A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Value set analysis is a common static binary program analysis approach. Value set analysis attempts to identify a tight over-approximation of the program state at any given point in the program and can be used to detect vulnerability. Existing memory corruption detection analysis technologies based on value set analysis have a high false positive rate, because value set analysis suffers from a lack of accuracy. We observed that two main sources of imprecision in value set analysis are merge operation and failed branch conditions tracking. In order to address above problems, in this paper, we propose a value set analysis refinement approach based on conditional merging and lazy constraint solving. We propose a variable dependence analysis algorithm to divide program paths into subsets and only merge the states which satisfy the condition that the states are from the same subset, which reduces the imprecision from the merging operation. We collect path predicates as path constraint and solve the path constraint using Satisfiability Modulo Theories (SMT) solver lazily to get a tighter number range of the variable when a variable need be refined, which reduces the imprecision from the failed branch conditions tracking. We implement a prototype system RVSA based on the proposed approach and verify its effectiveness according to experimentation. Compared with state-of-the-art approach, the experimental results demonstrate that the false positive rate is reduced by 12.9%. Furthermore, using our proposed approach, 25 zero-day vulnerabilities are found in the Netgear httpd binary.