
NLP-EYE: Detecting Memory Corruptions via Semantic-Aware Memory Operation Function Identification

Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (2019)

Abstract
Memory corruption vulnerabilities are serious threats to software security and are often triggered by improper use of memory operation functions. Detecting memory corruptions relies on identifying memory operation functions and examining how they manipulate memory. Distinguishing memory operation functions is challenging because they usually come in various forms in real-world software. In this paper, we propose NLP-EYE, an NLP-based memory corruption detection system. NLP-EYE automatically identifies memory operation functions through a semantic-aware source code analysis. It first creates a programming-language-friendly corpus in order to parse function prototypes. Based on a similarity comparison that uses both semantic and syntax information, NLP-EYE identifies and labels both standard and customized memory operation functions. Finally, it uses symbolic execution to check whether a memory operation causes incorrect memory usage. Instead of analyzing data dependencies of the entire source code, NLP-EYE focuses only on the memory operation parts. We evaluated the performance of NLP-EYE using seven real-world libraries and programs, including Vim, Git, CPython, etc. NLP-EYE successfully identifies 27 null pointer dereferences, two double-frees and three use-after-frees that had not been discovered before in the latest versions of the analysis targets.
Key words
memory corruptions, NLP-EYE, semantic-aware
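
A toy illustration of the identification step the abstract describes, added here and not taken from the paper or from NLP-EYE's code: it stands in a hand-picked word list (an assumption) for the paper's corpus-based similarity, and combines that name signal with a check on the prototype's shape. The sample prototypes and every function name in the script are constructed for this example.

```python
import re

# Assumed seed vocabulary, hand-picked for this sketch; NLP-EYE instead scores
# similarity against a corpus, which this list only stands in for.
ALLOC_WORDS = ("alloc", "new", "create", "dup")
FREE_WORDS = ("free", "release", "destroy", "delete")

# Captures return type, function name and argument list of a one-line C prototype.
PROTO = re.compile(
    r"^\s*(?P<ret>.+?)\s*\b(?P<name>[A-Za-z_]\w*)\s*\((?P<args>.*)\)\s*;?\s*$")

def words(name):
    """Split a snake_case or camelCase identifier into lowercase words."""
    parts = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name).split("_")
    return [p.lower() for p in parts if p]

def classify(prototype):
    """Label a prototype 'alloc', 'free' or None from name words plus shape."""
    m = PROTO.match(prototype)
    if not m:
        return None
    toks = words(m["name"])
    returns_ptr = "*" in m["ret"]   # shape signal: allocators hand back a pointer
    takes_ptr = "*" in m["args"]    # shape signal: deallocators consume a pointer
    # Suffix matching tolerates project prefixes such as the x in xmalloc.
    if returns_ptr and any(t.endswith(ALLOC_WORDS) for t in toks):
        return "alloc"
    if takes_ptr and not returns_ptr and any(t.endswith(FREE_WORDS) for t in toks):
        return "free"
    return None

# Constructed sample prototypes in the style of project-specific wrappers.
SAMPLES = [
    "void *xmalloc(size_t size);",
    "char *xstrdup(const char *s);",
    "void *PyMem_Malloc(size_t n);",
    "void vim_free(void *p);",
    "void buf_release(struct buf *b);",
    "size_t alloc_count(void);",       # alloc-like name, but no pointer returned
    "int str_len(const char *s);",     # pointer argument, but no memory word
]

def label_all(prototypes=SAMPLES):
    return {p: classify(p) for p in prototypes}

if __name__ == "__main__":
    for proto, label in label_all().items():
        print(f"{label or '-':6} {proto}")
```

The functions labelled here are only candidates; per the abstract, deciding whether a call actually misuses memory is left to the symbolic execution stage.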