Abstract
A null pointer dereference, which may allow attackers to bypass security logic or reveal sensitive information in the operating system, is a common programming bug in C/C++ programs and has therefore been an important research subject in computer security. Many (automatic) analysis tools have been proposed to detect this bug. However, all of these tools operate on source code. Much commercial software ships without source code, so source-based tools cannot detect null pointer dereferences in it. Some null pointer dereference defects are introduced by the compilation configuration or by the compiler's optimizations, and source-based tools cannot detect those either. It is therefore necessary to develop tools that detect null pointer dereferences directly on binaries. One advantage of detection on binaries is that library code is included in the analysis, whereas source-based detection usually relies on hand-crafted summaries of library functions, which may lower precision and recall. In this paper, we present and implement NPtrChecker, the first null pointer dereference detection tool that accepts binary programs as input and outputs where the null pointers originate, where the dereferences occur, and the corresponding path conditions. One difficulty of detecting null pointer dereferences on binaries is that pointer type and structure type information is missing. Without this information, the accuracy of the detection suffers. However, recovering data structure definitions from binaries is hard. We propose a memory model that differentiates the fields of data structures without restoring the data structures or their type information. This memory model is the basis of our field-sensitive pointer analysis for null pointer dereference detection.
We further design a context-sensitive dataflow analysis algorithm based on function summary techniques, which improves the precision of the analysis. To reduce false positives as much as possible, we also use the weakest precondition to filter out unreachable paths reported by the dataflow analysis: a report is removed if the path conditions from the source to the sink that dereferences the pointer cannot be satisfied. We apply NPtrChecker to 11 programs in the SPEC2000 benchmark, and 37 suspected null pointer dereference defects are reported. Among them, 22 reports are confirmed to be true defects by manual examination. In contrast, the tool Saturn reports 92 defects of which only 13 are true positives, and LUKE reports 3 defects of which only 2 are true positives. This shows that our method detects more null pointer dereferences while keeping the false positive rate low.
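The source-to-sink reporting and path-condition filtering described above, as an added illustration that is not the paper's code: a toy checker over a constructed CFG (the block names, the flag `f` and the statement forms are hypothetical) reports each dereference of a null-valued variable with its source, sink and path condition, then drops the reports whose path condition cannot be satisfied, using brute-force enumeration over boolean flags as a stand-in for the weakest-precondition check.

```python
"""Toy null-dereference checker: path walk over a CFG plus path-condition filtering."""
from itertools import product
# Constructed example CFG (hypothetical, not from the paper); assumed acyclic. Statements:
#   ('null', v)  v becomes a null pointer (the report's source)
#   ('alloc', v) v now points to valid memory
#   ('deref', v) v is dereferenced (the report's sink)
# Edges carry a predicate (flag, required_value), or None when unconditional.
CFG = {
    'b0': ([('null', 'p')], [('b1', ('f', 1)), ('b2', ('f', 0))]),
    'b1': ([('alloc', 'p')], [('b3', None)]),
    'b2': ([], [('b3', None)]),
    'b3': ([], [('b4', ('f', 1)), ('b5', ('f', 0))]),
    'b4': ([('deref', 'p')], []),  # needs f==1, and then p was allocated in b1
    'b5': ([('deref', 'p')], []),  # reachable with f==0 while p is still null
}

def find_reports(cfg, entry='b0'):
    """Walk every path from entry; report each deref of a null var with its path condition."""
    reports = []
    def walk(block, nulls, conds, path):
        stmts, edges = cfg[block]
        nulls = dict(nulls)                      # per-path copy of the null facts
        for op, var in stmts:
            if op == 'null':
                nulls[var] = block               # remember where the null came from
            elif op == 'alloc':
                nulls.pop(var, None)
            elif op == 'deref' and var in nulls:
                reports.append({'source': nulls[var], 'sink': block,
                                'conds': tuple(conds), 'path': tuple(path)})
        for succ, pred in edges:
            walk(succ, nulls, conds + ([pred] if pred else []), path + [succ])
    walk(entry, {}, [], [entry])
    return reports

def satisfiable(conds):
    """Brute-force stand-in for a weakest-precondition check over boolean flags."""
    flags = sorted({f for f, _ in conds})
    envs = (dict(zip(flags, vals)) for vals in product((0, 1), repeat=len(flags)))
    return any(all(env[f] == v for f, v in conds) for env in envs)

def check(cfg):
    """Return (all dataflow reports, reports whose path condition is satisfiable)."""
    raw = find_reports(cfg)
    return raw, [r for r in raw if satisfiable(r['conds'])]

if __name__ == '__main__':
    raw, kept = check(CFG)
    print(*(('kept' if r in kept else 'dropped', r['source'], r['sink'], r['conds']) for r in raw), sep='\n')
```

The report for `b4` carries the contradictory conditions `f==0` and `f==1` and is discarded; the report for `b5` survives as the true defect.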