Author ORCID Identifier

https://orcid.org/0009-0006-4673-065X

Semester

Summer

Date of Graduation

2024

Document Type

Dissertation (Open Access)

Degree Type

PhD

College

Statler College of Engineering and Mineral Resources

Department

Lane Department of Computer Science and Electrical Engineering

Committee Chair

Thomas Devine

Committee Co-Chair

Katerina Goseva-Popstojanova

Committee Member

Katerina Goseva-Popstojanova

Committee Member

Brian Powell

Committee Member

Brian Woerner

Committee Member

Jesse Samluk

Abstract

Undefined behavior in C programs is a major source of unreliable software. Many of the most common exploitable software vulnerabilities can be traced directly to undefined behavior. In an increasingly connected world, a successful attack can cost the victim millions of dollars to recover from. While static program analysis aids in identifying undefined behavior, testing indicates that even the best static analysis tools correctly identify about 35% of these defects. This dissertation introduces UNG’s Not GNU (UNG), a standard C library designed to mitigate undefined behavior. Where others have seen opportunities for optimization, UNG makes every effort to identify undefined behavior at run time and, when encountered, prevent it from becoming an exploit vector by terminating the program with a detailed diagnostic message. It can be used to protect and diagnose existing programs without recompilation, or it can provide more details when programs are recompiled to use it directly. In tests, UNG reliably diagnoses 59 of the 110 types of undefined behavior related to the standard library. This is 14750% more than the average of 0.4 identified by existing implementations, or 5900% more than the next best result of 1. Compared to static analysis tools, UNG correctly identifies 55% more samples than the best performer (38), and 178% more than the average of 21.25. Testing against exploitable Common Vulnerabilities and Exposures (CVEs) also shows that UNG is capable of preventing known attacks from succeeding, providing confidence that it will also prevent future unknown attacks of a similar nature.
