Towards Vulnerability Discovery Using Staged Program Analysis
Bhargava Shastry, Fabian Yamaguchi, Konrad Rieck, and Jean-Pierre Seifert

TL;DR
This paper introduces Melange, a static analysis framework that effectively detects security vulnerabilities in large C and C++ codebases by combining local and global analyses to assist developers in fixing bugs early.
Contribution
The paper presents Melange, a practical vulnerability assessment tool that performs staged program analysis, including demand-driven global analysis, to identify multiple vulnerability types in real-world software.
Findings
Melange scales to large codebases like Chromium.
It detects multiple vulnerability classes such as type confusion.
Static analysis complements testing tools effectively.
Abstract
Eliminating vulnerabilities from low-level code is vital for securing software. Static analysis is a promising approach for discovering vulnerabilities since it can provide developers early feedback on the code they write. But, it presents multiple challenges not the least of which is understanding what makes a bug exploitable and conveying this information to the developer. In this paper, we present the design and implementation of a practical vulnerability assessment framework, called Melange. Melange performs data and control flow analysis to diagnose potential security bugs, and outputs well-formatted bug reports that help developers understand and fix security bugs. Based on the intuition that real-world vulnerabilities manifest themselves across multiple parts of a program, Melange performs both local and global analyses. To scale up to large programs, global analysis is…
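An added example of the staged, local-then-global pattern the abstract describes, written for this page and not taken from Melange: a cheap intraprocedural pass proposes candidate bugs, and a global pass is run on demand only for those candidates, walking just the callers it needs to confirm or refute each one. The toy IR, the bug class (a parameter read before anything initialised it), the sample program and all function names are assumptions made for the illustration.

```python
"""Staged analysis over a toy IR: local pass proposes, demand-driven global
pass confirms. Constructed illustration of the pattern, not Melange's code."""
from dataclasses import dataclass


@dataclass
class Function:
    name: str
    params: tuple   # formal parameter names
    body: list      # straight-line statements, see local_analysis


@dataclass
class Candidate:
    func: str           # function whose local analysis raised the warning
    var: str            # parameter read before this function wrote it
    confirmed_by: list  # callers shown to pass it uninitialised


def local_analysis(fn):
    """Stage 1, per function, no knowledge of callers. Statements:
         ("def", v)            v is written
         ("use", v)            v is read
         ("call", f, (a, ...)) a's are passed by reference to f
    A parameter read before any local write is a candidate; it may be a
    false positive because a caller could have initialised the argument."""
    written, out = set(), []
    for stmt in fn.body:
        if stmt[0] == "def":
            written.add(stmt[1])
        elif stmt[0] == "use" and stmt[1] in fn.params and stmt[1] not in written:
            out.append(Candidate(fn.name, stmt[1], []))
    return out


def call_sites(prog, callee):
    """All (caller name, statement index, actual args) that call callee."""
    return [(f.name, i, stmt[2]) for f in prog.values()
            for i, stmt in enumerate(f.body)
            if stmt[0] == "call" and stmt[1] == callee]


def always_defines(prog, fn, param, stack=()):
    """Lazily computed callee summary: does fn write param, directly or by
    passing it to a callee that does? stack guards against recursion."""
    if (fn.name, param) in stack:
        return False
    for stmt in fn.body:
        if stmt[0] == "def" and stmt[1] == param:
            return True
        if stmt[0] == "call":
            callee = prog[stmt[1]]
            for formal, actual in zip(callee.params, stmt[2]):
                if actual == param and always_defines(
                        prog, callee, formal, stack + ((fn.name, param),)):
                    return True
    return False


def initialised_before(prog, fn, var, upto, stack=()):
    """Is var initialised in fn before statement index upto? If var is one
    of fn's own parameters, walk up to fn's callers (demand-driven)."""
    for stmt in fn.body[:upto]:
        if stmt[0] == "def" and stmt[1] == var:
            return True
        if stmt[0] == "call":
            callee = prog[stmt[1]]
            for formal, actual in zip(callee.params, stmt[2]):
                if actual == var and always_defines(prog, callee, formal):
                    return True
    if var in fn.params:
        sites = call_sites(prog, fn.name)
        if not sites or (fn.name, var) in stack:
            return False  # external entry point or cycle: cannot show it
        pos = fn.params.index(var)
        return all(initialised_before(prog, prog[c], args[pos], i,
                                      stack + ((fn.name, var),))
                   for c, i, args in sites)
    return False


def global_analysis(prog, candidates):
    """Stage 2: examines only callers reachable from a candidate. Keeps a
    candidate if some caller reaches the read with the argument
    uninitialised, or if it has no caller at all (origin unknown)."""
    confirmed = []
    for cand in candidates:
        sites = call_sites(prog, cand.func)
        pos = prog[cand.func].params.index(cand.var)
        bad = [c for c, i, args in sites
               if not initialised_before(prog, prog[c], args[pos], i)]
        if bad or not sites:
            cand.confirmed_by = bad
            confirmed.append(cand)
    return confirmed


def analyse(prog):
    """Run both stages; returns (local candidates, globally confirmed)."""
    cands = [c for fn in prog.values() for c in local_analysis(fn)]
    return cands, global_analysis(prog, cands)


# Constructed sample program in the toy IR, not from any real code base.
SAMPLE = {
    "init_buf":   Function("init_buf", ("b",), [("def", "b")]),
    "parse":      Function("parse", ("b",), [("use", "b")]),
    "handle_ok":  Function("handle_ok", (), [("call", "init_buf", ("hdr",)),
                                            ("call", "parse", ("hdr",))]),
    "handle_bad": Function("handle_bad", (), [("call", "parse", ("raw",))]),
    "wrap":       Function("wrap", ("p",), [("call", "parse", ("p",))]),
    "entry":      Function("entry", (), [("def", "q"), ("call", "wrap", ("q",))]),
    "helper":     Function("helper", ("x",), [("use", "x")]),
    "main":       Function("main", (), [("def", "y"), ("call", "helper", ("y",))]),
}

if __name__ == "__main__":
    cands, confirmed = analyse(SAMPLE)
    print("local candidates:", [(c.func, c.var) for c in cands])
    print("confirmed:", [(c.func, c.var, c.confirmed_by) for c in confirmed])
```

On the sample, the local stage flags both `parse` and `helper`; the global stage refutes `helper` (its only caller initialises `y`), clears the `handle_ok` and `wrap` paths into `parse` (the latter by walking one level further up to `entry`), and confirms `parse` only through `handle_bad`, which is the witness a developer would want in the report.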
Taxonomy
Topics: Software Testing and Debugging Techniques · Security and Verification in Computing · Software Reliability and Analysis Research
