Published Research

PointsTo (CFT)

Large programs with manual memory management (e.g. web browsers and network servers) frequently have object lifetime bugs that hide behind rarely executed code paths. Left undetected, they lead to data corruption, unintended control-flow, and crashes.

Uncovering these vulnerabilities manually is challenging, even for expert security analysts. Dynamic analysis won’t always succeed because it can’t check every possible program path.

The solution: PointsTo, a static analysis system that takes source code as input and automatically produces vulnerability reports for dangling pointer-like flaws. With minimal human intervention PointsTo delivers maximum code coverage.

At any program point, an object is in one of three states: allocated, freed, or possibly-freed. An object’s state summarizes whether it has been freed on any path leading to the current program point. Program paths that use freed objects are definitely vulnerable. Program paths that use possibly-freed objects are worth further investigation.

PointsTo analyzes how data flows through all program executions to reason about the state of all objects at each program point, even in very large codebases.
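The three-state abstraction and the path-merging behaviour described above can be shown as a small forward dataflow analysis. The following is an added illustration, not PointsTo’s own code or its intermediate representation: it assumes a toy three-operation IR (`alloc`, `free`, `use`) over a hand-built control-flow graph, runs a worklist iteration to a fixpoint, and classifies each `use` as a definite or possible use-after-free. Everything is intraprocedural and ignores aliasing, which is where a real points-to analysis does the heavy lifting; the CFG and object names are constructed for the example.

```python
"""Toy may/must-free dataflow analysis over a tiny CFG (added example)."""
from collections import deque

# Per-object lattice: allocated / freed agree on all incoming paths,
# possibly-freed means the paths disagree. None = no information yet.
ALLOCATED, FREED, MAYBE_FREED = "allocated", "freed", "possibly-freed"


def join(a, b):
    """Lattice join for one object: agreement is kept, disagreement goes to top."""
    if a is None:
        return b
    if b is None:
        return a
    return a if a == b else MAYBE_FREED


def merge(old, new):
    """Join two whole state maps (old may be None for a not-yet-reached block).
    Simplification: an object tracked on only one side keeps that side's state."""
    if old is None:
        return dict(new)
    return {k: join(old.get(k), new.get(k)) for k in set(old) | set(new)}


def transfer(state, stmt):
    """Effect of one statement on the state map; 'use' leaves state unchanged."""
    op, obj = stmt
    out = dict(state)
    if op == "alloc":
        out[obj] = ALLOCATED
    elif op == "free":
        out[obj] = FREED
    return out


def analyze(cfg, entry):
    """cfg: {block: (statements, successors)} -> {block: state at block entry}.
    Worklist iteration; terminates because join only moves up a finite lattice."""
    state_in = {b: None for b in cfg}
    state_in[entry] = {}
    worklist = deque([entry])
    while worklist:
        b = worklist.popleft()
        stmts, succs = cfg[b]
        s = state_in[b]
        for stmt in stmts:
            s = transfer(s, stmt)
        for nxt in succs:
            merged = merge(state_in[nxt], s)
            if merged != state_in[nxt]:   # state grew: re-examine successor
                state_in[nxt] = merged
                worklist.append(nxt)
    return state_in


def find_use_after_free(cfg, entry="entry"):
    """Return (block, object, state) for every use of a freed/possibly-freed object."""
    state_in = analyze(cfg, entry)
    findings = []
    for b, (stmts, _) in cfg.items():
        s = state_in[b]
        if s is None:          # block never reached from entry
            continue
        for stmt in stmts:
            op, obj = stmt
            if op == "use" and s.get(obj) in (FREED, MAYBE_FREED):
                findings.append((b, obj, s[obj]))
            s = transfer(s, stmt)
    return findings


# Constructed sample program: p is freed on only one branch (possibly-freed
# at the merge), q is freed unconditionally before a loop that uses it (freed).
SAMPLE_CFG = {
    "entry": ([("alloc", "p"), ("alloc", "q")], ["cond"]),
    "cond":  ([], ["then", "merge"]),              # some branch condition
    "then":  ([("free", "p")], ["merge"]),
    "merge": ([("use", "p"), ("free", "q")], ["loop"]),
    "loop":  ([("use", "q")], ["loop", "exit"]),   # back edge exercises the fixpoint
    "exit":  ([], []),
}

if __name__ == "__main__":
    for block, obj, state in find_use_after_free(SAMPLE_CFG):
        kind = "definite" if state == FREED else "possible"
        print(f"{kind} use-after-free of {obj} in block {block} ({state})")
```

The report distinguishes the two severities the text describes: a `use` reached only through a `free` is definite and goes straight to a fix, while a `use` whose incoming paths disagree is flagged for a closer look rather than dismissed. The back edge on `loop` is why a worklist to fixpoint is needed rather than a single pass.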

At the end of an analysis run, PointsTo provides an easy-to-understand ‘map’ of vulnerabilities, their locations, and their root causes, which significantly reduces the effort needed to patch them.

PointsTo was designed for easy deployment and use. Analysts can integrate their own knowledge of the target software into PointsTo with a user-friendly interface.