Verification of String Manipulating Programs Using Multi-Track Automata

Authors

  • Fang Yu
  • Tevfik Bultan
  • Oscar H. Ibarra
Abstract

Verification of string manipulation operations is a crucial problem in computer security. We present a new symbolic string verification technique that can be used to prove that vulnerabilities that result from improper string manipulation do not exist in a given program. We formally characterize the string verification problem as the reachability analysis of string systems, programs that contain only string variables and allow a limited set of operations on them. We show that the string analysis problem is undecidable with even three variables if branch conditions that compare different variables are allowed. We develop a sound symbolic analysis technique for string verification that over-approximates the reachable states of the string system. We represent the set of string values that string variables can take using multi-track deterministic finite automata and implement a forward fixpoint computation using an automata-based widening operation. In order to handle branch conditions in string systems, we describe the precise construction of multi-track DFAs for linear word equations, such as c1X1c2 = c1'X2c2', as well as Boolean combinations of these equations. We show that non-linear word equations (even the simple one X1 = X2X3) cannot be characterized precisely as a multi-track DFA. We propose a regular approximation for non-linear equations, such as X1...Xi = X1'...Xi', as well as Boolean combinations of these equations. We present a summarization technique for inter-procedural analysis that generates a transducer characterizing the relationship between the input parameters and the return values of each procedure. We implemented these algorithms using the MONA automata package and analyzed several PHP programs.
Unlike prior string analysis techniques, our approach is able to keep track of the relationships among the string variables, improving the precision of the string analysis and enabling verification of assertions such as X1 = X2 where X1 and X2 are string variables.
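The following is an added worked example by the editor, not code from the paper or from its MONA-based implementation. It shows the core idea of the abstract in miniature: string variables are kept in the tracks of one aligned DFA (shorter strings padded at the end with a symbol λ), the linear word equation X1 = c·X2 (the prefix case of c1X1c2 = c1'X2c2'; the general construction and the widening operator are not reproduced) is built as a 2-track DFA, Boolean combinations are obtained by product and complement, and an assertion such as X1 = X2 is verified by checking that the reachable relation intersected with the negated property is empty. The alphabet {a, b}, the padding symbol, and all function names (`prefix_equation`, `product_dfa`, `complement`, `assertion_holds`) are assumptions of this example.

```python
"""Aligned 2-track DFAs relating two string variables (added example; the
paper's own construction is general and implemented on top of MONA)."""
import operator
from itertools import product

LAMBDA = "λ"                      # padding symbol, assumed absent from all strings
SIGMA = ("a", "b")                # working alphabet, constructed for this example
# tuple alphabet of the 2-track automata; (λ, λ) never occurs in an aligned input
SYMBOLS = [s for s in product(SIGMA + (LAMBDA,), repeat=2) if s != (LAMBDA, LAMBDA)]


def align(*strings):
    """Encode a tuple of strings as the aligned, LAMBDA-padded tuple sequence."""
    n = max(map(len, strings), default=0)
    return [tuple(s[i] if i < len(s) else LAMBDA for s in strings) for i in range(n)]


class MultiTrackDFA:
    """Partial DFA over SYMBOLS: a missing transition means rejection."""

    def __init__(self, start, accepting, delta):
        self.start, self.accepting, self.delta = start, frozenset(accepting), delta

    def states(self):
        found = {self.start}
        for (q, _), r in self.delta.items():
            found.update((q, r))
        return found

    def accepts(self, *strings):
        q = self.start
        for sym in align(*strings):
            q = self.delta.get((q, sym))
            if q is None:
                return False
        return q in self.accepting

    def is_empty(self):
        """True iff no accepting state is reachable from the start state."""
        todo, seen = [self.start], {self.start}
        while todo:
            q = todo.pop()
            if q in self.accepting:
                return False
            for (p, _), r in self.delta.items():
                if p == q and r not in seen:
                    seen.add(r)
                    todo.append(r)
        return True


def prefix_equation(c, sigma=SIGMA):
    """2-track DFA for the linear word equation X1 = c . X2 (c = "" gives X1 = X2).
    State = (pending, padded): `pending` is the queue of symbols (rest of c, then
    symbols already read on track 2) that track 1 still has to reproduce; it never
    exceeds |c| symbols, so the state space is finite. `padded` records that track 2
    has begun its LAMBDA padding, after which it may not emit real symbols again."""
    start = (tuple(c), False)
    delta, accepting, todo, seen = {}, set(), [start], {start}
    while todo:
        state = todo.pop()
        pending, padded = state
        if not pending:
            accepting.add(state)         # nothing owed: X1 read so far equals c . X2
        for a, b in product(sigma + (LAMBDA,), repeat=2):
            if a == LAMBDA or (padded and b != LAMBDA):
                continue                 # X1 cannot end early; padding is final
            owed = pending + ((b,) if b != LAMBDA else ())
            if not owed or owed[0] != a:
                continue                 # track 1 must reproduce the next owed symbol
            nxt = (owed[1:], padded or b == LAMBDA)
            delta[(state, (a, b))] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return MultiTrackDFA(start, accepting, delta)


def complement(A):
    """Complete A with a sink state and flip acceptance. Non-aligned garbage
    sequences become accepted too, which is harmless once intersected with an
    automaton that only accepts aligned inputs."""
    sink = "sink"
    states = A.states() | {sink}
    delta = {(q, s): A.delta.get((q, s), sink) for q in states for s in SYMBOLS}
    return MultiTrackDFA(A.start, states - A.accepting, delta)


def product_dfa(A, B, op):
    """Synchronous product; `op` (operator.and_ / operator.or_) combines acceptance,
    giving the intersection or union of the two relations. A side that has no
    transition is carried along as the dead state None."""
    start = (A.start, B.start)
    delta, todo, seen = {}, [start], {start}
    while todo:
        p, q = todo.pop()
        for sym in SYMBOLS:
            nxt = (A.delta.get((p, sym)), B.delta.get((q, sym)))
            if nxt == (None, None):
                continue                 # dead on both sides: no edge needed
            delta[((p, q), sym)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    accepting = {(p, q) for (p, q) in seen if op(p in A.accepting, q in B.accepting)}
    return MultiTrackDFA(start, accepting, delta)


def assertion_holds(reachable, prop):
    """Every (X1, X2) pair in `reachable` satisfies `prop` iff reachable ∩ ¬prop = ∅."""
    return product_dfa(reachable, complement(prop), operator.and_).is_empty()
```

Because both variables live in one automaton, the relation between them survives the analysis: from the reachable relation X1 = a·X2 the query `assertion_holds(prefix_equation("a"), prefix_equation(""))` correctly reports that X1 = X2 does not hold, while a single-track analysis that only knows X1 ∈ a·Σ* and X2 ∈ Σ* could neither prove nor refute it.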


Related papers

String Abstractions for String Verification

Verifying string manipulating programs is a crucial problem in computer security. String operations are used extensively within web applications to manipulate user input, and their erroneous use is the most common cause of security vulnerabilities in web applications. Unfortunately, verifying string manipulating programs is an undecidable problem in general and any approximate string analysis t...


Relational String Verification Using Multi-track Automata

Verification of string manipulation operations is a crucial problem in computer security. In this paper, we present a new relational string verification technique based on multi-track automata. Our approach is capable of verifying properties that depend on relations among string variables. This enables us to prove that vulnerabilities that result from improper string manipulation do not exist i...


Automata-based symbolic string analysis for vulnerability detection

Verifying string manipulating programs is a crucial problem in computer security. String operations are used extensively within web applications to manipulate user input, and their erroneous use is the most common cause of security vulnerabilities in web applications. We present an automata-based approach for symbolic analysis of string manipulating programs. We use deterministic finite automat...


Programs with Lists Are Counter Automata

We address the verification problem of programs manipulating one-selector linked data structures. We propose a new automated approach for checking safety and termination for these programs. Our approach is based on using counter automata as accurate abstract models: control states correspond to abstract heap graphs where list segments without sharing are collapsed, and counters are used to keep ...


Cut-offs and Automata in Formal Verification of Infinite-State Systems (Habilitation)

In this habilitation thesis, we discuss two complementary approaches to formal verification of infinite-state systems, namely the use of cut-offs and automata-based symbolic model checking (especially the so-called regular model checking). The thesis is based on extended versions of multiple conference and journal papers joined into a unified framework and accompanied with a significantly extended ...


Publication date: 2009