Pointer Analysis


Last updated 11 months ago


Intro

Problem with CHA: imprecision

CHA only considers the class hierarchy and ignores data-flow information. For a virtual call such as x.get(), it resolves the target to every override of get() in the subclasses of the declared type, even when x can only ever hold an object of one of those classes, so the call graph contains edges that are never taken at run time.

Constant propagation over such a call graph merges the return values of all those targets, so the result is x = NAC (imprecise) even though only one target can actually execute.

This is the motivation for introducing pointer analysis.

It is a fundamental static analysis based on the points-to relation. For Java, it computes which objects a pointer (a variable or a field) may point to. It is an over-approximation (a may analysis): the computed points-to set of a pointer contains every object the pointer can hold at run time, and possibly more.

Two closely related but different concepts

  • Pointer analysis: which objects a pointer can point to?

  • Alias analysis: can two pointers point to the same object?

Alias information can be derived from points-to relations: if the points-to sets of two pointers intersect, they may be aliases; if the sets are disjoint, they cannot alias.

Applications of Pointer Analysis:

  • Fundamental information

    • Call graph, aliases

  • Compiler optimization

    • Virtual call inlining

  • Bug detection

    • Null pointer detection

  • Security analysis

    • information flow analysis

  • ......

Pointer analysis is one of the most fundamental static program analyses, on which virtually all others are built.

Factors

Multiple factors affect the precision and efficiency of pointer analysis:

  • Heap abstraction

    • Problem: how to model heap memory

    • Choices: allocation-site, storeless

  • Context sensitivity

    • Problem: how to model calling contexts

    • Choices: context-sensitive, context-insensitive

  • Flow sensitivity

    • Problem: how to model control flow

    • Choices: flow-sensitive, flow-insensitive

  • Analysis scope

    • Problem: which parts of the program should be analyzed

    • Choices: whole-program, demand-driven

Heap Abstraction

In dynamic execution, the number of heap objects can be unbounded due to loops and recursion.

To ensure termination, heap abstraction models the dynamically allocated, unbounded set of concrete objects as a finite set of abstract objects for static analysis.

The most commonly-used heap abstraction is allocation-site abstraction:

  • Model concrete objects by their allocation sites

  • One abstract object per allocation site represents all the concrete objects allocated there

The price is precision: every object created at one site (for example inside a loop body or a factory method) is merged into a single abstract object.

Context Sensitivity

Context-sensitive:

  • Distinguish different calling contexts of a method

  • Analyze each method multiple times, once for each context

Context-insensitive:

  • Merge all calling contexts of a method

  • Analyze each method once

A context-insensitive analysis may lose precision: when a method is called from several sites with different arguments, the points-to sets of its parameters and of its return value are merged, so every call site sees the objects passed in by all the others.

Flow Sensitivity

Flow-sensitive:

  • Respect the execution order of the statements

  • Maintain a map of points-to relations at each program location

Flow-insensitive:

  • Ignore the control-flow order and treat the program as a set of unordered statements

  • Maintain one map of points-to relations for the whole program

All data-flow analyses we have learnt previously are flow-sensitive.

For Java there is no hard evidence that flow-sensitive pointer analysis is significantly more precise than flow-insensitive analysis, while flow-insensitive analysis is cheaper (one points-to map instead of one per program location), so this lecture chooses flow-insensitive analysis. The cost is that a variable assigned twice, as in s = new One(); s = new Two(); s.get(), points to both objects at every statement.

Analysis Scope

Whole-program:

  • Compute points-to information for all pointers in the program

  • Provide information for all possible clients

Demand-driven:

  • Only compute points-to information for the pointers that may affect specific sites of interest (on demand)

  • Provide information for a specific client

If many demand-driven queries are issued, points-to information may be computed repeatedly, so demand-driven analysis is not automatically cheaper than whole-program analysis.

In this lecture, we conduct pointer analysis based on:

  • allocation-site heap abstraction

  • context-sensitive/context-insensitive analysis (both will be discussed)

  • Flow-insensitive analysis

  • whole-program analysis-scope

Concerned statements

We only focus on pointer-affecting statements.

Pointers in Java:

  • Local variable: x

  • Static field: C.f

  • Instance field: x.f

  • Array element: array[i]

In this lecture, we focus on local variables and instance fields. A static field C.f can be handled like a global variable (a single pointer), and an array is modelled as an object with a single field that stands for every element, since the index i is ignored.

Pointer-Affecting Statements:

  • New

    • x = new T()

  • Assign

    • x = y

  • Store

    • x.f = y

  • Load

    • y = x.f

  • Call

    • r = x.k(a, …)
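As an added worked example (not code from the page or from the Tai-e course), the following Python puts the choices made above into one runnable analyzer: allocation-site heap abstraction, context-insensitive, flow-insensitive, whole-program, over exactly the five statement kinds just listed. It also serves the Intro and the alias discussion: the call target is chosen from the receiver's points-to set, so r = n.get() resolves to One.get alone where CHA would also add Two.get, and may_alias derives aliasing from the points-to sets. The flow-insensitive choice shows up in s, which is assigned twice, so t receives the return objects of both One.get and Two.get. The tuple IR, the class table and the program are constructed assumptions of this example.

```python
from collections import defaultdict, deque
# Constructed toy IR (assumed for this example, not Tai-e's): one tuple per statement,
#   ("new", x, T, site)  ("assign", x, y)  ("store", x, f, y)  ("load", y, x, f)
#   ("call", r, x, k, args)  for r = x.k(args); r may be None.
# Variables are qualified as "Method.var"; a field pointer is the pair (object, f).
var = lambda m, v: f"{m}.{v}"

class PointerAnalysis:
    """Flow-insensitive, context-insensitive, allocation-site pointer analysis
    (Andersen-style worklist algorithm; the call graph is built on the fly)."""
    def __init__(self, methods, classes):
        self.methods = methods        # "One.get" -> {"params", "body", "ret"}
        self.classes = classes        # "One" -> {"super": parent, "methods": {k: impl}}
        self.pts = defaultdict(set)   # pointer -> set of abstract objects (site, T)
        self.pfg = defaultdict(set)   # pointer flow graph: source -> targets
        self.reachable, self.call_graph, self.wl = set(), set(), deque()
        self.stores, self.loads, self.calls = (defaultdict(list) for _ in range(3))

    def dispatch(self, cls, k):      # Java virtual dispatch: nearest definition of k
        while cls is not None and k not in self.classes[cls]["methods"]:
            cls = self.classes[cls]["super"]
        return self.classes[cls]["methods"][k]   # KeyError if k is unresolvable

    def add_edge(self, s, t):
        if t not in self.pfg[s]:
            self.pfg[s].add(t)
            if self.pts[s]:
                self.wl.append((t, set(self.pts[s])))

    def add_reachable(self, m):
        if m in self.reachable:
            return
        self.reachable.add(m)
        for i, st in enumerate(self.methods[m]["body"]):
            if st[0] == "new":        # one abstract object per allocation site
                self.wl.append((var(m, st[1]), {(st[3], st[2])}))
            elif st[0] == "assign":   # x = y: PFG edge y -> x
                self.add_edge(var(m, st[2]), var(m, st[1]))
            elif st[0] == "store":    # x.f = y, y = x.f and calls wait for pt(x)
                self.stores[var(m, st[1])].append((st[2], var(m, st[3])))
            elif st[0] == "load":
                self.loads[var(m, st[2])].append((st[3], var(m, st[1])))
            elif st[0] == "call":
                self.calls[var(m, st[2])].append((f"{m}:{i}", m, st))

    def process_call(self, x, obj):
        for label, caller, (_, r, _, k, args) in self.calls[x]:
            callee = self.dispatch(obj[1], k)   # the receiver's class picks the target
            self.wl.append((var(callee, "this"), {obj}))
            if (label, callee) not in self.call_graph:
                self.call_graph.add((label, callee))
                self.add_reachable(callee)
                for a, p in zip(args, self.methods[callee]["params"]):
                    self.add_edge(var(caller, a), var(callee, p))
                ret = self.methods[callee]["ret"]
                if r is not None and ret is not None:
                    self.add_edge(var(callee, ret), var(caller, r))

    def solve(self, entry):
        self.add_reachable(entry)
        while self.wl:
            n, pts = self.wl.popleft()
            delta = pts - self.pts[n]
            if not delta:
                continue
            self.pts[n] |= delta
            for t in self.pfg[n]:            # propagate along PFG edges
                self.wl.append((t, set(delta)))
            if isinstance(n, str):           # a variable (field pointers are tuples)
                for obj in delta:
                    for f, y in self.stores[n]:
                        self.add_edge(y, (obj, f))
                    for f, y in self.loads[n]:
                        self.add_edge((obj, f), y)
                    self.process_call(n, obj)
        return self

    def may_alias(self, p, q):   # alias information derived from points-to sets
        return bool(self.pts[p] & self.pts[q])

# Constructed program (assumed, not from the page), in Java-like syntax:
#   main:    Number n = new One(); Box b = new Box(); b.val = n; Number c = b.val;
#            Tag r = n.get(); Number s = new One(); s = new Two(); Tag t = s.get();
#   One.get and Two.get:  Tag v = new Tag(); return v;
CLASSES = {c: {"super": None, "methods": {}} for c in ("Number", "Box", "Tag")}
CLASSES["One"] = {"super": "Number", "methods": {"get": "One.get"}}
CLASSES["Two"] = {"super": "Number", "methods": {"get": "Two.get"}}
METHODS = {"main": {"params": [], "ret": None, "body": [
               ("new", "n", "One", "o1"), ("new", "b", "Box", "o2"),
               ("store", "b", "val", "n"), ("load", "c", "b", "val"), ("call", "r", "n", "get", []),
               ("new", "s", "One", "o3"), ("new", "s", "Two", "o4"), ("call", "t", "s", "get", [])]},
           "One.get": {"params": [], "ret": "v", "body": [("new", "v", "Tag", "o5")]},
           "Two.get": {"params": [], "ret": "v", "body": [("new", "v", "Tag", "o6")]}}

def analyze_example():
    return PointerAnalysis(METHODS, CLASSES).solve("main")

if __name__ == "__main__":
    pa = analyze_example()
    print({v: sorted(pa.pts[v]) for v in ("main.n", "main.c", "main.r", "main.t")}, sorted(pa.call_graph))
```

Running it gives pt(main.n) = pt(main.c) = {o1}, so n and c may alias through the store/load on Box.val; pt(main.r) = {o5} only, because the call site main:4 is resolved to One.get from the receiver's points-to set, whereas CHA would also pull in Two.get; and pt(main.t) = {o5, o6}, the flow-insensitive merge of both assignments to s. The call graph contains main:4 -> One.get, main:7 -> One.get and main:7 -> Two.get, and only those three methods are marked reachable.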
