediate representation in a compiler rustc to compile a program source code, and converting the program source code into two specific intermediate representations HIR and MIR, wherein FIGS. 2, 3 and 4 show code examples of a source code form, an HIR form and an MIR form respectively;
step 1-2, traversing MIRs obtained through compiling to obtain intermediate representation forms of functions one by one, taking Basic blocks (Basic blocks) in the MIRs as nodes for each function, analyzing control flows in the Basic blocks to obtain corresponding subsequent nodes and establishing edges, and thus constructing a control flow graph corresponding to each function;
step 1-3, analyzing the compiled HIRs to obtain call relations among functions, taking IDs corresponding to each function in the HIRs as nodes, obtaining functions called in the functions according to the obtained call relations and taking the functions as subsequent nodes, and then obtaining positions of corresponding function calls in the program according to information in MIRs and taking the positions of the corresponding function calls as information of edges, so as to generate a function call diagram of the program, wherein an example of the function call diagram is shown in FIG. 5;
step 2: the pointer analysis in the process is utilized to gradually analyze basic blocks of the control flow graph of each function according to the control flow so as to obtain a pointing set of variables when each function reaches each program point, when the function call exists, the control flow graph of the function is combined according to the function call graph, the pointer analysis method among the processes is utilized to analyze so as to obtain a pointing result of the corresponding variables, and the method specifically comprises the following steps:
step 2-1: based on the algorithm of pointer analysis in the control flow graph execution process, the pointing set of variables in the function reaching each program point is obtained. The specific steps are as follows:
(1) Analyzing sentences in each function basic block of middle layer intermediate representation (MIR), analyzing transfer and borrowing relations of ownership between the left value and the right value in each assignment sentence, and pushing out the pointing result of the left value according to the pointing result of the right value. When the right value is operated as ownership transfer, the pointing result of the left value is the right value pointing result, and the right value pointing result is deleted. When its right value is operated as ownership borrowing or variable copy operation, then its left value's pointing result is its right value pointing result. When the right value is operated as the address taking operation, the pointing result of the left value is the right value.
(2) The use of the Storagelive () and StorageDead () functions in MIR indicates the existence and end of a variable, so that the pointing result of its corresponding variable is deleted when the StorageDead () function is encountered during analysis.
Step 2-2: according to the function call graph and the thought of topological ordering, analyzing the functions represented by the nodes in the graph one by one, carrying out in-process pointer analysis on the functions, and analyzing to obtain the alias relation between the return value and the shape parameter when the analysis reaches the return statement. When analyzing a function call corresponding statement, if the return value and the shape parameter have an alias relation, deducing a pointing result of the return value according to a mapping relation between the real parameter and the shape parameter transferred during the call according to a pointing result of the corresponding real parameter; if the alias relation does not exist, the pointing result of the return value obtained by pointer analysis is the final pointing result. The pointing result of the corresponding variable assigned to the return value of the function call is then further obtained.
Step 2-3: gradually analyzing each function by using pointer analysis algorithms in and among the processes to obtain and store a pointing set of the time-phase dependent variable of each program point reached by the interior of each function, and displaying a part of pointer analysis result examples in FIG. 6;
step 3: and analyzing the control flow graph according to the obtained variable pointing set, searching whether the situation that the same memory is used again After the memory is released exists in the program, detecting the Use-After-Free loopholes in the program, and outputting positioning information corresponding to the loopholes. The method comprises the following specific steps:
step 3-1, releasing the corresponding value by using a Drop () function in the MIR of the program, so that traversing and searching the Drop () function in the MIR to obtain all the released values in the program and the positions in the control flow;
step 3-2, performing reachability analysis on the control flow graph according to the pointing set of the variable obtained by pointer analysis, analyzing whether the variable in the control flow graph points to the released value according to the pointing set of the variable when the control flow graph reaches the program point, marking the variable as a suspended pointer if the variable points to the released value exists, judging whether the corresponding variable is used again, judging that a Use-After-Free loophole is generated if the corresponding variable is used again, and continuing to analyze the variable pointing set when the corresponding variable reaches the next program point backwards if the corresponding variable is not used; if all variables in the set of points of the variable are not directed to the released value, then continuing to analyze the set of points of the variable at the time the next program point is reached.
And 3-3, when the existence of the Use-After-Free loopholes in the program is detected, sequentially storing the released values, the positions thereof and the positions accessed again, and finally outputting all detected loophole information as shown in fig. 7.
Claims (6)
1. A method for detecting a Use-After-Free vulnerability in a Rust program based on pointer analysis is characterized by comprising the following specific steps:
step 1, compiling source codes of a program to be detected by using an API (application program interface) related to a Rust compiler to obtain a high-level intermediate representation (HIR) and a middle-level intermediate representation (MIR) of the program, and constructing a control flow graph and a function call graph of the program according to the obtained intermediate representations;
step 2, performing static analysis based on a control flow graph of a program and a function call graph, gradually analyzing basic blocks of each function control flow graph according to the control flow by using pointer analysis in a process to obtain a pointing set of time phase dependent variable reaching each program point in each function, combining the function control flow graph according to the function call graph when the function call exists, and analyzing by using a pointer analysis method among processes to obtain the pointing set of corresponding variables;
and 3, analyzing the control flow graph from top to bottom according to the variable pointing result obtained by the pointer analysis algorithm, and searching whether the situation that the same memory is used again After the memory is released exists in the program, so as to detect the Use-After-Free loopholes in the program and output positioning information corresponding to the loopholes.
2. The method for detecting a Use-After-Free vulnerability in a Rust program according to claim 1, wherein the method comprises the following steps: in step 1, the source code of the program to be detected is compiled by using an API related to a Rust compiler to obtain a high-level intermediate representation (HIR) and a middle-level intermediate representation (MIR) of the program, and a control flow graph and a function call graph of the program are constructed according to the obtained intermediate representations, which specifically comprises the following steps:
step 1-1, compiling source codes by using a Rust compiler, calling an API related to the compiler to obtain the HIR and the MIR of the program, wherein the obtained HIR and MIR are two intermediate representation forms of the source codes of the Rust program;
step 1-2, calling MIR of the compiler related API traversal program to acquire the intermediate representation forms of the functions one by one, analyzing to obtain the control flow of the functions, and constructing a control flow graph of the functions by taking basic blocks in the MIR as nodes;
and 1-3, analyzing the obtained HIR to obtain a call relation between functions, combining information in the MIR to obtain a position of a corresponding function call in the program, and generating a function call graph of the program by taking the ID of the function in the HIR as node information and the position of the function call as information of an edge.
3. The method for detecting a Use-After-Free vulnerability in a Rust program according to claim 1, wherein in step 2, static analysis is performed on the program-based control flow graph and function call graph, a pointer analysis method in an application process gradually analyzes basic blocks of each function control flow graph according to a control flow to obtain a pointing result of a variable when each function reaches each program point, and when a function call exists, the method combines the control flow graph of the function according to the function call graph, and uses an inter-process pointer analysis method to perform analysis to obtain the pointing result of the corresponding variable, and specifically comprises the following steps:
step 2-1: the method comprises the steps that an algorithm for analyzing pointers in a process is executed based on a control flow diagram of a program, basic blocks in the control flow diagram are sequentially analyzed according to the control flow of the program, and a final pointing result of each variable when reaching each basic block is obtained;
step 2-2: analyzing the functions represented by the nodes in the graph one by one according to the function call graph of the program and adopting the idea of topological sorting, analyzing the pointer in the process of the functions to obtain the alias relation between the shape parameters and the return values, and storing the alias relation;
step 2-3: and gradually analyzing each function by using an intra-process pointer analysis algorithm and an inter-process pointer analysis algorithm to obtain a pointing set of the time-phase dependent variable of the time phase dependent variable reaching each program point in the function, and storing the pointing set.
4. A method for detecting a Use-After-Free vulnerability in a Rust program according to claim 3, wherein the input of the in-process pointer analysis algorithm is a control flow graph of the function and an MIR corresponding to the function, and the following steps are performed starting from an entry basic block of the function:
(1) Sequentially analyzing the code statement sequence represented in the middle in the basic block, analyzing the owner variable of the value and the transfer and borrowing of ownership among the variables according to the ownership rule of Rust in the analysis process, so as to obtain the alias relation between the left value and the right value of each statement, and deriving the final pointing set of the left value variable according to the pointing result of the right value;
(2) Obtaining a subsequent basic block according to the control flow information, continuously analyzing sentences in the basic block according to the step (1), when a function call exists, obtaining an alias relation between a return value and a real parameter according to an alias relation between parameters of the called function and the return value, and combining a mapping relation of the real parameter to obtain the alias relation between the return value and the real parameter, and deducing a pointing result of the return value according to a pointing result of the real parameter, and deducing a final pointing of a left value variable in the function call sentence;
(3) And (3) gradually analyzing each basic block according to the step (1) and the step (2) until all basic blocks of the function are analyzed or the preset analysis step number algorithm is finished.
5. The method for detecting a Use-After-Free vulnerability in a Rust program according to claim 3, wherein the input of the in-process pointer analysis of the function is a control flow graph of the program and an MIR corresponding to the function, and the specific steps are as follows:
(1) Traversing the function call graph to obtain the output degree of each function node, finding out the node with zero degree, and obtaining the corresponding function represented by the node for analysis;
(2) Analyzing the function represented by the node with zero degree of output by using pointer analysis in the process to obtain the alias relation between the function parameters and the return values thereof, and subtracting one degree of output of all corresponding functions calling the function after the analysis is completed;
(3) And (3) continuously analyzing according to the step (1) and the step (2) according to the function call graph of the program until the analysis of the functions represented by all the nodes in the function call graph is completed.
6. The method for detecting a Use-After-Free vulnerability in a Rust program according to claim 1, wherein the method comprises the following steps: in step 3, the control flow graph is analyzed from top to bottom according to the pointing set of the variables obtained by pointer analysis, and whether the same memory is reused After the memory is released in the program is searched, so as to detect the Use-After-Free loopholes in the program and output the positioning information corresponding to the loopholes, and the specific steps are as follows:
step 3-1, traversing operations of releasing values in MIR of the program to obtain all released values in the program and positions in the control flow;
step 3-2, performing reachability analysis on the control flow graph according to the pointing set of the variable obtained by pointer analysis, and analyzing backwards from the released position according to the control flow graph, wherein the method specifically comprises the following steps: analyzing whether the variable points to the released value according to the point set of the variable when each program point is reached, judging whether the corresponding variable is used again, and detecting the Use-After-Free loopholes in the program;
and 3-3, when a Use-After-Free vulnerability exists in the detection program, sequentially storing the released value and the position thereof and the position accessed again, and outputting all detected vulnerability information.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310360354.6A CN116431492A (en) | 2023-04-06 | 2023-04-06 | Method for detecting Use-After-Free loopholes in Rust program based on pointer analysis |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310360354.6A CN116431492A (en) | 2023-04-06 | 2023-04-06 | Method for detecting Use-After-Free loopholes in Rust program based on pointer analysis |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116431492A true CN116431492A (en) | 2023-07-14 |
Family
ID=87080935
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310360354.6A Pending CN116431492A (en) | 2023-04-06 | 2023-04-06 | Method for detecting Use-After-Free loopholes in Rust program based on pointer analysis |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116431492A (en) |
-
2023
- 2023-04-06 CN CN202310360354.6A patent/CN116431492A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10394694B2 (en) | Unexplored branch search in hybrid fuzz testing of software binaries | |
| US7971193B2 (en) | Methods for performining cross module context-sensitive security analysis | |
| Sui et al. | Value-flow-based demand-driven pointer analysis for C and C++ | |
| CN111104335B (en) | C language defect detection method and device based on multi-level analysis | |
| CN110059006B (en) | Code auditing method and device | |
| CN111488579B (en) | Vulnerability detection method, vulnerability detection device, electronic equipment and computer readable storage medium | |
| CN104899147A (en) | Code static analysis method oriented to security check | |
| Arzt et al. | Using targeted symbolic execution for reducing false-positives in dataflow analysis | |
| CN110363004B (en) | Code vulnerability detection method, device, medium and equipment | |
| CN113419960B (en) | Seed generation method and system for kernel fuzzy test of trusted operating system | |
| CN104573503A (en) | Method and device for detecting memory access overflow | |
| CN115794629A (en) | Software component detection method, electronic device, and computer-readable storage medium | |
| US8752007B2 (en) | Automatic generation of run-time instrumenter | |
| Perez et al. | Generating predicate callback summaries for the android framework | |
| CN108897678B (en) | Static code detection method, static code detection system and storage device | |
| Hall et al. | Establishing the source code disruption caused by automated remodularisation tools | |
| Saumya et al. | Xstressor: Automatic generation of large-scale worst-case test inputs by inferring path conditions | |
| CN116431492A (en) | Method for detecting Use-After-Free loopholes in Rust program based on pointer analysis | |
| CN114840856B (en) | State-aware Internet of things trusted execution environment fuzzy test method and system | |
| US9489284B2 (en) | Debugging method and computer program product | |
| CN114462043A (en) | Java anti-serialization vulnerability detection system and method based on reinforcement learning | |
| CN113688403A (en) | Intelligent contract vulnerability detection method and device based on symbolic execution verification | |
| Yousaf et al. | Efficient Identification of Race Condition Vulnerability in C code by Abstract Interpretation and Value Analysis | |
| Singh et al. | Design and implementation of testing tool for code smell rectification using c-mean algorithm | |
| Nakagawa et al. | How compact will my system be? A fully-automated way to calculate Loc reduced by clone refactoring |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |