Multi-layer Type Analysis

Reference 1

C++ and Casting

Pointers to virtual function tables are frequently cast to general types such as char*, which renders plain type matching ineffective.

MLTA: a mechanism to precisely connect VTables to the corresponding classes and to keep track of class casting.

Similar work (references 2, 3): a virtual function call can only invoke the virtual functions implemented in the current class or its derived classes, but not others. These works use an expanded single-layer type to find targets.

MLTA outperforms them:

  • when an object pointer is recursively stored into an object of a different class;
  • by precisely tracking type casting.

==> virtual functions of a derived class become valid icall targets of a base class only when an actual cast exists.

LLM: why only when an actual cast exists? Will it improve the precision? Does it mean that if the function is not called, MLTA will not include it in the CFG but the others will?

Formal proof

Goal: no more false negatives than FLTA (first-layer type analysis).
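The casting rule above and the FLTA bound stated here can be shown on a small model. The following is an added example, not the paper's implementation: the program facts (signatures, constant struct initializers, casts) are hand-constructed stand-ins for what an LLVM pass would collect, and `ops`, `ops2`, `dev`, `sock_ops`, `tap_ops`, `net_dev` and the function names are invented. It resolves two icall sites under FLTA and MLTA, shows that a derived-type object (`tap_ops`) only becomes a base-typed target once a cast is recorded, and falls back to FLTA when the inner type escapes through a `char*` cast, so the MLTA result is never larger than the FLTA result. The callsite-to-callees dictionary it builds has the same shape as the `Callees` map in Crix's `GlobalContext` noted further down this page.

```python
"""Toy FLTA vs. MLTA indirect-call resolver (added example, not the paper's
implementation). All program facts below are hand-constructed."""
from collections import defaultdict

GENERAL_TYPES = {"char*", "void*"}   # casts to these lose the layer type


class Program:
    def __init__(self):
        self.funcs = {}                  # function name -> signature string
        self.objs = {}                   # object name -> struct type name
        self.fields = defaultdict(lambda: defaultdict(set))  # obj -> field -> values
        self.cast_from = defaultdict(set)   # dst struct -> structs cast to it
        self.escaped = set()                # structs cast to/from a general type

    def func(self, name, sig):
        self.funcs[name] = sig

    def obj(self, name, struct):
        self.objs[name] = struct

    def store(self, obj, field, value):
        """Record obj.field = value, value being a function or an object name."""
        self.fields[obj][field].add(value)

    def cast(self, src, dst):
        """Record a pointer cast; a cast involving char*/void* escapes the struct."""
        if src in GENERAL_TYPES or dst in GENERAL_TYPES:
            self.escaped.add(src if dst in GENERAL_TYPES else dst)
        else:
            self.cast_from[dst].add(src)

    def objects_of(self, struct):
        """Objects of `struct` plus objects of any struct actually cast to it:
        a derived object is reachable through a base pointer only via a cast."""
        seen, work = set(), [struct]
        while work:
            t = work.pop()
            if t not in seen:
                seen.add(t)
                work.extend(self.cast_from[t])
        return {o for o, t in self.objs.items() if t in seen}

    def flta(self, sig):
        """First-layer type analysis: every function with a matching signature."""
        return {f for f, s in self.funcs.items() if s == sig}

    def mlta(self, sig, layers):
        """layers: (struct, field) pairs outermost to innermost, e.g.
        d->o->read() -> [("dev", "o"), ("ops", "read")]. Always a subset of
        flta(sig); an escaped innermost layer falls back to FLTA."""
        candidates = self.flta(sig)
        holders = self.objects_of(layers[0][0])
        for i, (struct, field) in enumerate(layers):
            innermost = i + 1 == len(layers)
            if struct in self.escaped:
                if innermost:
                    return candidates
                holders = self.objects_of(struct)   # cannot narrow this layer
            values = set().union(*(self.fields[o][field] for o in holders))
            if innermost:
                return candidates & {v for v in values if v in self.funcs}
            holders = {v for v in values if v in self.objs}


def build_program(with_cast=False, escape=False):
    """Constructed facts for: struct ops { read; write; }, struct ops2 { read;
    write; ioctl; }, struct dev { struct ops *o; }, with global initializers
    sock_ops, file_ops (ops), tap_ops (ops2) and net_dev (dev, .o = &sock_ops)."""
    p = Program()
    for f in ("sock_read", "sock_write", "file_read", "tap_read", "dbg_hook"):
        p.func(f, "void(int)")
    p.func("tap_ioctl", "long(unsigned)")
    p.obj("sock_ops", "ops")
    p.store("sock_ops", "read", "sock_read")
    p.store("sock_ops", "write", "sock_write")
    p.obj("file_ops", "ops")
    p.store("file_ops", "read", "file_read")
    p.obj("tap_ops", "ops2")
    p.store("tap_ops", "read", "tap_read")
    p.store("tap_ops", "ioctl", "tap_ioctl")
    p.obj("net_dev", "dev")
    p.store("net_dev", "o", "sock_ops")
    if with_cast:
        p.cast("ops2", "ops")       # (struct ops *)&tap_ops occurs in the code
    if escape:
        p.cast("ops", "char*")      # an ops pointer is handled as a byte buffer
    return p


# Constructed icall sites: label -> (signature, layers).
ICALLS = {
    "d->o->read(n)": ("void(int)", [("dev", "o"), ("ops", "read")]),
    "o->read(n)":    ("void(int)", [("ops", "read")]),
}


def callees_map(p):
    """Callsite -> potential callees, the shape of GlobalContext::Callees."""
    return {site: p.mlta(sig, layers) for site, (sig, layers) in ICALLS.items()}


if __name__ == "__main__":
    variants = (("plain", build_program()), ("cast", build_program(with_cast=True)),
                ("escape", build_program(escape=True)))
    for name, p in variants:
        print(name, "FLTA:", sorted(p.flta("void(int)")))
        for site, targets in callees_map(p).items():
            print("  ", site, "->", sorted(targets))
```

In the plain variant the two-layer site resolves to `sock_read` alone, against five FLTA candidates; recording the `ops2 -> ops` cast adds `tap_read` to the single-layer site only, and escaping `ops` widens both sites back to the FLTA set, which is the "no more false negatives than FLTA" property under the assumption that every store is recorded.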

Assembly code

Chapter 8: Supporting MLTA in assembly or binary is out of the scope of this work.

Crix: Detecting Missing-Check Bugs via Semantic- and Context-Aware Criticalness and Constraints Inferences

Reference 1

  • Inter-procedural, semantic- and context-aware analysis.
  • Modeling and cross-checking the semantics of conditional statements in the peer slices of critical variables infers their criticalness.
  • Criticalness is then used to detect missing-check bugs.
  • 278 new missing-check bugs in the Linux kernel that can cause security issues; 151 accepted by Linux maintainers.

Missing Check Example

```c
/* Linux: net/smc/smc_ib.c */
static void smc_ib_remove_dev(struct ib_device *ibdev...)
{
    struct smc_ib_device *smcibdev;

    /* ib_get_client_data may fail and return NULL */
    smcibdev = ib_get_client_data(ibdev, &smc_ib_client);
    // ERROR1: NULL-pointer dereference
    list_del_init(&smcibdev->list);
    /* ERROR2: device cannot be removed or unregistered */
    smc_pnet_remove_by_ibdev(smcibdev);
    ib_unregister_event_handler(&smcibdev->event_handler);
    /* ERROR3: memory leak */
    kfree(smcibdev);
    /* No return value: caller cannot know the errors */
}
```

From NVD: 59.
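The peer-slice cross-checking idea can be illustrated with a deliberately small analyzer. This is an added example and not the Crix code: it recognizes only three simplified conditional forms and only `->` dereferences, and the call sites `peer_a`, `peer_b`, `peer_c` and the callee `lookup_hint` are constructed; the last snippet is reduced from the smc_ib.c excerpt above. If most peer uses of a callee's return value check it before use, the value is treated as critical and the peers that skip the check are reported.

```python
"""Toy Crix-style criticalness inference (added example, not the Crix code).
Peer slices: each call site of the same callee, from the call to the first
dereference of its result. Snippets below are constructed."""
import re
from collections import namedtuple

Slice = namedtuple("Slice", "site var status")   # status: checked | unchecked

CALL_RE = re.compile(r"(\w+)\s*=\s*(\w+)\s*\(")   # var = callee(...)
CHECK_PATTERNS = [                                 # simplified conditional forms
    r"if\s*\(\s*!\s*{var}\s*\)",
    r"if\s*\(\s*{var}\s*==\s*NULL\s*\)",
    r"if\s*\(\s*IS_ERR(?:_OR_NULL)?\s*\(\s*{var}\s*\)\s*\)",
]
USE_PATTERN = r"\b{var}\s*->"                      # first dereference of var


def slice_of(site, code, callee):
    """Slice from the first `var = callee(...)` in `code` to var's first
    dereference; None if callee is not called here or var is never used."""
    lines = code.strip().splitlines()
    for i, line in enumerate(lines):
        m = CALL_RE.search(line)
        if not m or m.group(2) != callee:
            continue
        var = m.group(1)
        for later in lines[i + 1:]:
            if any(re.search(pat.format(var=var), later) for pat in CHECK_PATTERNS):
                return Slice(site, var, "checked")
            if re.search(USE_PATTERN.format(var=var), later):
                return Slice(site, var, "unchecked")
        return None
    return None


def find_missing_checks(sites, callee, threshold=0.5):
    """Cross-check peer slices; returns (ratio of checked peers, flagged sites)."""
    slices = [s for s in (slice_of(n, c, callee) for n, c in sites.items()) if s]
    if not slices:
        return 0.0, []
    ratio = sum(s.status == "checked" for s in slices) / len(slices)
    if ratio < threshold:           # return value is not considered critical
        return ratio, []
    return ratio, [s.site for s in slices if s.status == "unchecked"]


# Constructed peer call sites of ib_get_client_data() and of a hypothetical
# lookup_hint() whose result is conventionally used without a check.
SITES = {
    "peer_a": """
        dev = ib_get_client_data(ibdev, &client);
        if (!dev)
                return;
        dev->refcnt++;
        h = lookup_hint(dev);
        h->n++;
    """,
    "peer_b": """
        dev = ib_get_client_data(ibdev, &client);
        if (dev == NULL)
                return -ENODEV;
        list_del(&dev->list);
        h = lookup_hint(dev);
        h->n++;
    """,
    "peer_c": """
        dev = ib_get_client_data(ibdev, &client);
        if (IS_ERR_OR_NULL(dev))
                goto out;
        kfree(dev->priv);
    """,
    "smc_ib_remove_dev": """
        smcibdev = ib_get_client_data(ibdev, &smc_ib_client);
        list_del_init(&smcibdev->list);
        smc_pnet_remove_by_ibdev(smcibdev);
    """,
}

if __name__ == "__main__":
    for callee in ("ib_get_client_data", "lookup_hint"):
        ratio, flagged = find_missing_checks(SITES, callee)
        print(f"{callee}: {ratio:.0%} of peers check the result; flagged: {flagged}")
```

Three of the four `ib_get_client_data` peers check the result, so the unchecked `smc_ib_remove_dev` slice is flagged; both `lookup_hint` peers use the result unchecked, so nothing is reported for it. The threshold is where a real tool's semantic and context modeling would replace the bare ratio.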

Read

Reference 1

Graph in GlobalContext:

```cpp
// file: crix/analyzer/src/lib/Analyzer.h
typedef DenseMap<Function*, CallInstSet> CallerMap;
typedef DenseMap<CallInst *, FuncSet> CalleeMap;

struct GlobalContext {
    // ...
    // Map a callsite to all potential callee functions.
    CalleeMap Callees;
    // Map a function to all potential caller instructions.
    CallerMap Callers;
    // ...
};
```

Github


  1. Where Does it Go? Refining Indirect-Call Targets with Multi-layer Type Analysis. By Kangjie Lu, Hong Hu. CCS (Best Paper). 2019.
  2. SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks. By D. Jang, Z. Tatlock, and S. Lerner. In Proceedings of the 2014 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2014.
  3. VTrust: Regaining Trust on Virtual Calls. By C. Zhang, D. Song, S. A. Carr, M. Payer, T. Li, Y. Ding, and C. Song. In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2016.
Created Nov 23, 2019 // Last Updated Jun 23, 2021
