An Efficient Metric-Based Approach for Static Use-After-Free Detection

Nowadays, attackers are increasingly using Use-After-Free(UAF) vulnerabilities to create threats against software security. Existing static approaches for UAF detection are capable of finding potential bugs in the large code base. In most cases, analysts perform manual inspections to verify whether the warnings detected by static analysis are real vulnerabilities. However, due to the complex constraints of constructing UAF vulnerability, it is very time and cost-intensive to screen all warnings. In fact, many warnings should be discarded before the manual inspection phase because they are almost impossible to get triggered in real-world, and it is often overlooked by current static analysis techniques. In this paper, we introduce a metric-based static analysis approach, named MAD, for efficiently identifying UAF vulnerabilities by removing redundant warnings. We design two sets of systematic metrics to drive MAD. First, we apply lightweight static analysis to locate potential UAF pairs and use Feature Metrics to gather their feature information into an evaluation pool. Then, we use Controllability Metrics to rank the evaluation pools and filter out the high ones as candidates for subsequent manual inspection. We have implemented MAD and evaluated it using Juliet Test Suite and a set of eight open-source C programs. MAD can locate all UAF bugs in Juliet Test Suite within a recognizable range, showing effectiveness and scalability by detecting 5 known CVEs with 1,286 KLOC in just 1.6 hours. Furthermore, we can achieve an average 75% reduction rate for reported warnings and save about half the time in locating UAF vulnerabilities during manual inspection.