• Abstract
  • I. Introduction
  • II. Exploit Mitigations vs. Sanitizers
  • III. Low-Level Vulnerabilities
    • A. Memory Safety Violations
      • (1) Spatial Safety Violations
      • (2) Temporal Safety Violations
    • B. Use of Uninitialized Variables
    • C. Pointer Type Errors
    • D. Variadic Function Misuse
    • E. Other Vulnerabilities
  • IV. Bug Finding Techniques
    • A. Memory Safety Violations
      • Location-based Access Checkers
      • Identity-based Access Checkers
        • (1) Spatial Memory Safety Violations
          • Red-zone Insertion
          • Guard Pages
          • Per-pointer Bounds Tracking
          • Per-object Bounds Tracking
        • (2) Temporal Memory Safety Violations
          • Reuse Delay
          • Lock-and-key
          • Dangling Pointer Tagging
    • B. Use of Uninitialized Variables
      • Uninitialized Memory Read Detection
      • Uninitialized Value Use Detection
    • C. Pointer Type Errors
      • Pointer Casting Monitor
      • Pointer Use Monitor
    • D. Variadic Function Misuse
      • Dangerous Format String Detection
      • Argument Mismatch Detection
    • E. Other Vulnerabilities
  • V. Program Instrumentation
    • A. Language-level Instrumentation
    • B. IR-level Instrumentation
    • C. Binary Instrumentation
    • D. Library Interposition
  • VI. Metadata Management
    • A. Object Metadata
      • Embedded Metadata
      • Direct-mapped Shadow
      • Multi-level Shadow
      • Custom Data Structure
    • B. Pointer Metadata
      • Fat Pointers
      • Tagged Pointers
      • Disjoint Metadata
    • C. Static Metadata
  • VII. Driving A Sanitizer
  • VIII. Analysis
    • A. False Positives
    • B. False Negatives
    • C. Incomplete Instrumentation
    • D. Thread Safety
    • E. Performance Overhead
    • F. Memory Overhead
  • IX. Deployment
    • A. Methodology
      • Popular GitHub repositories
      • Sanitizer web pages
      • Search trends
    • B. Findings
      • AddressSanitizer is the most widely adopted sanitizer
      • The adoption rate for other LLVM-based sanitizers is lower
    • C. Deployment Directions
  • X. Future Research And Development Directions
    • A. Type Error Detection
    • B. Improving Compatibility
    • C. Composing Sanitizers
    • D. Hardware Support
    • E. Kernel and Bare-Metal Support
  • XI. Conclusion