Dissertation Defense

Efficient Dynamic Detection of Input Related Software Faults

Eric Larson

Final defense chair: Todd Austin

Bugs caused by improperly bounded program inputs cost software companies millions of dollars annually. These bugs can be exploited by malicious users, allowing them to overwrite buffers and execute harmful code. This thesis describes a dynamic approach for detecting input-related software faults that is both efficient and reduces the dependence on the input provided to the program.

In this work, we address one of the major drawbacks associated with dynamic bug detection: its dependence on the particular input. Typically, a user must specify a precise input in order to expose the bug. Our approach relaxes this requirement by shadowing input-derived variables with additional state that characterizes the allowed bounds. Potentially hazardous program sites, such as array references and string functions, are checked against the entire range of values that the user could specify. If any specifiable input could cause a fault, the program displays an error message. Overall, our approach found several bugs, including two high-risk security bugs in a recent version of OpenSSH.
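To make the shadowing idea concrete, here is a small added illustration (not code from the dissertation or its checker): each input-derived variable carries an interval of values the user could have supplied, arithmetic propagates that interval, a bounds check tightens it, and an array reference is flagged if any value in the interval would be out of bounds, even when the concrete value in this run is fine. The `shadow_t` representation and helper names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* A shadowed variable: the concrete value the program currently holds plus
 * the interval [lo, hi] of values any specifiable input could have produced. */
typedef struct { int val, lo, hi; } shadow_t;

/* Reading one untrusted byte: concrete value now, but the shadow records the
 * full range the user could have supplied. */
shadow_t input_byte(unsigned char v) { shadow_t s = { v, 0, 255 }; return s; }

/* A program constant carries no input-derived uncertainty. */
shadow_t constant(int c) { shadow_t s = { c, c, c }; return s; }

/* Arithmetic propagates bounds along with the value (interval addition). */
shadow_t add(shadow_t a, shadow_t b) {
    shadow_t s = { a.val + b.val, a.lo + b.lo, a.hi + b.hi };
    return s;
}

/* Scaling by a non-negative constant (e.g. a record size) widens the interval. */
shadow_t scale(shadow_t a, int k) {  /* assumes k >= 0 */
    shadow_t s = { a.val * k, a.lo * k, a.hi * k };
    return s;
}

/* A guard such as `if (x > max) x = max;` tightens the upper bound: this is
 * how a properly bounded input becomes provably safe at the hazardous site. */
shadow_t clamp_max(shadow_t a, int max) {
    shadow_t s = a;
    if (s.val > max) s.val = max;
    if (s.hi > max) s.hi = max;
    return s;
}

/* Check an array reference arr[idx] (array of `len` elements) against the
 * whole interval, not just the concrete value: true if ANY specifiable input
 * could index out of bounds, even when the current run is in bounds. */
bool index_unsafe(shadow_t idx, int len) { return idx.lo < 0 || idx.hi >= len; }

int main(void) {
    shadow_t idx = input_byte(5);            /* this run happened to read 5 */
    printf("buf[64], idx=5 unguarded: %s\n", index_unsafe(idx, 64) ? "FAULT" : "ok");
    shadow_t safe = clamp_max(idx, 63);      /* after a bounds check */
    printf("buf[64], idx=5 clamped:   %s\n", index_unsafe(safe, 64) ? "FAULT" : "ok");
    shadow_t off = add(scale(input_byte(1), 4), constant(3)); /* 4*b + 3, b in [0,255] */
    printf("buf[1024], off=7:         %s\n", index_unsafe(off, 1024) ? "FAULT" : "ok");
    return 0;
}
```

The first check reports a fault although the concrete index 5 is in bounds, because the shadow interval [0, 255] shows a different input would overflow; the clamped version passes.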

Another downside to finding software faults at run time is the impact on performance. To lessen this impact, instrumentation is applied only to statements that manipulate variables containing input-derived data and whose result will eventually be used in a dangerous operation. In addition, we improved the management of the additional state needed by the checker by tightly integrating the instrumentation with the compiler. Applying both of these optimizations improved performance by 58%.

Sponsored by

Todd Austin