Concretely Mapped Symbolic Memory Locations for Memory Error Detection

IF 6.5 1区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING IEEE Transactions on Software Engineering Pub Date : 2024-04-30 DOI:10.1109/TSE.2024.3395412

Haoxin Tu;Lingxiao Jiang;Jiaqi Hong;Xuhua Ding;He Jiang

{"title":"Concretely Mapped Symbolic Memory Locations for Memory Error Detection","authors":"Haoxin Tu;Lingxiao Jiang;Jiaqi Hong;Xuhua Ding;He Jiang","doi":"10.1109/TSE.2024.3395412","DOIUrl":null,"url":null,"abstract":"Memory allocation is a fundamental operation for managing memory objects in many programming languages. Misusing allocated memory objects (e.g., \n<italic>buffer overflow\n and \n<italic>use-after-free\n) can have catastrophic consequences. Symbolic execution-based approaches have been used to detect such memory errors, benefiting from their capabilities in automatic path exploration and test case generation. However, existing symbolic execution engines still suffer from fundamental limitations in modeling dynamic memory layouts; they either represent the locations of memory objects as concrete addresses and thus limit their analyses only to specific address layouts and miss errors that may only occur when the objects are located at special addresses, or represent the locations as simple symbolic variables without sufficient constraints and thus suffer from memory state explosion when they execute read/write operations involving symbolic addresses. Such limitations hinder the existing symbolic execution engines from effectively detecting certain memory errors. In this study, we propose \n<sc>SymLoc\n, a symbolic execution-based approach that uses concretely mapped symbolic memory locations to alleviate the limitations mentioned above. Specifically, a new integration of three techniques is designed in \n<sc>SymLoc\n: (1) the symbolization of addresses and encoding of symbolic addresses into path constraints, (2) the symbolic memory read/write operations using a symbolic-concrete memory map, and (3) the automatic tracking of the uses of symbolic memory locations. We build \n<sc>SymLoc\n on top of the well-known symbolic execution engine KLEE and demonstrate its benefits in terms of memory error detection and code coverage capabilities. Our evaluation results show that: for address-specific spatial memory errors, \n<sc>SymLoc\n can detect 23 more errors in \n<monospace>GNU Coreutils</monospace>\n, \n<monospace>Make</monospace>\n, and \n<monospace>m4</monospace>\n programs that are difficult for other approaches to detect, and cover 15% and 48% more unique lines of code in the programs than two baseline approaches; for temporal memory errors, \n<sc>SymLoc\n can detect 8%-64% more errors in the Juliet Test Suite than various existing state-of-the-art memory error detectors. We also present two case studies to show sample memory errors detected by \n<sc>SymLoc\n along with their root causes and implications.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"50 7","pages":"1747-1767"},"PeriodicalIF":6.5000,"publicationDate":"2024-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Software Engineering","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10510589/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Memory allocation is a fundamental operation for managing memory objects in many programming languages. Misusing allocated memory objects (e.g., buffer overflow and use-after-free ) can have catastrophic consequences. Symbolic execution-based approaches have been used to detect such memory errors, benefiting from their capabilities in automatic path exploration and test case generation. However, existing symbolic execution engines still suffer from fundamental limitations in modeling dynamic memory layouts; they either represent the locations of memory objects as concrete addresses and thus limit their analyses only to specific address layouts and miss errors that may only occur when the objects are located at special addresses, or represent the locations as simple symbolic variables without sufficient constraints and thus suffer from memory state explosion when they execute read/write operations involving symbolic addresses. Such limitations hinder the existing symbolic execution engines from effectively detecting certain memory errors. In this study, we propose SymLoc , a symbolic execution-based approach that uses concretely mapped symbolic memory locations to alleviate the limitations mentioned above. Specifically, a new integration of three techniques is designed in SymLoc : (1) the symbolization of addresses and encoding of symbolic addresses into path constraints, (2) the symbolic memory read/write operations using a symbolic-concrete memory map, and (3) the automatic tracking of the uses of symbolic memory locations. We build SymLoc on top of the well-known symbolic execution engine KLEE and demonstrate its benefits in terms of memory error detection and code coverage capabilities. Our evaluation results show that: for address-specific spatial memory errors, SymLoc can detect 23 more errors in GNU Coreutils , Make , and m4 programs that are difficult for other approaches to detect, and cover 15% and 48% more unique lines of code in the programs than two baseline approaches; for temporal memory errors, SymLoc can detect 8%-64% more errors in the Juliet Test Suite than various existing state-of-the-art memory error detectors. We also present two case studies to show sample memory errors detected by SymLoc along with their root causes and implications.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

用于内存错误检测的具体映射符号内存位置

在许多编程语言中，内存分配是管理内存对象的基本操作。滥用已分配的内存对象（如缓冲区溢出和使用后释放）可能会造成灾难性后果。基于符号执行的方法已被用于检测此类内存错误，并受益于其自动路径探索和测试用例生成的功能。然而，现有的符号执行引擎在对动态内存布局建模时仍存在根本性的限制；它们要么将内存对象的位置表示为具体地址，从而将分析局限于特定的地址布局，错过了只有当对象位于特殊地址时才可能发生的错误；要么将位置表示为简单的符号变量，没有足够的约束，从而在执行涉及符号地址的读/写操作时出现内存状态爆炸。这些限制妨碍了现有的符号执行引擎有效地检测某些内存错误。在本研究中，我们提出了 SymLoc，这是一种基于符号执行的方法，它使用具体映射的符号内存位置来缓解上述限制。具体来说，SymLoc设计了三种技术的新集成：(1) 地址符号化和将符号地址编码为路径约束；(2) 使用符号-具体内存映射进行符号内存读/写操作；(3) 自动跟踪符号内存位置的使用。我们在著名的符号执行引擎 KLEE 的基础上构建了 SymLoc，并展示了它在内存错误检测和代码覆盖能力方面的优势。我们的评估结果表明：对于特定地址的空间内存错误，SymLoc可以在GNU Coreutils、Make和m4程序中多检测出23个其他方法难以检测到的错误，与两种基线方法相比，SymLoc可以多覆盖程序中15%和48%的独特代码行；对于时间内存错误，SymLoc可以在Juliet测试套件中比现有的各种最先进的内存错误检测器多检测出8%-64%的错误。我们还介绍了两个案例研究，展示了SymLoc检测到的内存错误样本及其根本原因和影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IEEE Transactions on Software Engineering 工程技术-工程：电子与电气

CiteScore

9.70

自引率

10.80%

发文量

724

审稿时长

6 months

期刊介绍： IEEE Transactions on Software Engineering seeks contributions comprising well-defined theoretical results and empirical studies with potential impacts on software construction, analysis, or management. The scope of this Transactions extends from fundamental mechanisms to the development of principles and their application in specific environments. Specific topic areas include: a) Development and maintenance methods and models: Techniques and principles for specifying, designing, and implementing software systems, encompassing notations and process models. b) Assessment methods: Software tests, validation, reliability models, test and diagnosis procedures, software redundancy, design for error control, and measurements and evaluation of process and product aspects. c) Software project management: Productivity factors, cost models, schedule and organizational issues, and standards. d) Tools and environments: Specific tools, integrated tool environments, associated architectures, databases, and parallel and distributed processing issues. e) System issues: Hardware-software trade-offs. f) State-of-the-art surveys: Syntheses and comprehensive reviews of the historical development within specific areas of interest.