<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Institute of Software Chinese Academy of Sciences</title> <link href="../../../images/style_en.css" rel="stylesheet" type="text/css"> </head> <body> <div id="main_container"> <div id="header"> <div id="logo"> <a href="#"><img src="http://english.is.cas.cn/images/en_logo.png" width="341" height="58" border="0" /></a> </div> <div class="banner_adds"> <ul> <li><a href="http://english.is.cas.cn">Home</a></li> <li><a href="http://english.is.cas.cn/sitemap/">Sitemap</a></li> <li><a href="http://english.is.cas.cn/au/ct/">Contact</a></li> <li><a href="http://www.is.cas.cn/" target="_blank">中文</a></li> <li style="border:none"><a href="http://english.cas.cn/" target="_blank">CAS</a></li> </ul> </div> <div class="menu"> <ul> <li><a href="http://english.is.cas.cn/au/">About us</a> <!--<![endif]--> <!--[if lte IE 6]><table><tr><td><![endif]--> <ul> <li><a href="http://english.is.cas.cn/au/bi/">Brief Introduction</a></li> <li><a href="http://english.is.cas.cn/au/hy/">History</a></li> <li><a href="http://english.is.cas.cn/au/ds/">Director</a></li> <li><a href="http://english.is.cas.cn/au/aftd/">Address from the Director</a></li> <li><a href="http://english.is.cas.cn/au/an/">Organization</a></li> <li><a href="http://english.is.cas.cn/au/ct/">Contact</a></li> </ul> <!--[if lte IE 6]></td></tr></table></a><![endif]--> </li> <li><a href="http://english.is.cas.cn/rh/">Research</a> <!--[if IE 7]><!--> <!--<![endif]--> <!--[if lte IE 6]><table><tr><td><![endif]--> <ul> <li><a href="http://english.is.cas.cn/rh/rd/">Research Divisions</a></li> <li><a href="http://english.is.cas.cn/rh/rp/">Research Progress</a></li> <li><a href="http://english.is.cas.cn/rh/as/">Achievements</a></li> <li><a href="http://english.is.cas.cn/rh/rps/">Research 
Programs</a></li> <li><a href="http://english.is.cas.cn/rh/tt/">Technology Transfer</a></li> </ul> <!--[if lte IE 6]></td></tr></table></a><![endif]--> </li> <li><a href="http://english.is.cas.cn/pe/">People</a> <!--[if IE 7]><!--> <!--<![endif]--> <!--[if lte IE 6]><table><tr><td><![endif]--> <ul> <li><a href="http://english.is.cas.cn/pe/fas/">Faculty and Staff</a></li> <li><a href="http://english.is.cas.cn/pe/LT/">Managing Team</a></li> <li><a href="http://english.is.cas.cn/pe/cm/">CAS Members</a></li> </ul> <!--[if lte IE 6]></td></tr></table></a><![endif]--> </li> <li><a href="http://english.is.cas.cn/ic/">International Cooperation</a> <!--[if IE 7]><!--> <!--<![endif]--> <!--[if lte IE 6]><table><tr><td><![endif]--> <ul> <li><a href="http://english.is.cas.cn/ic/in/">Introduction</a></li> <li><a href="http://english.is.cas.cn/ic/ip/">International Projects </a></li> <li><a href="http://english.is.cas.cn/ic/ic/">International Conferences </a></li> <li><a href="http://english.is.cas.cn/ic/ios/">International Organizations </a></li> </ul> <!--[if lte IE 6]></td></tr></table></a><![endif]--> </li> <li><a href="http://english.is.cas.cn/ns/">News</a> <!--[if IE 7]><!--> <!--<![endif]--> <!--[if lte IE 6]><table><tr><td><![endif]--> <ul> <li><a href="http://english.is.cas.cn/ns/es/">Events </a></li> <li><a href="http://english.is.cas.cn/ns/icn/">Int’l Cooperation News </a></li> <li><a href="http://english.is.cas.cn/ns/ue/">Upcoming Events</a></li> </ul> <!--[if lte IE 6]></td></tr></table></a><![endif]--> </li> <li><a href="http://english.is.cas.cn/rs/">Resources</a> <!--[if IE 7]><!--> <!--<![endif]--> <!--[if lte IE 6]><table><tr><td><![endif]--> <ul> <li><a href="http://english.is.cas.cn/rs/ma/">Multimedia</a></li> <li><a href="http://english.is.cas.cn/rs/fs/">Facilities</a></li> </ul> <!--[if lte IE 6]></td></tr></table></a><![endif]--> </li> <li><a href="http://english.is.cas.cn/et/">Education & Training</a> <!--[if IE 7]><!--> <!--<![endif]--> <!--[if lte IE 
6]><table><tr><td><![endif]--> <ul> <li><a href="http://english.is.cas.cn/et/education_intro/">Introduction</a></li> <li><a href="http://english.is.cas.cn/et/Enrollment/">Enrollment </a></li> <li><a href="http://english.is.cas.cn/et/Fellowship_Scholarship/">Fellowship&Scholarship </a></li> </ul> <!--[if lte IE 6]></td></tr></table></a><![endif]--> </li> <li><a href="http://english.is.cas.cn/ju/">Join Us</a></li> <li><a href="http://english.is.cas.cn/sp/">Societies & Publications</a></li> <li><a href="http://english.is.cas.cn/ls/">Links</a></li> </ul> </div> </div> <!-- main starts --> <div id="main_content"> <!-- 左侧 开始 --> <div class="column1"> <!-- 左侧_1 开始 --> <div class="left_box"> <div class="top_left_box"> </div> <div class="center_left_box"> <div class="box_title"><span>Research</span> :</div> <div class="box_text"> <p><img src="../../../images/bit02.gif" width="11" height="7" alt="" class="dot" /><a href="../../rd/">Research Divisions</a></p> <p><img src="../../../images/bit02.gif" width="11" height="7" alt="" class="dot" /><a href="../">Research Progress</a></p> <p><img src="../../../images/bit02.gif" width="11" height="7" alt="" class="dot" /><a href="../../as/">Achievements</a></p> <p><img src="../../../images/bit02.gif" width="11" height="7" alt="" class="dot" /><a href="../../rps/">Research Programs</a></p> <p><img src="../../../images/bit02.gif" width="11" height="7" alt="" class="dot" /><a href="../../tt/">Technology Transfer</a></p> </div> </div> <div class="bottom_left_box"> </div> </div> <!-- 左侧_1 结束 --> <!-- 左侧_2 开始 --> <div class="left_box"> <div class="top_left_box"> </div> <div class="center_left_box"> <div class="box_title"><span>Find</span> information:</div> <div class="form"> <div class="form_row"> <label class="left">Search: </label> <input type="text" class="form_input" /> </div> <div style="float:right; padding:10px 25px 10px 0;"> <input type="image" src="../../../images/go.gif" /> </div> </div> </div> <div class="bottom_left_box"> </div> 
</div> <!-- left_2 ends --> </div> <!-- left ends --> <!-- center starts --> <div class="column_right_2"> <div class="column5"> <div class="small_title" style="color:#000000"><a href="../../../" title="Home" class="CurrChnlCls">Home</a> &gt; <a href="../../" title="Research" class="CurrChnlCls">Research</a> &gt; <a href="../" title="Research Progress" class="CurrChnlCls">Research Progress</a></div> <div class="main_text_box"> <div class="main_text_box_5"> <p class="main_text_box_5_title">Researchers Propose an Effective Method for Detecting Concurrency Memory Corruption Vulnerabilities <br /><br /> <span>Date:2019-12-03</span> </p> <div class="TRS_Editor"><div style="text-align: justify"><p class="MsoNormal"><font face="Times New Roman">Memory corruption vulnerabilities that occur in multithreaded executions are known as concurrency vulnerabilities. They are extremely harmful and are frequently exploited to launch severe attacks. Unfortunately, they are very difficult to detect because multithreaded executions are non-deterministic.</font></p><p class="MsoNormal"> </p><p class="MsoNormal"><font face="Times New Roman">One straightforward detection approach would be to explore all possible thread interleavings (e.g., model checking approaches); however, multithreaded programs suffer from the interleaving space explosion problem. Some researchers have tried to apply data race detectors to find concurrency vulnerabilities, but this is ineffective because data races and concurrency vulnerabilities are different problems: many data races are benign, and an order-dependent vulnerability can arise even when every access is protected by synchronization. Recent techniques based on constraint solving tend to miss concurrency vulnerabilities in practice.</font></p><p class="MsoNormal"> </p><p class="MsoNormal"><font face="Times New Roman">Recently, a research team led by Prof. CAI Yan from the State Key Laboratory of Computer Science, Institute of Software of the Chinese Academy of Sciences (ISCAS), presented a novel detection method. 
This method focuses on three kinds of concurrency vulnerabilities involving memory corruption (i.e., UAF: Use-After-Free, NPD: Null-Pointer-Dereference and DF: Double Free), which are mostly considered to be caused by execution order. For example, Figure 1 shows two threads: thread t1 dereferences a pointer via p-&gt;test(), and a second thread t2 frees the same pointer with free(p). A concurrency UAF occurs if thread t2 executes free(p) before thread t1 dereferences p.</font></p><p class="MsoNormal"> </p><p class="MsoNormal"><font face="Times New Roman">The insight is that the key to detecting concurrency vulnerabilities is to determine whether two or more of the memory operation events in a given execution are exchangeable. Based on this, a new concept of <b>Exchangeable Events</b> is proposed to determine whether the order of two events can probably be reversed. Given two ordered events, if there exists a third event (eany in Figure 2) that satisfies a set of relationships (see Figure 2) with the two given events (e1 and e2), there is a high probability that the two events are exchangeable. Intuitively, the smaller the distance between the two given events, the higher the probability that their execution order can be reversed. The team thus proposed evaluating this distance based on a third event, as shown in Figure 2. Exchangeable events are defined across synchronizations; hence, they have larger coverage. The research team further designed three algorithms to detect these three kinds of concurrency vulnerabilities from correct executions based on exchangeable events. 
</font></p><p class="MsoNormal"> </p><p class="MsoNormal"><font face="Times New Roman">Evaluation shows that this method is significantly effective at detecting concurrency vulnerabilities, even in large-scale programs.</font></p><p class="MsoNormal"> </p><p class="MsoNormal"><font face="Times New Roman">The study entitled “Detecting Concurrency Memory Corruption Vulnerabilities” has been published in the 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE2019). </font></p><div><font face="Times New Roman"><br /></font></div><div style="text-align: center"><font face="Times New Roman"><img style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-top-width: 0px" alt="Figure 1. A concurrency vulnerability caused by execution order" oldsrc="W020191205490077015241.jpg" src="./W020191205490077015241.jpg" /><br /></font></div><p class="MsoNormal" style="text-align: center"> </p><p align="center" class="MsoNormal" style="text-align: center"><span lang="EN-US" style="font-family: 'Times New Roman',serif">Figure 1. 
A concurrency vulnerability caused by execution order</span></p><p align="center" class="MsoNormal" style="text-align: center"><span lang="EN-US" style="font-family: 'Times New Roman',serif"><br /></span></p><p align="center" class="MsoNormal" style="text-align: center"><span lang="EN-US" style="font-family: 'Times New Roman',serif"><img style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-top-width: 0px" alt="Figure 2. Illustration of exchangeable events" oldsrc="W020191205487610472686.jpg" src="./W020191205487610472686.jpg" /><br /></span></p><p align="center" class="MsoNormal" style="text-align: center"><span lang="EN-US" style="font-family: 'Times New Roman',serif"><br /></span></p></div><div style="text-align: center"><span lang="EN-US" style="font-size: 10.5pt; font-family: 'Times New Roman',serif">Figure 2. Illustration of exchangeable events</span></div><div style="text-align: center"><span lang="EN-US" style="font-size: 10.5pt; font-family: 'Times New Roman',serif"><br /></span></div><div style="text-align: center"> </div></div> </div> </div> </div> </div> <!-- center ends --> </div> <!-- main ends --> <!-- footer starts --> <div id="footer"> <div id="copyright"> <div>©2011 Institute of Software, CAS. All rights reserved. info(at)iscas.ac.cn</div> </div> </div> </div> <!-- footer ends --> </div> </body> </html>