UFO: Predictive Concurrency Use-After-Free Detection

Title: UFO: Predictive Concurrency Use-After-Free Detection
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Huang, Jeff
Conference Name: 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE)
Date Published: May 2018
Keywords: Browsers, Chromium, common attack vectors, composability, Concurrency, concurrency UAF, concurrency use-after-free detection, Concurrent computing, concurrent programs, critical software systems, cyber-physical system, Cyber-physical systems, encoding, extended maximal thread causality model, Instruction sets, larger thread scheduling space, Metrics, multi-threading, multithreaded execution trace, Predictive Metrics, program debugging, program diagnostics, program operating, provably higher detection capability, pubcrawl, rare thread schedules, resilience, Resiliency, Schedules, scheduling, security of data, single observed execution trace, Tools, UAF, UAF detection, UAF vulnerabilities, UFO, UFO scales, use-after-free vulnerabilities, vulnerabilities

Use-After-Free (UAF) vulnerabilities are caused by the program operating on a dangling pointer and can be exploited to compromise critical software systems. While there have been many tools to mitigate UAF vulnerabilities, UAF remains one of the most common attack vectors. UAF is particularly difficult to detect in concurrent programs, in which a UAF may only occur under rare thread schedules. In this paper, we present a novel technique, UFO, that can precisely predict UAFs based on a single observed execution trace, with a provably higher detection capability than existing techniques and no false positives. The key technical advancement of UFO is an extended maximal thread causality model that captures the largest possible set of feasible traces that can be inferred from a given multithreaded execution trace. By formulating UAF detection as a constraint solving problem atop this model, we can explore a much larger thread scheduling space than classical happens-before based techniques. We have evaluated UFO on several real-world, large, complex C/C++ programs including Chromium and Firefox. UFO scales to real-world systems with hundreds of millions of events in their execution and has detected a large number of real concurrency UAFs.

Citation Key: huang_ufo:_2018