eScholarship
Open Access Publications from the University of California

UC Irvine Electronic Theses and Dissertations

Security Applications of Static Program Analysis

Abstract

Static program analysis computes information about a program without executing the program. This can be used to improve software security by determining a security policy based on the program’s semantics, which is then used to implement a run-time protection, or by detecting bugs in the program, which can then be fixed before they are subject to an attack. We present applications of static program analysis to address software exploits that utilize memory corruption.

Memory corruption exploits are one of the most severe forms of program attacks, and occur when an attacker performs invalid memory accesses to hijack a program. This can involve overwriting data to force the program to perform malicious actions, as well as reading sensitive data to leak secrets.

One approach that has been proposed to stop memory corruption attacks is data space randomization (DSR). DSR utilizes static analysis to classify program variables into a set of equivalence classes, and then encrypts variables with a randomly chosen key for each equivalence class. This thwarts memory corruption attacks that introduce illegitimate data flows. However, existing implementations of DSR trade analysis precision for better run-time performance, which leaves attackers sufficient leeway to mount attacks. In this dissertation we present context-sensitive data space randomization, a more precise version of DSR that is able to distinguish a larger number of equivalence classes by using a context-sensitive points-to analysis to construct equivalence classes. We then adapt this analysis and protection to HARD, which shows that context-sensitive DSR can target specialized hardware to provide precise protection with good run-time performance.
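As an added illustration (not code from the dissertation or from HARD), the following Python model shows how DSR equivalence classes fall out of points-to facts, why a context-insensitive analysis merges variables that a context-sensitive one keeps apart, and what that means for an illegitimate data flow. The example program, its points-to facts, and the 32-bit XOR masking are constructed assumptions, not the thesis's implementation.

```python
import secrets

# Constructed points-to facts (an assumption, not from the thesis): helper
# `store(p, v)` is called from two sites, with `p` pointing to `a` in call1
# and to `b` in call2; `q` in main may point to `c` or `d` (legitimate aliasing).
POINTS_TO = [
    # (pointer, calling context, target variable)
    ("p", "call1", "a"),
    ("p", "call2", "b"),
    ("q", "main", "c"),
    ("q", "main", "d"),
]

def equivalence_classes(facts, context_sensitive):
    """Map each variable to its DSR equivalence class (a frozenset).

    Every target a pointer may reach must share one key, or a legitimate
    access through that pointer could not be decrypted, so targets are
    unioned per pointer. Keying the pointer by (name, context) is what lets
    the context-sensitive analysis keep `a` and `b` in separate classes."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x

    reached = {}
    for ptr, ctx, target in facts:
        reached.setdefault((ptr, ctx) if context_sensitive else ptr, []).append(target)
    for targets in reached.values():
        for t in targets[1:]:
            parent[find(t)] = find(targets[0])
    members = {}
    for _, _, target in facts:
        members.setdefault(find(target), set()).add(target)
    return {v: frozenset(c) for c in members.values() for v in c}

def assign_keys(classes):
    """One random 32-bit XOR mask per class, drawn distinct across classes."""
    distinct = list(set(classes.values()))
    masks = secrets.SystemRandom().sample(range(1, 2**32), len(distinct))
    return dict(zip(distinct, masks))

def read_after_write(classes, keys, written_as, read_as, value):
    """Mask `value` with the class key of `written_as`, then unmask it as
    `read_as`. Same class: `value` survives. Different class (an illegitimate
    flow such as an overwrite of `b` via `a`): the result is scrambled."""
    return value ^ keys[classes[written_as]] ^ keys[classes[read_as]]
```

With the context-insensitive classes, `a` and `b` share a key, so a value written as `a` that lands on `b` reads back intact; with the context-sensitive classes the same flow yields a value the attacker cannot predict, while the legitimate `c`/`d` aliasing still decrypts correctly.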

We also explore using static analysis to find security-critical bugs. Specifically, we developed KALD, a static analysis tool which uses points-to analysis to detect direct address disclosures that can lead to kernel ASLR bypasses. We show that KALD successfully detects several previously unknown direct disclosure vulnerabilities in the Linux kernel.
