Abstract
With the emergence of hardware-assisted processor tracing, execution traces can be logged with low runtime overhead and integrated into the core dump. Compared with an ordinary core dump, such a post-crash artifact gives software developers and security analysts far more clues about a program crash. However, existing work relies only on runtime information that is already resolved, which limits data flow recovery within long execution traces. In this work, we propose POMP++, an automated tool that facilitates the analysis of post-crash artifacts. More specifically, POMP++ introduces a reverse execution mechanism that reconstructs the data flow the program followed prior to its crash. Furthermore, POMP++ uses value-set analysis to verify memory alias relations, which improves its ability to recover data flow. With the restored data flow, POMP++ then performs backward taint analysis and highlights the program statements that actually contribute to the crash. We have implemented POMP++ for Linux on the x86-32 platform and tested it against crashes resulting from 31 distinct real-world security vulnerabilities. The evaluation shows that POMP++ pinpoints the root cause in 29 cases, recovers 12 percent more memory addresses, and reduces execution time by 60 percent compared with existing reverse execution. In short, POMP++ accurately and efficiently pinpoints the program statements that truly contribute to a crash, making failure diagnosis significantly more convenient.
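The pipeline the abstract describes (a control-flow trace plus the register and memory state from the core dump, reverse execution to recover earlier values, then backward taint from the faulting operand) can be seen in miniature below. This is an added illustration, not code from POMP++ or its authors: the instruction set is a toy five-opcode IL rather than x86, the trace, dump values and addresses are all constructed, and there is no value-set analysis at all. Reverse execution is a single backward pass, so when a store's address register has been clobbered before the crash the pass must forget every memory fact, and backward taint must then treat that store as a possible alias of any tainted cell. The second constructed trace, `TRACE_CLOBBER`, triggers exactly that case and blames an unrelated store, which is the kind of imprecision the alias verification in the paper is meant to remove.

```python
"""Toy POMP-style crash diagnosis: reverse execution from the core dump, then
backward taint from the faulting operand. Added illustration, not the authors'
code; it has no value-set analysis, so TRACE_CLOBBER shows the alias gap."""
# Toy IL (registers are strings, immediates are ints): ("mov", dst, src)
# ("add", dst, src) ("load", dst, areg) ("store", areg, src) ("deref", areg)=crash
MASK = 0xFFFFFFFF  # x86-32 register width
ANY = "?"          # tainted memory cell whose address could not be recovered

def is_reg(x):
    return isinstance(x, str)

def reverse_execute(trace, dump):
    """pre[i] = recovered {"regs", "mem"} just before trace[i]; absent = unknown."""
    post = {"regs": dict(dump["regs"]), "mem": dict(dump["mem"])}
    pre_states = [None] * len(trace)
    for i in range(len(trace) - 1, -1, -1):
        op, *args = trace[i]
        pre = {"regs": dict(post["regs"]), "mem": dict(post["mem"])}
        if op == "mov":
            dst, src = args
            if dst != src:
                pre["regs"].pop(dst, None)                 # overwritten, lost
                if is_reg(src) and dst in post["regs"]:
                    pre["regs"][src] = post["regs"][dst]   # src == dst afterwards
        elif op == "add":
            dst, src = args
            d = post["regs"].get(dst)
            s = post["regs"].get(src) if is_reg(src) else src
            pre["regs"].pop(dst, None)
            if d is not None and s is not None and dst != src:
                pre["regs"][dst] = (d - s) & MASK          # invert the add
        elif op == "load":
            dst, areg = args
            pre["regs"].pop(dst, None)
            addr = pre["regs"].get(areg)
            if addr is not None and dst in post["regs"]:
                pre["mem"][addr] = post["regs"][dst]       # the cell held that value
        elif op == "store":
            areg, src = args
            addr = pre["regs"].get(areg)
            if addr is None:
                pre["mem"] = {}   # unknown target may alias any cell: forget memory
            else:
                old = pre["mem"].pop(addr, None)
                if is_reg(src) and old is not None:
                    pre["regs"][src] = old                 # stored value == old cell
        pre_states[i] = post = pre
    return pre_states

def backward_taint(trace, pre_states, crash_reg):
    """Indices of trace entries whose definition reaches the crashing operand."""
    tainted, hits = {("reg", crash_reg)}, []
    for i in range(len(trace) - 1, -1, -1):
        (op, *args), pre = trace[i], pre_states[i]
        if op == "deref":
            continue
        if op == "store":
            areg, src = args
            addr = pre["regs"].get(areg)
            if addr is None:                      # may alias any tainted cell
                hit = any(t[0] == "mem" for t in tainted)
            else:
                hit = ("mem", addr) in tainted or ("mem", ANY) in tainted
            if not hit:
                continue
            tainted.discard(("mem", addr))
            uses = [areg, src]
        else:
            dst, src = args
            if ("reg", dst) not in tainted:
                continue
            tainted.discard(("reg", dst))
            uses = [src, dst] if op == "add" else [src]
            if op == "load":                      # value came from mem[src]
                addr = pre["regs"].get(src)
                tainted.add(("mem", ANY if addr is None else addr))
        tainted.update(("reg", u) for u in uses if is_reg(u))
        hits.append(i)
    return sorted(hits)

def analyze(trace, dump):
    pre_states = reverse_execute(trace, dump)   # trace must end at ("deref", reg)
    return pre_states, backward_taint(trace, pre_states, trace[-1][1])

# Constructed trace: an index at mem[0x1000] is overwritten through an alias
# (ecx == ebx) and folded into the pointer that faults. Dump values are made up.
TRACE_ALIAS = [
    ("mov", "ebx", 0x1000), ("mov", "ecx", "ebx"), ("mov", "eax", 8),
    ("store", "ebx", "eax"), ("mov", "edx", 0x41414141), ("store", "ecx", "edx"),
    ("load", "esi", "ebx"), ("add", "esi", "ebx"), ("mov", "eax", 0),
    ("deref", "esi")]
DUMP_ALIAS = {"regs": {"ebx": 0x1000, "ecx": 0x1000, "eax": 0,
                       "edx": 0x41414141, "esi": 0x41415141},
              "mem": {0x1000: 0x41414141}}
# Constructed trace whose store address register is clobbered before the crash:
# without alias verification the unrelated store at index 2 is blamed as well.
TRACE_CLOBBER = [("mov", "edi", 0x3000), ("mov", "eax", 5), ("store", "edi", "eax"),
                 ("mov", "edi", 0x1000), ("load", "esi", "edi"), ("deref", "esi")]
DUMP_CLOBBER = {"regs": {"edi": 0x1000, "eax": 5, "esi": 0xDEADBEEF},
                "mem": {0x1000: 0xDEADBEEF, 0x3000: 5}}
```

On `TRACE_ALIAS`, reverse execution inverts the `add` to recover `esi` before instruction 7, learns from the `load` that `mem[0x1000]` held `0x41414141` before instruction 6, and resolves the aliasing store at index 5 because `ecx` survives in the dump; backward taint therefore flags indices 0, 1, 4, 5, 6 and 7 and leaves the overwritten, benign store at index 3 alone. On `TRACE_CLOBBER` the address of the store at index 2 is gone from the dump, the backward pass drops all memory facts at that point, and the taint pass conservatively flags every instruction, including the store to `0x3000` that never touched the faulting cell; that over-approximation is what an alias check such as value-set analysis is there to tighten.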
| Field | Value |
|---|---|
| Original language | English (US) |
| Pages (from-to) | 1929-1942 |
| Number of pages | 14 |
| Journal | IEEE Transactions on Software Engineering |
| Volume | 47 |
| Issue number | 9 |
| DOIs | |
| State | Published - Sep 1 2021 |
Funding
We thank the anonymous reviewers for their helpful feedback on this paper. This work was supported by ARO W911NF-13-1-0421 (MURI), ARO W911NF-15-1-0576, NSF Award-1718459, NSF CNS-1505664, NSF CNS-1814679, and Chinese National Natural Science Foundation 61272078. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of any funding agencies. An earlier version appeared at the 26th USENIX Security Symposium (USENIX Security ’17) [1].
Keywords
- Postmortem program diagnosis
- failure diagnosis
- reverse execution
- value-set analysis
ASJC Scopus subject areas
- Software