VANDALIR: Vulnerability Analyses Based on Datalog and LLVM-IR

While modern-day static analysis tools are capable of finding standard vulnerabilities as well as complex patterns, implementing those tools is expensive regarding both development time and runtime performance. During the last years, domain specific languages like Datalog have gained popularity as they simplify the development process of analyses and rule sets dramatically. Similarly, intermediate representations like LLVM-IR are used to facilitate static source code analysis. In this paper, we present VANDALIR, a vulnerability analyzer and detector based on Datalog and LLVM-IR. VANDALIR is a static source code analyzer that allows to define and customize detection rules in a high-level, declarative way. We implement VANDALIR as a comprehensive static analysis tool, aiming to simplify vulnerability detection by a new combination of modern technologies. Besides the novel design of VANDALIR, we present a predefined detection rule set covering stack-based memory corruption, double free and format string vulnerabilities. As we show, our rule set achieves a detection rate of over 90% on test cases from the Juliet Test Suite, outperforming well-established vulnerability scanners such as the Clang Static Analyzer. Furthermore, we evaluated VANDALIR on open source projects and could reproduce existing vulnerabilities as well as identify previously unknown vulnerabilities.