In October 2025, CyberPress reported a essential safety vulnerability within the Redis Server, an open-source in-memory database: CVE-2025-49844 allowed authenticated attackers to attain distant code execution via a use-after-free (CWE-416) flaw within the Lua scripting engine.
In 2024, one other outstanding temporal reminiscence security flaw was discovered within the Netfilter subsystem within the Linux kernel: CVE-2024-1086. This problem triggered the nf_hook_slow() perform to free reminiscence twice (CWE-415: Double Free), permitting an attacker to use this double-free vulnerability to execute arbitrary code of their very own selecting.
Because the above examples illustrate, bugs associated to temporal reminiscence security, comparable to use-after-free and double-free vulnerabilities, are difficult points in C and C++ code. These bugs are troublesome to detect and repair, usually leading to important safety vulnerabilities and system instability. Every year from 2006-2018, roughly 70 p.c of vulnerabilities to which Microsoft assigned a CVE have been reminiscence questions of safety (temporal or spatial reminiscence questions of safety, comparable to buffer overflows), dropping solely to round 50 p.c in 2023. In its listing of most harmful software program weaknesses, MITRE ranked CWE-416 seventh in 2022 and fourth in 2023. CWE-416 can also be the supply of greater than a 3rd of the high-severity safety bugs within the Chromium codebase. (CVE is the MITRE-maintained stock of recognized vulnerabilities in programs; CWE is the MITRE-maintained stock of patterns of widespread weak spot in programs, comparable to use-after-free.)
This submit, primarily tailored from the not too long ago revealed technical report Design of Enhanced Pointer Possession Mannequin for C, highlights current updates to the Pointer Possession Mannequin (POM). POM is a modeling framework designed to enhance the flexibility of builders to statically analyze C applications for errors involving dynamic reminiscence. To make a program adjust to POM, a developer wanted to establish this system’s “accountable” pointers, that’s, pointers whose objects should be explicitly freed earlier than the pointers themselves could also be destroyed. Any program that complies with POM will be statically analyzed to make sure that the design is constant and safe and that the code appropriately respects the ideas of pointer possession.
POM can be used to diagnose and remove many dynamic reminiscence errors from C applications. The primary downside of the unique POM (mannequin and tooling) was the intensive handbook effort required for builders to extract POM-relevant data from a selected codebase and formalize it right into a corresponding pointer mannequin (often called a p-model).
There have been two important developments since that preliminary 2013 POM was launched: First, Rust has grown considerably in reputation and adoption, providing the flexibleness and security offered by C and C++ however with ensures of reminiscence security. Therefore, there may be extra sensitivity to reminiscence security usually. Second, LLMs present novel capabilities in varied areas of software program engineering, bringing with them important potential but in addition important dangers to safety and performance. Therefore, LLMs supply the potential to scale back the handbook burden of constructing a p-model, making adoption and utility simpler. Each developments inspire our work to boost the unique POM, for improved capabilities and for absolutely automated p-model creation.
Our current updates to POM embody:
- using giant language fashions (LLMs) to finish a p-model,
- an improved mechanism to forestall use-after-free errors, impressed by Rust’s borrow checker and object lifetimes,
- improved perform argument dealing with with a brand new abstraction of diligent or producer arguments, and
- dealing with structs, unions, or arrays that include pointers; and proper dealing with of ambiguity in project operations.
This submit additionally particulars an method to mechanically test whether or not a program satisfies an related p-model, as outlined within the technical report. Past the report, this submit supplies highlights of our staff’s newest POM work that includes SAT solvers for automated p-model creation and/or validation.
A Two-Stage Method to Securing Temporal Reminiscence Security
POM is designed to assist builders keep away from, establish, and repair temporal memory-safety points in two levels:
- The POM builder automates era of the p-model.
- The POM verifier identifies all remaining POM compliance errors.
The POM builder and verifier are designed to imagine that each pointer is in precisely one of many following 5 classes:
- Accountable: Accountable pointers are the subset of pointers that shepherd heap reminiscence and make sure that the reminiscence ultimately will get freed. Addresses referenced by accountable pointers will be within the following states: GOOD, NULL, or ZOMBIE. A ZOMBIE accountable pointer deal with is one which factors to freed reminiscence, a GOOD pointer deal with factors to legitimate reminiscence, and a NULL pointer deal with comprises the worth NULL (or 0). Every chunk of heap reminiscence (i.e., a heap object) could also be accessed instantly at most by one GOOD accountable pointer. Accountable pointers by no means level into the stack, into the info phase of reminiscence, or inside a heap object besides its starting.
- Irresponsible: Irresponsible pointers will not be accountable for allocation or deallocation of the reminiscence they level to. Addresses referenced by irresponsible pointers will be VALID, NULL, or INVALID. The primary concern with irresponsible pointers is that they have to respect temporal reminiscence security. The unique POM modeled irresponsible pointers however used no monitoring mechanism akin to lifetimes, so it didn’t forestall use-after-free errors. The present POM (mannequin and verifier) does. An irresponsible pointer can’t be assigned the return worth of a perform that returns a accountable pointer (comparable to
malloc()). In contrast to a accountable pointer, an irresponsible pointer will be assigned a worth ensuing from pointer arithmetic or a worth created by C’s address-of operator&. - Producer: The deal with will not be mutable. It’s utilized by C to mutate the pointed-to argument (maybe allocating, releasing, or altering it).
- Diligent: The deal with will not be mutable. It doesn’t escape its scope, and it’s used to learn or write the deal with’s reminiscence with out allocating or releasing it.
- Out of Scope: The POM builder and verifier ignore pointers labeled as out of scope.
If the p-model’s identification of the pointer’s duty doesn’t agree with how the pointer is utilized in code, that constitutes a POM violation, and the verifier ought to detect it. The person ought to examine every violation. If the person decides that the pointer is out of scope (i.e., it’s managed by another mechanism), then the person ought to add this data to the p-model.
We use the time period heap object to indicate any single knowledge construction whose reminiscence is allotted with malloc(), calloc(), aligned alloc(), or realloc(). Objects not allotted utilizing one among these capabilities will not be heap objects. The phrases accountable, irresponsible, producer, diligent, and out of scope will be handled like kind qualifiers in C (e.g., const or prohibit). They subtype the pointer variables, regardless of the variables’ values. As with sorts, these qualifiers apply to a variable all through its lifetime. For instance, if p is taken into account to be a accountable pointer, it stays accountable all through the scope of the variable and can’t stop to be accountable. These phrases can apply to native pointers, pointers outlined in structs or unions, pointers outlined as perform arguments, and the return worth of a perform if it’s a pointer kind. They’ll additionally apply to static pointers, however POM doesn’t assist static pointers but.
Extra POM Updates
Our technical report goes into higher element, however it’s value noting right here that POM additionally improves on its dealing with of perform arguments which are pointers. A pointer that’s handed right into a perform could possibly be accountable, irresponsible, diligent, producer, or out-of-scope. Whereas the pointer’s duty kind stays the identical through the perform’s execution, the pointer’s state could change. Thus, each pointer argument has an preliminary set of states and a closing set of states. These could also be an identical however needn’t be.
The brand new POM additionally has a design for sorts that include pointers, which the outdated POM didn’t deal with. We outline a composite kind as any C knowledge kind that may include a pointer. Composite sorts include pointer sorts and structs, unions, arrays, and pointers that include a composite kind. We distinguish these from non-composite sorts, which embody structs, unions, and arrays that don’t include any pointers. A composite object is an object of a composite kind. A accountable composite object is a composite object with a minimum of one accountable pointer, and an irresponsible composite object is a composite object with a minimum of one irresponsible pointer. Notice {that a} composite object will be each accountable and irresponsible, primarily based on the pointers it comprises.
A accountable composite object with precisely one accountable pointer has the identical accountable states because the pointer. That’s, if the accountable pointer is GOOD, the composite object’s accountable state will be inferred as GOOD. A composite object with a couple of accountable pointer may also have a accountable state derived from the accountable pointers’ states. Likewise, a composite object with precisely one irresponsible pointer itself can have the identical states because the pointer. That’s, if the irresponsible pointer is VALID, the composite object’s irresponsible state will be inferred as VALID. A composite object with a couple of irresponsible pointer may also have an irresponsible state derived from the accountable pointers’ states.
In C, many heap objects will not be accessible instantly by way of a pointer outlined on the stack however will be accessed not directly via two or extra pointers. An instance is the third component in a linked listing. We outline a C-path as a option to entry any object in reminiscence in C. It begins off with a world or native variable after which consists of a (presumably empty) sequence of array accesses (e.g., a[i]), pointer dereferences (e.g., *p), struct membership (e.g., s.a), and union membership (e.g., u.a). C-paths are lots like file paths. Composite sorts are what one makes use of to construct networks of heap objects in reminiscence. The pointers should be VALID (for irresponsible pointers) or GOOD (for accountable pointers). A heap object that may’t be referenced by any C-path signifies a reminiscence leak. If no reminiscence leaks exist in a program at a time limit, then each heap object has a minimum of one C-path to reference it. In a memory-safe program with no out-of-scope pointers, at any level throughout program execution, each heap object has precisely one C-path the place each pointer within the path is accountable. We name this “the accountable C-path.” It’s a violation of POM to free a pointer by way of a C-path that has a minimum of one irresponsible pointer in it. Notice that any variables earlier than the primary pointer reside on the stack or international phase, and the whole lot previous the primary pointer should reside on the heap.
Management Circulate and Accountable Pointer States
A pointer will be in a number of states directly. We at all times assume that the states of a pointer will be decided statically. For any two states, branching can create a pointer that could possibly be in each states. For instance, malloc() returns a accountable pointer that could possibly be GOOD or NULL. This generally is a supply of hassle. In Commonplace C, there isn’t any option to distinguish GOOD accountable pointers from uninitialized pointers. This (amongst different issues) requires a developer to take care of inside self-discipline to make it possible for solely GOOD pointers are handed to most library capabilities. POM is designed to maintain observe of the states of pointers and problem warnings. For instance, the POM verifier will warn if a pointer that is likely to be uninitialized or NULL is dereferenced.
Implementing POM
Every p-model is saved in a YAML file. The determine beneath reveals an instance of C supply code and its related p-model.
Determine 1: The left reveals an instance of C supply code and, to the proper, its related p-model.
We’ve now developed two strategies to create a p-model file: LLM-based or SAT-solver-based. The SAT-solver technique creates a p-model after verifying that this system satisfies POM constraints and can’t create a p-model for this system if it doesn’t. The LLM-based technique can create a p-model for this system, no matter a SAT-solver’s willpower. In the event you solely use an LLM to generate a p-model, chances are you’ll not know if the code is compliant or if the LLM made a mistake. That’s, an LLM at all times generates a p-model, even when this system violates POM, and the p-model is wrong. In distinction, a SAT solver at all times generates a p-model if this system can adjust to POM, but when there are a number of p-models, the SAT solver doesn’t know which p-model is right, and if there aren’t any legitimate p-models, the SAT solver can not generate one. Learning how LLMs and SAT solvers can work together to maximise their strengths and decrease their weaknesses is future work.
Enter to the p-model builder consists of the supply code and output from the Clang compiler device. First run Clang on the supply code to generate an Summary Syntax Tree (AST), then serialize the AST to a JavaScript Object Notation (JSON) file. Clang may also produce an intermediate illustration (IR) file, which will be helpful to each the POM builder and verifier. The builder can use the AST or IR to establish capabilities and different areas of textual content (comparable to lessons or structs) to feed to the LLM, and the verifier can use the AST and IR to substantiate that they adjust to the p-model.
Utilizing automated static evaluation to construct p-models is dear and time-consuming to construct, preserve, and debug. For instance, figuring out the duty of a pointer inside a struct requires inspecting how the struct is used all through this system. The place the unique POM required handbook completion of a p-model, right this moment we use an LLM to assist full automated p-model era. We hypothesize that an LLM could possibly appropriately confirm the duty of many pointers that static evaluation alone could not resolve appropriately and do it quicker and extra precisely than a human may (i.e., with a higher share of right labels within the p-model). Manually creating or verifying a p-model is gradual and impedes its use. For instance, the specs utilized by Frama-C’s library should be proofread by the person. A p-model that may be generated mechanically doesn’t have this obstacle. We additionally hypothesize that an LLM could also be higher at discerning programmer intent than static evaluation alone, particularly if the code is flawed or violates POM.
A danger of utilizing LLMs is that they often hallucinate, making improper statements, usually in assured language. Nonetheless, for the reason that verifier will assess the accuracy of a p-model, it is going to emit warnings on any p-model that this system doesn’t adjust to, subsequently stopping any hallucinations from producing a “right” p-model. We’ve began to check how profitable the LLM is in filling out the p-model. Since a p-model will be accomplished manually, it’s easy to “grade” the LLM, and the LLM’s efficiency is a serious part of this analysis. As we proceed to develop POM primarily based on this design after which check it, we need to examine which LLMs carry out greatest and optimize LLM prompts to output good p-models.
The verifier’s job is to substantiate that this system complies with the p-model offered to it, no matter how the p-model was constructed. Thus, the verifier would be capable of flag any LLM-generated hallucinations as non-compliance, and it could additionally catch human error if the p-model is generated manually.
In our preliminary plan, a p-model can be verified utilizing static evaluation. As soon as this system’s AST is serialized in JSON format, the verifier can ingest the AST to trace and construct an inside pointer mannequin of the pointers in this system. A easy dictionary is used to map capabilities discovered within the AST to the perform’s inside management stream, argument pointers, native variable pointers, and return kind pointers. Given the tree construction of the AST JSON, every perform definition will include all essential data to construct the interior pointer mannequin. Based mostly on the AST node kind, the interior pointer mannequin will digest the AST node accordingly and replace the related perform’s inside management stream if essential. After the interior pointer mannequin has been absolutely created from the digested AST JSON for every perform, the p-model is in comparison with the tip state of the interior pointer mannequin after following the interior management stream. First, the p-model checks for the existence of all declared perform argument pointers, native variable pointers, and the return pointer kind. If there are any lacking or extraneous pointers, the verifier will warn the person of the discrepancy. Afterward, the perform argument pointers and return pointer kind within the p-model are verified for correctness given the interior management stream. As soon as the perform argument pointers and return pointer kind within the p-model are verified, the native variable pointers are verified for correctness given the interior management stream. Any verification errors are reported again to the person as warnings. (Appendix B in our technical report supplies the main points of our deliberate implementation and features a high-level stream diagram of verifying a p-model.)
Nonetheless, our present verifier makes use of a SAT solver, which is cheaper and less complicated. There’s an older, incomplete verifier that checks if the AST complies with the POM. The SAT-solver verifier examines the LLVM IR generated from the supply code. It runs our constraint generator and the SAT solver. Its enter can embody p-model information however doesn’t have to.
The verifier output is designed to assist builders shortly perceive if the code is POM-compliant.
- If the discovering is SAT (it’s POM-compliant), builders are supplied with the validation particulars.
- If the discovering is UNSAT (it isn’t POM-compliant), builders are pointed to an UNSAT core (a subset of the unique clauses that’s ample to show unsatisfiability) to assist them perceive the issue to allow them to repair it. Associated output information present traces to each the supply code (with line numbers and variable names) and LLVM IR code (with line numbers and variable names).
If the constraints are satisfiable, the next information are generated:
- answer.json: Task of true or false to every of the named variables showing in constraints.txt.
- answer.txt: Uncooked output from SAT solver, utilizing numeric variable IDs.
If the constraints are unsatisfiable, the next information are generated:
- proof.drat: A proof of unsatisfiability.
- core.unsat: The subset of clauses from constraints.dimacs which are used within the above proof.
- core.unsat.named: Similar as core.unsat, besides utilizing descriptive variable names as a substitute of numeric variable IDs.
Future Pointer Possession Mannequin Updates
Our POM formal mannequin will be helpful to show partial temporal reminiscence security in C code. We are actually growing code for automating p-code creation and validation in addition to an automatic testing framework to run experiments. Our design alternative to make use of an LLM for p-model era assist is meant to decrease handbook effort and enhance correctness, nevertheless it dangers hallucinations. We anticipate that such hallucinations will trigger the verifier to supply warnings about this system violating the p-model.
We’re at present finishing assessments to assist us perceive the influence of utilizing LLMs, SAT solvers, and different design decisions. Our assessments use temporal reminiscence safety-relevant subsets of the Juliet C/C++ v1.3 check suite, plus on some further open-source and project-created check code. Outcomes of that testing will probably be revealed quickly in shows and a forthcoming technical report, plus ultimately revealed in a convention paper (to be submitted quickly). As new publications occur, we are going to replace the POM collections webpage. POM is meant to assist builders keep away from, establish, and repair temporal memory-safety points with its psychological mannequin, automated p-model era, and automatic verification. If profitable at validating temporal security, POM may enhance the safety and performance of a lot of the massive quantity of C code at present in use at a low value (because of full automation) and with no efficiency discount. Future work may examine how out-of-scope pointers work together with accountable and irresponsible pointers in knowledge constructions comparable to doubly linked lists and reference-counted pointers after which presumably lengthen POM to incorporate such knowledge constructions.
Utilizing POM requires some coaching on what the mannequin is and use the tooling we’ve developed to assist it. Many software program engineers are unfamiliar with SAT solvers, so in instances the place the output says UNSATISFIABLE (UNSAT), with out schooling and follow, even the subset of clauses ensuing from DIMACS will be arduous to know at first. When the result’s UNSAT, engineers have to then modify the code and/or p-models, and the DIMACS output helps them look at the clauses that may’t all be true after which make modifications. We offer demos (with demo code to research and step-by-step directions) and explanations within the README.mdand README.sat.solver.md within the code launch, plus we improve the DIMACS output to assist customers establish the related code within the IR and supply code. We wish to additional enhance the tooling to allow extra automation and cut back the training burden on engineers. Additionally, sooner or later we could develop a workshop and/or extra coaching materials, to assist new customers to shortly jump-start utilizing and benefitting from POM.
Future work may enhance C language protection in POM by supporting the alloca() perform, which might require modifying the C-path definition; supporting static pointers; and supporting tracing accountable or irresponsible pointers via integer casts or casts to some other non-pointer sorts. One other space of future work may lengthen POM’s temporal reminiscence security checks to additionally embody spatial reminiscence security, together with vulnerabilities comparable to buffer overflows and Heartbleed.
