A Null Pointer Reference Mining System Based on Data Flow Tracing

doi:10.3969/j.issn.1671-1122.2022.09.005

Abstract

Abstract:

Null pointer dereference is a common defect in programming, which often causes the program crash or abnormal exit. At the same time, attackers can also use null pointer dereference to complete arbitrary read and write operations, leading to information disclosure. Java is a widely used language, and also suffers from null pointer dereference due to insufficient checks on dereference. In order to avoid the potential risk, this paper proposed a null pointer dereference detection system based on data flow analysis and designed a static analysis tool jvd. This tool implemented analysis on Jimple and covered multiple container propagation cases, especially in containers by special treatment, which effectively reduced the false negative rate in complex scenarios. This paper completed the experiment and compared jvd with several popular tools like SpotBugs and Infer on CWE476 test dataset in Juliet Test Suite, which shows that jvd could be used in multiple null pointer transmission and achieved excellent performance in high accuracy situation.

Key words: data flow analysis, null pointer dereference, Jimple, container propagation

CLC Number:

TP309

WEN Weiping, LIU Chengjie, SHI Lin. A Null Pointer Reference Mining System Based on Data Flow Tracing[J]. Netinfo Security, 2022, 22(9): 40-45.

Figures/Tables 7

References 18

[1]	MITRE. 2022 CWE Top 25 Most Dangerous Software Weaknesses[EB/OL]. (2022-05-03)[2022-05-12]. https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html.
[2]	ZHIOUA Z, SHORT S, ROUDIER Y. Static Code Analysis for Software Security Verification: Problems and Approaches[C]// IEEE. 2014 IEEE 38th International Computer Software and Applications Conference Workshops. New York: IEEE, 2014: 102-109.
[3]	SHAO Lin, ZHANG Xiaosong, SU Enbiao. New Method of Software Vulnerability Detection Based on Fuzzing[J]. Application Research of Computers, 2009, 26(3): 1086-1088.
	邵林, 张小松, 苏恩标. 一种基于fuzzing技术的漏洞发掘新思路[J]. 计算机应用研究, 2009, 26(3): 1086-1088.
[4]	VALLEE-RAI R, HENDREN L J. Jimple: Simplifying Java Bytecode for Analyses and Transformations[EB/OL]. (2004-01-01)[2022-03-25]. https://www.researchgate.net/publication/243776080_Jimple_Simplifying_Java_Bytecode_for_Analyses_and_Transformations.
[5]	WANG Ruiqiang. Null Pointer Reference Pattern Detection Based on Judgment Logic[D]. Beijing: Beijing University of Posts and Telecommunications, 2015.
	王锐强. 基于判断逻辑的空指针引用模式检测[D]. 北京: 北京邮电大学, 2015.
[6]	NANDA M G, SINHA S. Accurate Interprocedural Null-Dereference Analysis for Java[C]// IEEE. 2009 IEEE 31st International Conference on Software Engineering. New York: IEEE, 2009: 133-143.
[7]	MA Sen, ZHAO Wen, XI Xiangyu, et al. Null Pointer Dereference Detection Based on Value Dependences Analysis[J]. Acta Electronica Sinica, 2015, 43(4): 647-651.
	马森, 赵文, 习翔宇, 等. 基于值依赖分析的空指针解引用检测[J]. 电子学报, 2015, 43(4): 647-651.
[8]	BAI Yang, WANG Yuping. Multiple Sensitive Static Method of Detecting Null Pointer Reference Bug[J]. China Sciencepaper, 2014, 9(10): 1131-1136.
	白杨, 王瑀屏. 一种多敏感空指针引用错误的静态检测方法[J]. 中国科技论文, 2014, 9(10): 1131-1136.
[9]	DUAN Jing, JIANG Shujuan, YU Qiao, et al. An Automatic Localization Tool for Null Pointer Exceptions[J]. IEEE Access, 2019(7): 153453-153465.
[10]	JIN Wenhui, ULLAH S, YOO D, et al. NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary[J]. IEEE Access, 2021(9): 90153-90169.
[11]	BRUMLEY D, JAGER I, AVGERINOS T, et al. BAP: A Binary Analysis Platform[C]// Springer. International Conference on Computer Aided Verification. Heidelberg: Springer, 2011: 463-469.
[12]	VALLÉE-RAI R, CO P, GAGNON E, et al. Soot: A Java Bytecode Optimization Framework[C]// ACM. CASCON First Decade High Impact Papers(CASCON’10). New York: ACM, 2010: 214-224.
[13]	NIST. Juliet 1.3 Test Suite: Changes from 1.2[EB/OL]. (2018-06-14)[2022-05-21]. https://doi.org/10.6028/NIST.TN.1995.
[14]	Spotbugs. Find Bugs in Java Programs[EB/OL]. (2022-03-22)[2022-05-08]. https://spotbugs.github.io/.
[15]	TOMASSI D A. Bugs in the Wild: Examining the Effectiveness of Static Analyzers at Finding Real-World Bugs[C]// ACM. 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. New York: ACM, 2018: 980-982.
[16]	Facebook. A Tool to Detect Bugs in Java and C/C++/Objective-C Code Before it Ships[EB/OL]. (2021-11-23)[2022-01-12]. https://fbinfer.com/.
[17]	University of Maryland. FindBugs-Find Bugs in Java Programs[EB/OL]. (2021-05-11)[2022-01-12]. http://findbugs.sourceforge.net/.
[18]	AL-AMEEN M N, HASAN M M, HAMID A. Making Findbugs More Powerful[C]// IEEE. 2011 IEEE 2nd International Conference on Software Engineering and Service Science. New York: IEEE, 2011: 705-708.

语句类型	语句内容
Java语句	String s = null
Java语句	s.length()
原始Jimple语句	r1 = new java.lang.NullPointerException
	specialinvoke r1.<java.lang.NullPointerException: void <init>(java.lang.String)>(“This statement would have triggered an Exception: $stack2 = virtualinvoke s.<java.lang.String: int length()>()")
	throw r1
修改后Jimple语句	r1 = null
修改后Jimple语句	virtualinvoke r1.<java.lang.String: int length()>()

语句	转换方式	转换后	语句解释
a = b	替换	null==b	赋值
a = null	替换	null==null	空赋值
a =@parameter	替换	null==@parameter	参数传递
a = new A()	替换	null==new Expr	构造对象
a = x.y	替换	null==x.y	域引用
if(c= =d)	添加	null==a&&c==d	条件语句
goto:	保留	null==a	跳转语句
a = b+c	删除	\	运算语句
a = x[index]	替换	null==x:index	数组运算
return a	保留	null==a	返回值
a = call()	递归处理	视情况而定	函数调用
a = v.call()	替换	null==v:tag	序列容器
a = m.call()	替换	null==m:key	关联性容器
throw r1	保留	null==a	抛出异常
a =(cast_expr)b	替换	null==b	类型转换

容器类型	容器操作
Array	Array[index] = val
Array	val = Array[index]
Vector	void add(int index, E element)
	boolean add(E element)
	boolean remove(E element)
	E remove(int index)
LinkedList	void add(int index, E element)
	boolean add(E element)
	E remove(int index)
	E remove()
	boolean offer(E element)
HashMap	V put(K Key, V Value)
HashMap	V get(K Key)
Stack	E push(E)
	E pop()
	E peek()

工具	空指针类型	真实报告数/个	缺陷总数/个	漏报率	用时/s
SpotBugs	Integer	6	19	68.4%	5
	StringBuilder	6	19	68.4%	7
	Array	7	18	61.1%	5
	String	6	19	68.4%	5
Infer	Integer	11	19	42.1%	12
	StringBuilder	11	19	42.1%	12
	Array	11	18	38.9%	12
	String	9	19	52.6%	12
jvd	Integer	18	19	5.3%	219
	StringBuilder	18	19	5.3%	228
	Array	17	18	5.6%	186
	String	18	19	5.3%	214