Understanding and defending against use-after-free vulnerabilities
Date
2025
Publisher
University of Delaware
Abstract
Over the past decades, use-after-free (UaF) vulnerabilities have become a critical and widely exploited security concern. To address such increasing threats, this dissertation advances defense in multiple aspects, including UaF vulnerability detection, UaF exploit defense, and UaF bug fixes.

The first research direction delves into a comprehensive empirical study of UaF vulnerabilities. Utilizing a dataset of 150 real-world UaF cases randomly sampled from representative software suites such as the Linux kernel, Python, and Mozilla Firefox, this study seeks to unravel the commonalities, root causes, and recurring patterns in real-world UaF bugs. The findings highlight the diversity and non-uniform distribution of root causes among different software, emphasizing that a generic UaF detector or fuzzer might not be an optimal solution. By categorizing the root causes into 11 patterns, several of which can be translated into simple static detection rules, this work further introduces a static bug detector named Palfrey. Palfrey exhibits superior coverage and accuracy in UaF detection, while minimizing time and memory overhead, making it a promising tool to address UaF vulnerabilities.

The second research direction investigates the relationship between fuzzing techniques and UaF vulnerabilities. Fuzzing has proven effective in rapidly generating faulty inputs to discover software bugs, but its efficiency in identifying UaF instances with specific patterns and characteristics remains uncertain. The study explores whether the efficiency of fuzzing is dependent on the code scope of UaF, particularly for bugs with larger code scopes. Additionally, the research addresses the challenge of detecting non-deterministic UaF bugs and explores the necessity of auxiliary tools like address sanitizers (ASan) to assist fuzzers in identifying UaF vulnerabilities. The study provides practical guidelines to enhance UaF detection using fuzzers, aiming to improve the effectiveness of dynamic testing techniques in identifying UaF vulnerabilities.

The third research direction explores how Large Language Models (LLMs) perceive and detect UaF vulnerabilities compared to traditional static analysis tools. Unlike deterministic analyzers, LLMs rely on probabilistic language reasoning and are influenced by prompt phrasing, input granularity, and abstraction level. To enable systematic evaluation, this work constructs a benchmark of 50 curated UaF cases specifically adapted for LLM-based analysis. These samples are distilled from the broader set of 150 real-world UaF cases and carefully reduced to single-file, self-contained programs that preserve critical semantic features while remaining within LLM token limits. The benchmark is used to evaluate LLM performance across prompt styles and input formats, including source code and LLVM IR. Novel evaluation metrics (Scalability Index, Context-Aware Precision, and Prompt Sensitivity Score) are proposed to capture the unique behaviors of LLMs in code analysis. The study reveals a semantic gap between LLM and static tool reasoning and highlights opportunities for hybrid approaches.

In conclusion, this dissertation seeks to advance the state of the art in UaF vulnerability mitigation by comprehensively understanding real-world UaF characteristics, introducing innovative static analysis techniques, and enhancing the efficiency of fuzzing for UaF detection. These research directions collectively contribute to the goal of addressing the critical issue of UaF vulnerabilities and enhancing the security and reliability of software systems.
Keywords
Python, Large Language Models, Bug fixes, Software systems