Concretely mapped symbolic memory locations for memory error detection
Memory allocation is a fundamental operation for managing memory objects in many programming languages. Misusing allocated memory objects (e.g., buffer overflow and use-after-free) can lead to catastrophic consequences. Symbolic execution-based approaches are often used to detect such memory errors,...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2024
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/9890 https://ink.library.smu.edu.sg/context/sis_research/article/10890/viewcontent/TSE2024SymLoc.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-10890 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-108902025-01-02T09:08:14Z Concretely mapped symbolic memory locations for memory error detection TU, Haoxin JIANG, Lingxiao HONG, Jiaqi DING, Xuhua JIANG, He Memory allocation is a fundamental operation for managing memory objects in many programming languages. Misusing allocated memory objects (e.g., buffer overflow and use-after-free) can lead to catastrophic consequences. Symbolic execution-based approaches are often used to detect such memory errors, leveraging their capabilities in automatic path exploration and test case generation. However, existing symbolic execution engines face significant limitations in modeling dynamic memory layouts. These engines either represent memory object locations as concrete addresses, limiting analyses to specific address layouts and missing errors that occur at special addresses, or represent locations as simple symbolic variables without sufficient constraints, resulting in memory state explosion during read/write operations involving symbolic addresses. These challenges hinder effective detection of certain memory errors.In this study, we propose SYMLOC, a symbolic execution-based approach that employs concretely mapped symbolic memory locations to address these limitations. SYMLOC integrates three novel techniques: (1) symbolizing addresses and encoding symbolic addresses into path constraints, (2) performing symbolic memory read/write operations using a symbolic-concrete memory map, and (3) automatically tracking the use of symbolic memory locations. Built on the KLEE symbolic execution engine, SYMLOC demonstrates improved memory error detection and code coverage capabilities.Evaluation results show that SYMLOC detects 23 additional address-specific spatial memory errors in GNU Coreutils, Make, and m4 programs compared to other approaches and achieves 15%-48% higher unique code coverage. For temporal memory errors, SYMLOC detects 8%-64% more errors in the Juliet Test Suite than various state-of-the-art detectors. Additionally, two case studies illustrate memory errors detected by SYMLOC, their root causes, and implications. 2024-04-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/9890 info:doi/10.1109/TSE.2024.3395412 https://ink.library.smu.edu.sg/context/sis_research/article/10890/viewcontent/TSE2024SymLoc.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Software Reliability Software Security Memory Errors Program Analysis Symbolic Execution Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Software Reliability Software Security Memory Errors Program Analysis Symbolic Execution Software Engineering |
| spellingShingle |
Software Reliability Software Security Memory Errors Program Analysis Symbolic Execution Software Engineering TU, Haoxin JIANG, Lingxiao HONG, Jiaqi DING, Xuhua JIANG, He Concretely mapped symbolic memory locations for memory error detection |
| description |
Memory allocation is a fundamental operation for managing memory objects in many programming languages. Misusing allocated memory objects (e.g., buffer overflow and use-after-free) can lead to catastrophic consequences. Symbolic execution-based approaches are often used to detect such memory errors, leveraging their capabilities in automatic path exploration and test case generation. However, existing symbolic execution engines face significant limitations in modeling dynamic memory layouts. These engines either represent memory object locations as concrete addresses, limiting analyses to specific address layouts and missing errors that occur at special addresses, or represent locations as simple symbolic variables without sufficient constraints, resulting in memory state explosion during read/write operations involving symbolic addresses. These challenges hinder effective detection of certain memory errors.In this study, we propose SYMLOC, a symbolic execution-based approach that employs concretely mapped symbolic memory locations to address these limitations. SYMLOC integrates three novel techniques: (1) symbolizing addresses and encoding symbolic addresses into path constraints, (2) performing symbolic memory read/write operations using a symbolic-concrete memory map, and (3) automatically tracking the use of symbolic memory locations. Built on the KLEE symbolic execution engine, SYMLOC demonstrates improved memory error detection and code coverage capabilities.Evaluation results show that SYMLOC detects 23 additional address-specific spatial memory errors in GNU Coreutils, Make, and m4 programs compared to other approaches and achieves 15%-48% higher unique code coverage. For temporal memory errors, SYMLOC detects 8%-64% more errors in the Juliet Test Suite than various state-of-the-art detectors. Additionally, two case studies illustrate memory errors detected by SYMLOC, their root causes, and implications. |
| format |
text |
| author |
TU, Haoxin JIANG, Lingxiao HONG, Jiaqi DING, Xuhua JIANG, He |
| author_facet |
TU, Haoxin JIANG, Lingxiao HONG, Jiaqi DING, Xuhua JIANG, He |
| author_sort |
TU, Haoxin |
| title |
Concretely mapped symbolic memory locations for memory error detection |
| title_short |
Concretely mapped symbolic memory locations for memory error detection |
| title_full |
Concretely mapped symbolic memory locations for memory error detection |
| title_fullStr |
Concretely mapped symbolic memory locations for memory error detection |
| title_full_unstemmed |
Concretely mapped symbolic memory locations for memory error detection |
| title_sort |
concretely mapped symbolic memory locations for memory error detection |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2024 |
| url |
https://ink.library.smu.edu.sg/sis_research/9890 https://ink.library.smu.edu.sg/context/sis_research/article/10890/viewcontent/TSE2024SymLoc.pdf |
| _version_ |
1821237275929870336 |