SCAD: Controlled Memory Allocation Analysis and Detection

COMPSAC '15 Proceedings of the 2015 IEEE 39th Annual Computer Software and Applications Conference - Volume 02 (2015)

Abstract
Memory errors have been one of the main causes of software vulnerabilities. This paper discusses an issue called controlled memory allocation (CMA), which occurs when key elements of memory allocation are affected by elaborately designed input data. This paper proposes a renovated approach to CMA detection, utilizing static analysis and optimizing the symbolic execution system with path-guided technologies. Combining these technologies with the state-of-the-art symbolic execution engine KLEE, we present a prototype CMA detection tool, SCAD. SCAD was tested on commonly used applications such as Coreutils and Texinfo, where it found 14 CMA-related bugs, including 5 previously unknown ones. SCAD's path-guided searcher could reach an assigned target faster and with more paths than the other path searchers provided by KLEE. Two memory allocation sites in Coreutils could not be reached by 8 path searchers provided by KLEE in five minutes, but SCAD's path-guided searcher could reach them in 24 seconds and 17 seconds respectively. For memory-allocation-related code, SCAD executes faster with higher coverage than conventional symbolic execution engines.