NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary (open access)

Authors
Jin, Wenhui; Ullah, Sami; Yoo, Dongmin; Oh, Heekuck
Issue Date
Jul-2021
Publisher
Institute of Electrical and Electronics Engineers Inc.
Keywords
Registers; Libraries; Tools; Runtime; Prototypes; Licenses; Kernel; Null pointer dereference; binary analysis; vulnerability detection; static analysis; data dependency
Citation
IEEE Access, v.9, pp 90153 - 90169
Pages
17
Indexed
SCIE
SCOPUS
Journal Title
IEEE Access
Volume
9
Start Page
90153
End Page
90169
URI
https://scholarworks.bwise.kr/erica/handle/2021.sw.erica/116283
DOI
10.1109/ACCESS.2021.3091209
ISSN
2169-3536
Abstract
Null pointer dereference (NPD) is a widespread vulnerability that occurs whenever an executing program attempts to dereference a null pointer. An NPD vulnerability can be exploited by hackers to maliciously crash a process, causing a denial of service, or to execute arbitrary code under specific conditions. This typical taint-style vulnerability requires an accurate data dependency analysis to trace whether a source is propagated to a sensitive sink without proper sanitization. The primary challenge in data dependency analysis is pointer aliasing, which may significantly affect the vulnerability detection accuracy. Although there have been many studies and open-source tools, they still have limitations when applied to a real-world binary. In this paper, we propose a static binary analysis approach to detect NPD vulnerabilities. To improve detection accuracy and practicality, we first identify two challenges that affect the accuracy of binary NPD detection: (i) pointer aliasing, and (ii) untrusted source identification. Then we implement a prototype of the proposed approach, NPDHunter, and evaluate it against 318 test cases provided by Juliet Test Suite v1.3. For the Juliet dataset, NPDHunter is accurate in detecting NPDs and generates 0% false negatives, compared to bap-toolkit and cwe_checker, which have false-negative rates of 70.89% and 89.81%, respectively. We also evaluate NPDHunter on real-world binaries for which NPD vulnerabilities were recently reported. We analyzed the XNU kernel (large-scale), Redis, Bitlbee, libredwg, and libvncserver binaries, compiled for the x86_64 architecture, and NPDHunter detects all NPD cases, which justifies its usefulness for real-world binaries.
Files in This Item
There are no files associated with this item.
Appears in Collections
COLLEGE OF COMPUTING > ERICA Division of Computer Science > 1. Journal Articles


Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.
