Open Access
Xu, Jun
Graduate Program:
Information Sciences and Technology
Doctor of Philosophy
Document Type:
Date of Defense:
May 10, 2018
Committee Members:
  • Peng Liu, Dissertation Advisor
  • Peng Liu, Committee Chair
  • Sencun Zhu, Committee Member
  • Xinyu Xing, Committee Member
  • Trent Ray Jaeger, Outside Member
  • Software security
  • Software crash diagnosis
  • Software vulnerability
Software systems are expanding into every aspect of human society. Accompanying this expansion comes a substantial growth of motivated adversaries and sophisticated attacks. This pair of impulses make it imperative to secure software systems. To the security of software systems, a fundamental threat is vulnerability — a type of defect that allows adversaries to exploit for malicious intentions. The battle against software vulnerabilities started two decades ago. Recently, the security community has been developing a consistent philosophy. It starts with vulnerability discoveries during product development and in-house testing. These are augmented by re-engineering the software systems to enforce run-time protections. These two lines of technique mitigate a great number of vulnerabilities, but they cannot resolve all of them. The reason behind is that vulnerability discovery does not scale well to large software and complicated vulnerabilities while in-depth run-time protection incurs performance overhead that goes beyond practical acceptance. This results in the practice that a substantial number of vulnerabilities are shipped to end users and we have no corresponding counteractions. Among those unresolved vulnerabilities, there is an interesting observation — when those vulnerabilities are triggered either during exploit tests by attackers or normal operations by benign users, the software often runs into failure. The most common type of failure is software crash. According to Microsoft, it observes millions of crashes every day. Among the root causes of those crashes, nearly 10% are vulnerabilities. My dissertation research is inspired by this practice and explores to identify unresolved vulnerabilities with automated software crash diagnosis. After a software has crashed, it typically leaves behind a snapshot of its crashing state in the form of a core dump. I design and implement CREDAL, an automatic diagnosis tool, to combine information in the core dump and source code of the crashed program to provide informative aid in tracking down the crash causes. CREDAL is featured with the capability to analyze crashes due to a common type of vulnerability known as memory corruption. For a core dump carrying corrupted memory, CREDALsystematically analyzes the core dump and identifies the crash point and stack frames. Further, CREDAL pinpoints the objects holding corrupted data using the source code along with the stack frames. To assist in tracking down the root cause, CREDAL also performs analysis and highlights the source code fragments responsible for the memory corruption. The development of CREDAL carries two assumptions — source code is available and the crash occurred in a random exercise scenario. Because of that, CREDAL may experience usability and reliability problems. To address those shortcomings of CREDAL, I then designed POMP to locate the vulnerabilities behind software crashes, even when the source codes are unavailable and the crashed execution was under attack. POMP leverages a hardware feature on recent generations of Intel processors, Processor Tracing (PT), to trace the software execution and it includes the trace in the core dump. Along with the execution trace, POMP introduces a new reverse execution mechanism to construct the data flow prior to the crash. POMP then performs a backward taint analysis and highlights those instructions that actually pertain to the vulnerability, making the diagnosis more effective.