
Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)


Irbis: static taint analyzer for vulnerabilities detection in C/C++

https://doi.org/10.15514/ISPRAS-2022-34(6)-4

Abstract

Static taint analysis finds security weaknesses and vulnerabilities in programs by discovering dataflow paths from taint sources to taint sinks. Data is usually called "tainted" if it was obtained from an untrusted source without proper sanitization. In this paper we present the static taint analyzer Irbis. Its analysis is based on the IFDS (Interprocedural Finite Distributive Subset) dataflow problem, extended in several ways to improve the accuracy and completeness of the results. Irbis supports different definitions of tainted data, which lets it find weaknesses such as out-of-bounds buffer access, use of freed memory, hardcoded passwords and data leaks, and discover dataflow paths between user-defined sources and sinks. All definitions of sources, sinks and propagators are stored in JSON format and can be adjusted to the user's needs. We compare analysis results on the Juliet Test Suite for C/C++ with several other analyzers: Infer, Clang Static Analyzer and Svace. On the taint-related subset of tests for the implemented CWEs, Irbis achieves 100% coverage while suppressing all false positives by means of heuristics. We also report performance and the false positive rate on real projects, with examples of real vulnerabilities that Irbis detects.
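The abstract describes the three ingredients of a configurable taint analyzer: sources that introduce taint, propagators that carry it through library calls, sanitizers that remove it, and sinks where tainted data is reported. The following is an added illustration written for this page, not Irbis's code or its configuration format: the JSON schema (`sources`/`propagators`/`sanitizers`/`sinks`, with `arg:N` and `ret` position specs), the toy three-address IR, the hypothetical `clamp_len` and `to_host` functions, and the rule that an unmodeled callee conservatively passes taint from its arguments to its result are all assumptions of the example. It runs forward taint propagation over a single straight-line block; a real IFDS-based tool additionally handles branches, calls with summaries and aliasing, which this toy omits.

```python
"""Toy configurable source/sink/propagator taint analysis over a straight-line IR.

Added illustration only. The JSON schema, function names, IR shape and the
"unmodeled callee propagates taint" rule are assumptions of this example,
not the Irbis configuration format or its implementation.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed configuration (hypothetical schema). "arg:N" names the N-th
# call argument (0-based), "ret" the value returned by the call.
CONFIG = json.loads("""
{
  "sources":     [{"func": "recv", "taints": ["arg:1", "ret"]}],
  "propagators": [{"func": "strlen", "from": ["arg:0"], "to": ["ret"]},
                  {"func": "memcpy", "from": ["arg:1"], "to": ["arg:0"]}],
  "sanitizers":  [{"func": "clamp_len", "cleans": ["ret"]}],
  "sinks":       [{"func": "memcpy", "check": ["arg:2"], "weakness": "buffer access with tainted length"},
                  {"func": "malloc", "check": ["arg:0"], "weakness": "allocation with tainted size"}]
}
""")

# IR statements (constructed): ("assign", dst, src) | ("load", dst, ptr) | ("call", ret, func, [args])
Stmt = Tuple

def _by_func(cfg: dict, key: str) -> Dict[str, dict]:
    return {entry["func"]: entry for entry in cfg[key]}

def _var(spec: str, ret: Optional[str], args: List[str]) -> Optional[str]:
    """Resolve a position spec ("ret" / "arg:N") to the variable at that position."""
    if spec == "ret":
        return ret
    return args[int(spec.split(":")[1])]

def analyze(program: List[Stmt], cfg: dict = CONFIG) -> List[dict]:
    """Forward taint propagation over one basic block; returns tainted-sink reports."""
    sources, props = _by_func(cfg, "sources"), _by_func(cfg, "propagators")
    sans, sinks = _by_func(cfg, "sanitizers"), _by_func(cfg, "sinks")
    taint: Dict[str, str] = {}  # variable -> label of the source it came from
    reports: List[dict] = []

    for i, st in enumerate(program):
        if st[0] in ("assign", "load"):
            _, dst, src = st
            if src in taint:
                taint[dst] = taint[src]   # copies and loads from a tainted buffer stay tainted
            else:
                taint.pop(dst, None)      # strong update: dst is overwritten with clean data
            continue

        _, ret, func, args = st
        # 1. Check sinks first: memcpy is both a sink (length) and a propagator (dst buffer).
        for spec in sinks.get(func, {}).get("check", []):
            v = _var(spec, ret, args)
            if v in taint:
                reports.append({"stmt": i, "func": func, "pos": spec,
                                "weakness": sinks[func]["weakness"], "origin": taint[v]})
        # 2. Apply the callee's taint semantics from the configuration.
        if func in sources:
            for spec in sources[func]["taints"]:
                v = _var(spec, ret, args)
                if v is not None:
                    taint[v] = f"{func}@{i}"
        elif func in props:
            origin = next((taint[_var(s, ret, args)] for s in props[func]["from"]
                           if _var(s, ret, args) in taint), None)
            for spec in props[func]["to"]:
                v = _var(spec, ret, args)
                if v is None:
                    continue
                if origin:
                    taint[v] = origin
                else:
                    taint.pop(v, None)
        elif func in sans:
            for spec in sans[func]["cleans"]:
                taint.pop(_var(spec, ret, args), None)
        elif ret is not None:
            # 3. Unmodeled callee (assumed rule): its result depends on any tainted argument.
            origin = next((taint[a] for a in args if a in taint), None)
            if origin:
                taint[ret] = origin
            else:
                taint.pop(ret, None)
    return reports

# Constructed IR for a Heartbleed-style tainted-length bug: the length field is read out of
# the attacker-supplied packet and used, unchecked, as a copy length and as an allocation size.
#   n = recv(fd, pkt, 65535); len = *pkt; memcpy(resp, pkt, len); q = to_host(len); p = malloc(q);
VULNERABLE: List[Stmt] = [
    ("call", "n", "recv", ["fd", "pkt", "65535"]),
    ("load", "len", "pkt"),
    ("call", None, "memcpy", ["resp", "pkt", "len"]),
    ("call", "q", "to_host", ["len"]),
    ("call", "p", "malloc", ["q"]),
]

# Same flow, but the length is first bounded by the number of bytes actually received:
#   len2 = clamp_len(len, n); memcpy(resp, pkt, len2);
HARDENED: List[Stmt] = [
    ("call", "n", "recv", ["fd", "pkt", "65535"]),
    ("load", "len", "pkt"),
    ("call", "len2", "clamp_len", ["len", "n"]),
    ("call", None, "memcpy", ["resp", "pkt", "len2"]),
]

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, analyze(prog))
```

Two design points the toy makes visible: sinks are checked before the callee's own propagation is applied, because a function such as `memcpy` is simultaneously a sink for its length argument and a propagator from its source buffer to its destination; and an unmodeled callee (`to_host` here) propagates taint conservatively, so the only way to stop a report on a genuinely safe path is an explicit sanitizer entry, which is exactly the kind of per-project adjustment a JSON-based definition set allows.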

About the Authors

Nikita Vladimirovich SHIMCHIK
Ivannikov Institute for System Programming of the RAS
Russian Federation

Researcher



Valery Nikolayevich IGNATYEV
Ivannikov Institute for System Programming of the RAS, Lomonosov Moscow State University
Russian Federation

PhD in Computer Science, Senior Researcher at the Ivannikov Institute for System Programming of the RAS and Associate Professor at the System Programming Division of the CMC Faculty of Lomonosov Moscow State University



Andrey Andreevich BELEVANTSEV
Ivannikov Institute for System Programming of the RAS, Lomonosov Moscow State University
Russian Federation

Dr.Sc., Leading Researcher at ISP RAS, Professor at MSU





For citations:


SHIMCHIK N.V., IGNATYEV V.N., BELEVANTSEV A.A. Irbis: static taint analyzer for vulnerabilities detection in C/C++. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2022;34(6):51-66. (In Russ.) https://doi.org/10.15514/ISPRAS-2022-34(6)-4



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)