NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary

Null pointer dereference (NPD) is a widespread vulnerability that occurs whenever an executing program attempts to dereference a null pointer. An NPD vulnerability can be exploited by hackers to maliciously crash a process to cause a denial of service or to execute arbitrary code under specific conditions. This typical taint-style vulnerability requires an accurate data dependency analysis to trace whether a source is propagated to a sensitive sink without proper sanitization. The primary challenge in data dependency analysis is pointer aliasing, which may significantly affect the vulnerability detection accuracy. Although there have been many studies and open-source tools, they still have limitations when analyzing a real-world binary. In this paper, we propose a static binary analysis approach to detect NPD vulnerabilities. To improve detection accuracy and practicality, we first identify two challenges that affect the accuracy of binary NPD detection: (i) pointer aliasing, and (ii) untrusted source identification. Then we implement a prototype of the proposed approach, NPDHunter, and evaluate it against 318 test cases provided by Juliet Test Suite v1.3. For the Juliet dataset, NPDHunter is accurate in detecting NPDs and generates 0% false negatives, compared to bap-toolkit and cwe_checker, which have false-negative rates of 70.89% and 89.81%, respectively. We also evaluate NPDHunter on real-world binaries for which NPD vulnerabilities were recently reported. We have analyzed the XNU kernel (large-scale), Redis, Bitlbee, libredwg, and libvncserver binaries, and NPDHunter can detect all NPD cases, which justifies its usefulness for real-world binaries compiled for the x86_64 architecture.

Bibliographic Details

Main Authors: Wenhui Jin, Sami Ullah, Dongmin Yoo, Heekuck Oh (Department of Computer Science and Engineering, Hanyang University, Ansan, South Korea)
Format: Article
Language: English
Published: IEEE, 2021-01-01
Series: IEEE Access (ISSN 2169-3536)
DOI: 10.1109/ACCESS.2021.3091209
Subjects: Null pointer dereference; binary analysis; vulnerability detection; static analysis; data dependency
Online Access: https://ieeexplore.ieee.org/document/9461802/