POMP++: Facilitating postmortem program diagnosis with value-set analysis

Dongliang Mu; Yunlan Du; Jianhao Xu; Jun Xu; Xinyu Xing; Bing Mao; Peng Liu

doi:10.1109/TSE.2019.2939528

POMP++: Facilitating postmortem program diagnosis with value-set analysis

Dongliang Mu^*, Yunlan Du, Jianhao Xu, Jun Xu, Xinyu Xing, Bing Mao, Peng Liu

^*Corresponding author for this work

Computer Science

Research output: Contribution to journal › Article › peer-review

9 Scopus citations

Abstract

With the emergence of hardware-assisted processor tracing, execution traces can be logged with lower runtime overhead and integrated into the core dump. In comparison with an ordinary core dump, such a new post-crash artifact provides software developers and security analysts with more clues to a program crash. However, existing works only rely on the resolved runtime information, which leads to the limitation in data flow recovery within long execution traces. In this work, we propose POMP++, an automated tool to facilitate the analysis of post-crash artifacts. More specifically, POMP++ introduces a reverse execution mechanism to construct the data flow that a program followed prior to its crash. Furthermore, POMP++ utilizes Value-set Analysis, which helps to verify memory alias relation, to improve the ability of data flow recovery. With the restored data flow, POMP++ then performs backward taint analysis and highlights program statements that actually contribute to the crash. We have implemented POMP++ for Linux system on x86-32 platform, and tested it against various crashes resulting from 31 distinct real-world security vulnerabilities. The evaluation shows that, our work can pinpoint the root causes in 29 cases, increase the number of recovered memory addresses by 12 percent and reduce the execution time by 60 percent compared with existing reverse execution. In short, POMP++ can accurately and efficiently pinpoint program statements that truly contribute to the crashes, making failure diagnosis significantly convenient.

Original language	English (US)
Pages (from-to)	1929-1942
Number of pages	14
Journal	IEEE Transactions on Software Engineering
Volume	47
Issue number	9
DOIs	https://doi.org/10.1109/TSE.2019.2939528
State	Published - Sep 1 2021

Funding

We thank the anonymous reviewers for their helpful feedback on this paper. This work was supported by ARO W911NF-13-1-0421 (MURI), ARO W911NF-15-1-0576, NSF Award-1718459, NSF CNS-1505664, NSF CNS-1814679, and Chinese National Natural Science Foundation 61272078. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of any funding agencies. An earlier version appeared at the 26th USENIX Security Symposium (USENIX Security ’17) [1].

Keywords

Postmortem program diagnosis
failure diagnosis
reverse execution
value-set analysis

ASJC Scopus subject areas

Software

Access to Document

10.1109/TSE.2019.2939528

Cite this

@article{ef220a64e4794b1e89dcb37bfae9f134,

title = "POMP++: Facilitating postmortem program diagnosis with value-set analysis",

abstract = "With the emergence of hardware-assisted processor tracing, execution traces can be logged with lower runtime overhead and integrated into the core dump. In comparison with an ordinary core dump, such a new post-crash artifact provides software developers and security analysts with more clues to a program crash. However, existing works only rely on the resolved runtime information, which leads to the limitation in data flow recovery within long execution traces. In this work, we propose POMP++, an automated tool to facilitate the analysis of post-crash artifacts. More specifically, POMP++ introduces a reverse execution mechanism to construct the data flow that a program followed prior to its crash. Furthermore, POMP++ utilizes Value-set Analysis, which helps to verify memory alias relation, to improve the ability of data flow recovery. With the restored data flow, POMP++ then performs backward taint analysis and highlights program statements that actually contribute to the crash. We have implemented POMP++ for Linux system on x86-32 platform, and tested it against various crashes resulting from 31 distinct real-world security vulnerabilities. The evaluation shows that, our work can pinpoint the root causes in 29 cases, increase the number of recovered memory addresses by 12 percent and reduce the execution time by 60 percent compared with existing reverse execution. In short, POMP++ can accurately and efficiently pinpoint program statements that truly contribute to the crashes, making failure diagnosis significantly convenient.",

keywords = "Postmortem program diagnosis, failure diagnosis, reverse execution, value-set analysis",

author = "Dongliang Mu and Yunlan Du and Jianhao Xu and Jun Xu and Xinyu Xing and Bing Mao and Peng Liu",

note = "Funding Information: We thank the anonymous reviewers for their helpful feedback on this paper. This work was supported by ARO W911NF-13-1-0421 (MURI), ARO W911NF-15-1-0576, NSF Award-1718459, NSF CNS-1505664, NSF CNS-1814679, and Chinese National Natural Science Foundation 61272078. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of any funding agencies. An earlier version appeared at the 26th USENIX Security Symposium (USENIX Security {\textquoteright}17) [1]. Publisher Copyright: {\textcopyright} 1976-2012 IEEE.",

year = "2021",

month = sep,

day = "1",

doi = "10.1109/TSE.2019.2939528",

language = "English (US)",

volume = "47",

pages = "1929--1942",

journal = "IEEE Transactions on Software Engineering",

issn = "0098-5589",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "9",

}

TY - JOUR

T1 - POMP++

T2 - Facilitating postmortem program diagnosis with value-set analysis

AU - Mu, Dongliang

AU - Du, Yunlan

AU - Xu, Jianhao

AU - Xu, Jun

AU - Xing, Xinyu

AU - Mao, Bing

AU - Liu, Peng

N1 - Funding Information: We thank the anonymous reviewers for their helpful feedback on this paper. This work was supported by ARO W911NF-13-1-0421 (MURI), ARO W911NF-15-1-0576, NSF Award-1718459, NSF CNS-1505664, NSF CNS-1814679, and Chinese National Natural Science Foundation 61272078. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of any funding agencies. An earlier version appeared at the 26th USENIX Security Symposium (USENIX Security ’17) [1]. Publisher Copyright: © 1976-2012 IEEE.

PY - 2021/9/1

Y1 - 2021/9/1

N2 - With the emergence of hardware-assisted processor tracing, execution traces can be logged with lower runtime overhead and integrated into the core dump. In comparison with an ordinary core dump, such a new post-crash artifact provides software developers and security analysts with more clues to a program crash. However, existing works only rely on the resolved runtime information, which leads to the limitation in data flow recovery within long execution traces. In this work, we propose POMP++, an automated tool to facilitate the analysis of post-crash artifacts. More specifically, POMP++ introduces a reverse execution mechanism to construct the data flow that a program followed prior to its crash. Furthermore, POMP++ utilizes Value-set Analysis, which helps to verify memory alias relation, to improve the ability of data flow recovery. With the restored data flow, POMP++ then performs backward taint analysis and highlights program statements that actually contribute to the crash. We have implemented POMP++ for Linux system on x86-32 platform, and tested it against various crashes resulting from 31 distinct real-world security vulnerabilities. The evaluation shows that, our work can pinpoint the root causes in 29 cases, increase the number of recovered memory addresses by 12 percent and reduce the execution time by 60 percent compared with existing reverse execution. In short, POMP++ can accurately and efficiently pinpoint program statements that truly contribute to the crashes, making failure diagnosis significantly convenient.

AB - With the emergence of hardware-assisted processor tracing, execution traces can be logged with lower runtime overhead and integrated into the core dump. In comparison with an ordinary core dump, such a new post-crash artifact provides software developers and security analysts with more clues to a program crash. However, existing works only rely on the resolved runtime information, which leads to the limitation in data flow recovery within long execution traces. In this work, we propose POMP++, an automated tool to facilitate the analysis of post-crash artifacts. More specifically, POMP++ introduces a reverse execution mechanism to construct the data flow that a program followed prior to its crash. Furthermore, POMP++ utilizes Value-set Analysis, which helps to verify memory alias relation, to improve the ability of data flow recovery. With the restored data flow, POMP++ then performs backward taint analysis and highlights program statements that actually contribute to the crash. We have implemented POMP++ for Linux system on x86-32 platform, and tested it against various crashes resulting from 31 distinct real-world security vulnerabilities. The evaluation shows that, our work can pinpoint the root causes in 29 cases, increase the number of recovered memory addresses by 12 percent and reduce the execution time by 60 percent compared with existing reverse execution. In short, POMP++ can accurately and efficiently pinpoint program statements that truly contribute to the crashes, making failure diagnosis significantly convenient.

KW - Postmortem program diagnosis

KW - failure diagnosis

KW - reverse execution

KW - value-set analysis

UR - http://www.scopus.com/inward/record.url?scp=85115262252&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85115262252&partnerID=8YFLogxK

U2 - 10.1109/TSE.2019.2939528

DO - 10.1109/TSE.2019.2939528

M3 - Article

AN - SCOPUS:85115262252

SN - 0098-5589

VL - 47

SP - 1929

EP - 1942

JO - IEEE Transactions on Software Engineering

JF - IEEE Transactions on Software Engineering

IS - 9

ER -

POMP++: Facilitating postmortem program diagnosis with value-set analysis

Abstract

Funding

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this