基于数据流追溯的空指针引用挖掘系统

doi:10.3969/j.issn.1671-1122.2022.09.005

摘要/Abstract

摘要：

空指针异常引用是系统运行过程中的一种常见问题，该问题会引起程序崩溃或者异常退出，同时攻击者也可以利用空指针解引用来完成任意读写操作，导致信息泄露。Java作为一种广泛使用的语言，也存在空指针引用问题，主要原因是对引用变量的指向检查不足。文章提出一种基于数据流追溯的空指针引用检测系统，并设计了静态分析工具jvd。该工具通过特化追踪空指针在容器中的传播，使得空指针变量不会在容器中传播丢失，在中间语言Jimple层面上完成检测并覆盖多种空指针容器传播场景，有效降低复杂场景下的漏报率。在Juliet Test Suite的CWE476号测试集上，将文章所设计的jvd与SpotBugs、Infer等工具进行对比实验。实验结果表明，jvd能够在多种空指针传播场景下使用，在高精度场景下能够取得比其他工具更好的效果。

关键词: 数据流分析, 空指针解引用, Jimple, 容器传播

Abstract:

Null pointer dereference is a common defect in programming, which often causes the program crash or abnormal exit. At the same time, attackers can also use null pointer dereference to complete arbitrary read and write operations, leading to information disclosure. Java is a widely used language, and also suffers from null pointer dereference due to insufficient checks on dereference. In order to avoid the potential risk, this paper proposed a null pointer dereference detection system based on data flow analysis and designed a static analysis tool jvd. This tool implemented analysis on Jimple and covered multiple container propagation cases, especially in containers by special treatment, which effectively reduced the false negative rate in complex scenarios. This paper completed the experiment and compared jvd with several popular tools like SpotBugs and Infer on CWE476 test dataset in Juliet Test Suite, which shows that jvd could be used in multiple null pointer transmission and achieved excellent performance in high accuracy situation.

Key words: data flow analysis, null pointer dereference, Jimple, container propagation

中图分类号:

TP309

文伟平, 刘成杰, 时林. 基于数据流追溯的空指针引用挖掘系统[J]. 信息网络安全, 2022, 22(9): 40-45.

WEN Weiping, LIU Chengjie, SHI Lin. A Null Pointer Reference Mining System Based on Data Flow Tracing[J]. Netinfo Security, 2022, 22(9): 40-45.

图/表 7

图1

图2

表1

表2

表3

表4

表5

参考文献 18

[1]	MITRE. 2022 CWE Top 25 Most Dangerous Software Weaknesses[EB/OL]. (2022-05-03)[2022-05-12]. https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html.
[2]	ZHIOUA Z, SHORT S, ROUDIER Y. Static Code Analysis for Software Security Verification: Problems and Approaches[C]// IEEE. 2014 IEEE 38th International Computer Software and Applications Conference Workshops. New York: IEEE, 2014: 102-109.
[3]	SHAO Lin, ZHANG Xiaosong, SU Enbiao. New Method of Software Vulnerability Detection Based on Fuzzing[J]. Application Research of Computers, 2009, 26(3): 1086-1088.
	邵林, 张小松, 苏恩标. 一种基于fuzzing技术的漏洞发掘新思路[J]. 计算机应用研究, 2009, 26(3): 1086-1088.
[4]	VALLEE-RAI R, HENDREN L J. Jimple: Simplifying Java Bytecode for Analyses and Transformations[EB/OL]. (2004-01-01)[2022-03-25]. https://www.researchgate.net/publication/243776080_Jimple_Simplifying_Java_Bytecode_for_Analyses_and_Transformations.
[5]	WANG Ruiqiang. Null Pointer Reference Pattern Detection Based on Judgment Logic[D]. Beijing: Beijing University of Posts and Telecommunications, 2015.
	王锐强. 基于判断逻辑的空指针引用模式检测[D]. 北京: 北京邮电大学, 2015.
[6]	NANDA M G, SINHA S. Accurate Interprocedural Null-Dereference Analysis for Java[C]// IEEE. 2009 IEEE 31st International Conference on Software Engineering. New York: IEEE, 2009: 133-143.
[7]	MA Sen, ZHAO Wen, XI Xiangyu, et al. Null Pointer Dereference Detection Based on Value Dependences Analysis[J]. Acta Electronica Sinica, 2015, 43(4): 647-651.
	马森, 赵文, 习翔宇, 等. 基于值依赖分析的空指针解引用检测[J]. 电子学报, 2015, 43(4): 647-651.
[8]	BAI Yang, WANG Yuping. Multiple Sensitive Static Method of Detecting Null Pointer Reference Bug[J]. China Sciencepaper, 2014, 9(10): 1131-1136.
	白杨, 王瑀屏. 一种多敏感空指针引用错误的静态检测方法[J]. 中国科技论文, 2014, 9(10): 1131-1136.
[9]	DUAN Jing, JIANG Shujuan, YU Qiao, et al. An Automatic Localization Tool for Null Pointer Exceptions[J]. IEEE Access, 2019(7): 153453-153465.
[10]	JIN Wenhui, ULLAH S, YOO D, et al. NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary[J]. IEEE Access, 2021(9): 90153-90169.
[11]	BRUMLEY D, JAGER I, AVGERINOS T, et al. BAP: A Binary Analysis Platform[C]// Springer. International Conference on Computer Aided Verification. Heidelberg: Springer, 2011: 463-469.
[12]	VALLÉE-RAI R, CO P, GAGNON E, et al. Soot: A Java Bytecode Optimization Framework[C]// ACM. CASCON First Decade High Impact Papers(CASCON’10). New York: ACM, 2010: 214-224.
[13]	NIST. Juliet 1.3 Test Suite: Changes from 1.2[EB/OL]. (2018-06-14)[2022-05-21]. https://doi.org/10.6028/NIST.TN.1995.
[14]	Spotbugs. Find Bugs in Java Programs[EB/OL]. (2022-03-22)[2022-05-08]. https://spotbugs.github.io/.
[15]	TOMASSI D A. Bugs in the Wild: Examining the Effectiveness of Static Analyzers at Finding Real-World Bugs[C]// ACM. 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. New York: ACM, 2018: 980-982.
[16]	Facebook. A Tool to Detect Bugs in Java and C/C++/Objective-C Code Before it Ships[EB/OL]. (2021-11-23)[2022-01-12]. https://fbinfer.com/.
[17]	University of Maryland. FindBugs-Find Bugs in Java Programs[EB/OL]. (2021-05-11)[2022-01-12]. http://findbugs.sourceforge.net/.
[18]	AL-AMEEN M N, HASAN M M, HAMID A. Making Findbugs More Powerful[C]// IEEE. 2011 IEEE 2nd International Conference on Software Engineering and Service Science. New York: IEEE, 2011: 705-708.

语句类型	语句内容
Java语句	String s = null
Java语句	s.length()
原始Jimple语句	r1 = new java.lang.NullPointerException
	specialinvoke r1.<java.lang.NullPointerException: void <init>(java.lang.String)>(“This statement would have triggered an Exception: $stack2 = virtualinvoke s.<java.lang.String: int length()>()")
	throw r1
修改后Jimple语句	r1 = null
修改后Jimple语句	virtualinvoke r1.<java.lang.String: int length()>()

语句	转换方式	转换后	语句解释
a = b	替换	null==b	赋值
a = null	替换	null==null	空赋值
a =@parameter	替换	null==@parameter	参数传递
a = new A()	替换	null==new Expr	构造对象
a = x.y	替换	null==x.y	域引用
if(c= =d)	添加	null==a&&c==d	条件语句
goto:	保留	null==a	跳转语句
a = b+c	删除	\	运算语句
a = x[index]	替换	null==x:index	数组运算
return a	保留	null==a	返回值
a = call()	递归处理	视情况而定	函数调用
a = v.call()	替换	null==v:tag	序列容器
a = m.call()	替换	null==m:key	关联性容器
throw r1	保留	null==a	抛出异常
a =(cast_expr)b	替换	null==b	类型转换

容器类型	容器操作
Array	Array[index] = val
Array	val = Array[index]
Vector	void add(int index, E element)
	boolean add(E element)
	boolean remove(E element)
	E remove(int index)
LinkedList	void add(int index, E element)
	boolean add(E element)
	E remove(int index)
	E remove()
	boolean offer(E element)
HashMap	V put(K Key, V Value)
HashMap	V get(K Key)
Stack	E push(E)
	E pop()
	E peek()

工具	空指针类型	真实报告数/个	缺陷总数/个	漏报率	用时/s
SpotBugs	Integer	6	19	68.4%	5
	StringBuilder	6	19	68.4%	7
	Array	7	18	61.1%	5
	String	6	19	68.4%	5
Infer	Integer	11	19	42.1%	12
	StringBuilder	11	19	42.1%	12
	Array	11	18	38.9%	12
	String	9	19	52.6%	12
jvd	Integer	18	19	5.3%	219
	StringBuilder	18	19	5.3%	228
	Array	17	18	5.6%	186
	String	18	19	5.3%	214