A Method for Software Vulnerability Detection Based on Improved Control Flow Graph
  • English title: A Method for Software Vulnerability Detection Based on Improved Control Flow Graph
  • Authors: ZHOU Minmin; CHEN Jinfu; LIU Yisong; ACKAH-ARTHUR Hilary; CHEN Shujie; ZHANG Qingchen; ZENG Zhifeng
  • Authors (English): ZHOU Minmin; CHEN Jinfu; LIU Yisong; ACKAH-ARTHUR Hilary; CHEN Shujie; ZHANG Qingchen; ZENG Zhifeng; School of Computer Science and Communication Engineering, Jiangsu University
  • English keywords: software security; software vulnerability; improved control flow graph; vulnerability detection algorithm
  • Chinese journal code: WHDZ
  • English journal title: Wuhan University Journal of Natural Sciences (English edition)
  • Institution: School of Computer Science and Communication Engineering, Jiangsu University
  • Publication date: 2019-03-13 18:17
  • Publisher: Wuhan University Journal of Natural Sciences
  • Year: 2019
  • Issue: v.24; No.124
  • Funding: Supported by the National Natural Science Foundation of China (61202110 and 61502205); the Project of Jiangsu Provincial Six Talent Peaks (XYDXXJS-016)
  • Language: English
  • Page: WHDZ201902008
  • Page count: 12
  • CN: 02
  • ISSN: 42-1405/N
  • Classification number: 61-72
Abstract
With the rapid development of software technology, software vulnerabilities have become a major threat to computer security. The timely detection and repair of potential vulnerabilities in software is of great significance in reducing system crashes and maintaining system security and integrity. This paper focuses on detecting three common types of vulnerabilities: Unused_Variable, Use_of_Uninitialized_Variable, and Use_After_Free. We propose a method for software vulnerability detection based on an improved control flow graph (ICFG) and several predicates of vulnerability properties for each type of vulnerability. We also define a set of grammar rules for analyzing and deriving the three mentioned types of vulnerabilities, and design three vulnerability detection algorithms to guide the process of vulnerability detection. In addition, we conduct case studies of the three mentioned types of vulnerabilities with real vulnerable program segments from the Common Weakness Enumeration (CWE). The results of the studies show that the proposed method can detect the vulnerability in each tested program segment. Finally, we conduct manual analysis and experiments on detecting the three types of vulnerable program segments (30 examples for each type) from CWE, to compare the vulnerability detection effectiveness of the proposed method with that of the existing detection tool Cppcheck. The results show that the proposed method performs better. In summary, the method proposed in this paper has certain feasibility and effectiveness in detecting the three mentioned types of vulnerabilities, and it will also have guiding significance for the detection of other common vulnerabilities.