Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Lida Zhao,Sen Chen,Zhengzi Xu,Chengwei Liu,Lyuye Zhang,Jiahui Wu,Jun Sun,Yang Liu

DOI: https://doi.org/10.1145/3611643.3616299

2023-01-01

Abstract:Software composition analysis (SCA) tools are proposed to detect potential vulnerabilities introduced by open-source software (OSS) imported as third-party libraries (TPL). With the increasing complexity of software functionality, SCA tools may encounter various scenarios during the dependency resolution process, such as diverse formats of artifacts, diverse dependency imports, and diverse dependency specifications. However, there still lacks a comprehensive evaluation of SCA tools for Java that takes into account the above scenarios. This could lead to a confined interpretation of comparisons, improper use of tools, and hinder further improvements of the tools. To fill this gap, we proposed an Evaluation Model which consists of Scan Modes, Scan Methods, and SCA Scope for Maven (SSM), for comprehensive assessments of the dependency resolving capabilities and effectiveness of SCA tools. Based on the Evaluation Model, we first qualitatively examined 6 SCA tools’ capabilities. Next, the accuracy of dependency and vulnerability is quantitatively evaluated with a large-scale dataset (21,130 Maven modules with 73,499 unique dependencies) under two Scan Modes (i.e., build scan and pre-build scan). The results show that most tools do not fully support SSM, which leads to compromised accuracy. For dependency detection, the average F1-score is 0.890 and 0.692 for build and pre-build respectively, and for vulnerability accuracy, the average F1-score is 0.475. However, proper support for SSM reduces dependency detection false positives by 34.24% and false negatives by 6.91%. This further leads to a reduction of 18.28% in false positives and 8.72% in false negatives in vulnerability reports.

Jens Dietrich,Shawn Rasheed,Alexander Jordan,Tim White

DOI: https://doi.org/10.48550/arXiv.2306.05534

2023-10-10

Abstract:Modern software heavily relies on the use of components. Those components are usually published in central repositories, and managed by build systems via dependencies. Due to issues around vulnerabilities, licenses and the propagation of bugs, the study of those dependencies is of utmost importance, and numerous software composition analysis tools have emerged for this purpose. A particular challenge are hidden dependencies that are the result of cloning or shading where code from a component is "inlined", and, in the case of shading, moved to different namespaces. We present a novel approach to detect vulnerable clones in the Maven repository. Our approach is lightweight in that it does not require the creation and maintenance of a custom index. Starting with 29 vulnerabilities with assigned CVEs and proof-of-vulnerability projects, we retrieve over 53k potential vulnerable clones from Maven Central. After running our analysis on this set, we detect 727 confirmed vulnerable clones (86 if versions are aggregated) and synthesize a testable proof-of-vulnerability project for each of those. We demonstrate that existing SCA tools often miss those exposures. At the time of submission those results have led to changes to the entries for six CVEs in the GitHub Security Advisory Database (GHSA) via accepted pull requests, with more pending.

Software Engineering

Paolo Boldi,Georgios Gousios

DOI: https://doi.org/10.1145/3418209

2020-12-09

Abstract:Modern software development is increasingly dependent on components, libraries and frameworks coming from third-party vendors or open-source suppliers and made available through a number of platforms (or forges). This way of writing software puts an emphasis on reuse and on composition, commoditizing the services which modern applications require. On the other hand, bugs and vulnerabilities in a single library living in one such ecosystem can affect, directly or by transitivity, a huge number of other libraries and applications. Currently, only product-level information on library dependencies is used to contain this kind of danger, but this knowledge often reveals itself too imprecise to lead to effective (and possibly automated) handling policies. We will discuss how fine-grained function-level dependencies can greatly improve reliability and reduce the impact of vulnerabilities on the whole software ecosystem.

Software Engineering,Social and Information Networks

Li Sui,Jens Dietrich,Michael Emery,Shawn Rasheed,Amjed Tahir

DOI: https://doi.org/10.1007/978-3-030-02768-1_4

2018-01-01

Abstract:Static program analysis is widely used to detect bugs and vulnerabilities early in the life cycle of software. It models possible program executions without executing a program, and therefore has to deal with both false positives (precision) and false negatives (soundness). A particular challenge for sound static analysis is the presence of dynamic language features, which are prevalent in modern programming languages, and widely used in practice.We catalogue these features for Java and present a micro-benchmark that can be used to study the recall of static analysis tools. In many cases, we provide examples of real-world usage of the respective feature. We then study the call graphs constructed with soot, wala and doop using the benchmark. We find that while none of the tools can construct a sound call graph for all benchmark programs, they all offer some support for dynamic language features.We also discuss the notion of possible program execution that serves as the ground truth used to define both precision and soundness. It turns out that this notion is less straight-forward than expected as there are corner cases where the (language, JVM and standard library) specifications do not unambiguously define possible executions.

Huaijin Wang,Zhibo Liu,Shuai Wang,Ying Wang,Qiyi Tang,Sen Nie,Shi Wu

DOI: https://doi.org/10.1109/eurosp60621.2024.00034

2024-01-01

Abstract:Software composition analysis (SCA) has attracted the attention of the industry and academic community in recent years. Given a piece of program source code, SCA facilitates extracting certain components from the input program and matching the extracted components with opensource software (OSS) libraries. Despite the prosperous development of SCA, binary SCA (BSCA) is highly challenging and still underdeveloped. Few available BSCA solutions are either closed source (for commercial usage) or suffer from low performance. Nevertheless, a related line of research, binary similarity analysis (BSA), which decides the similarity between two pieces of binary code, has been progressively developed in academia for decades. De facto BSA techniques, often based on deep learning, efficiently analyze large-scale executables with high accuracy. This study explores bridging the gap between state-of-the-art (SOTA) BSA and BSCA. We spent considerable manual effort building the first large real-world benchmark dataset, containing over 55 million lines of C/C++ code. Then, we establish our BSCA pipeline by extending and calibrating the SOTA SCA pipeline. Particularly, we concretize the key procedure of BSCA, namely matching a binary component with OSS using six SOTA BSA techniques. Evaluation using our benchmark dataset reveals that simply employing BSA in BSCA exhibits less desirable accuracy, as BSCA faces unique challenges. After inspecting the failed cases, we propose three enhancements whose hybrid usage improves the F1 score of BSCA by over 30% and outperforms SOTA commercial BSCA software. Our experiment on 1-day vulnerability detection demonstrates our BSCA framework's effectiveness. We also discuss several open challenges and potential solutions to augment BSCA solutions.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibin Guan

DOI: https://doi.org/10.1109/IMIS.2011.59

2011-01-01

Abstract:Dynamic taint analysis has been proved to be very effective in solving security problems recently, especially in software vulnerability detection and malicious behavior prevention. Unfortunately, most of current researches in this field focus on the runtime protection, and are incapable to discover the potential threat in the software. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF. The framework translates the binary into assembly code and tracks the data flow. Then with static method, the system can get the important information which can't be gained at runtime, such as unexecuted part of the code. When this information is acquired, they will be provided to the client tools. The practicability of the framework is validated by implementing and evaluating a tool built on SDCF. The result of the experiments shows that our system is able to detect latent software vulnerabilities efficiently.

Dinesh Reddy Chittibala

DOI: https://doi.org/10.47941/ijce.1737

2024-03-21

Abstract:Purpose: This article aims to shed light on the transformative role of Open Source Software (OSS) in digital infrastructure and the accompanying security challenges. It highlights the critical need for automated code scanning technologies to address vulnerabilities stemming from coding errors, lack of secure coding practices, and the rapid development pace. Methodology: Through a comprehensive analysis of static, dynamic, and interactive code scanning methods, along with the exploration of AI and ML integration, this study examines scalable and efficient approaches to enhance detection capabilities early in the development lifecycle. Findings: While automated code scanning technologies have made significant strides in detecting and mitigating vulnerabilities, there remain notable research and methodology gaps, especially in technology scalability and the effectiveness of these methods. Unique Contribution to Theory, Policy, and Practice: This article posits a forward-looking perspective on automated code scanning, advocating for intelligent, collaborative, and integrated security measures in OSS. It emphasizes the indispensable role of community collaboration and open-source contributions in advancing these technologies, crucial for the proactive identification and mitigation of security vulnerabilities, thereby safeguarding the digital ecosystem's integrity and reliability.

Yanwen Ding,Weihan Tian,Baojiang Cui

DOI: https://doi.org/10.21203/rs.3.rs-5261746/v1

2024-01-01

Abstract:With the widespread use of third-party components in software development, their security has become a major challenge in the field of software security. The implantation of malicious components or the unintentional reference of security weak components by developers may lead to serious security problems.In order to effectively solve the dependency obfuscation problem, this paper proposes a detection framework (Comchecker) based on source code analysis to cope with the dependency obfuscation problem through source code analysis techniques. The framework first accurately identifies and builds the code tree of third-party components and optimizes them through static analysis of component source code. Then, it evaluates the security risk of the components by designing a comprehensive evaluation model which combines various factors such as the source, structural features, and other components. Subsequently, we conduct a series of experiments to evaluate the proposed framework and compare it with state-of-the-art component detection tools.Through extensive experiments with three comparative detection tools, our detection framework achieves 93.51% accuracy for third-party component detection, outperforming existing detection tools in terms of detection accuracy and precision, and 91.04% accuracy for obfuscation-dependent detection.Finally, Comchecker is also well extended to be applied to components used in most mainstream development languages.

xusheng xiao,tao xie,nikolai tillmann,peli de halleux

2010-01-01

Abstract:The process of achieving high structural coverage of the pro- gram under test can be automated using Dynamic Sym- bolic Execution (DSE), which generates test inputs to it- eratively explore paths of the program under test. When applied on real-world applications, DSE faces various chal- lenges in generating test inputs to achieve high structural coverage. Among issues related to these challenges, our preliminary study identified two main types of issues: (1) object-creation issues (OCI), where DSE fails to generate method-call sequences to produce desirable object states; (2) external-method-call issues (EMCI), where symbolic val- ues are passed as arguments to third-party library methods that are not instrumented by DSE. Automatically solving these two main types of issues is challenging, since the explo- ration space of generating method-call sequences for desir- able object states is usually too huge, and instrumenting all third-party libraries can cause explosion of the exploration space. However, when provided with informative informa- tion of issues, users can effectively assist DSE to achieve high structural coverage. In this paper, we propose a gen- eral approach, called Covana, to identify issues faced by DSE via analyzing runtime information, and filter out irrelevant issues using residual structural coverage. We provide two techniques to instantiate our general approach to identify OCIs and EMCIs. To show the effectiveness of Covana, we conduct evaluations on two open source projects. Our re- sults show that Covana effectively identifies 155 OCIs, and 43 EMCIs. Moreover, Covana effectively reduces 296 irrel- evant issues out of 451 OCIs and 1567 irrelevant issues out of 1610 EMCIs produced by a straightforward approach.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Huaijin Wang,Zhibo Liu,Yanbo Dai,Shuai Wang,Qiyi Tang,Sen Nie,Shi Wu

2024-12-02

Abstract:Software composition analysis (SCA) denotes the process of identifying open-source software components in an input software application. SCA has been extensively developed and adopted by academia and industry. However, we notice that the modern SCA techniques in industry scenarios still need to be improved due to privacy concerns. Overall, SCA requires the users to upload their applications' source code to a remote SCA server, which then inspects the applications and reports the component usage to users. This process is privacy-sensitive since the applications may contain sensitive information, such as proprietary source code, algorithms, trade secrets, and user data. Privacy concerns have prevented the SCA technology from being used in real-world scenarios. Therefore, academia and the industry demand privacy-preserving SCA solutions. For the first time, we analyze the privacy requirements of SCA and provide a landscape depicting possible technical solutions with varying privacy gains and overheads. In particular, given that de facto SCA frameworks are primarily driven by code similarity-based techniques, we explore combining several privacy-preserving protocols to encapsulate the similarity-based SCA framework. Among all viable solutions, we find that multi-party computation (MPC) offers the strongest privacy guarantee and plausible accuracy; it, however, incurs high overhead (184 times). We optimize the MPC-based SCA framework by reducing the amount of crypto protocol transactions using program analysis techniques. The evaluation results show that our proposed optimizations can reduce the MPC-based SCA overhead to only 8.5% without sacrificing SCA's privacy guarantee or accuracy.

Software Engineering,Cryptography and Security

Di Cui

DOI: https://doi.org/10.1109/access.2021.3054472

IF: 3.9

2021-01-01

IEEE Access

Abstract:During software evolution, complex structural dependencies between source files pose a great challenge on maintenance activities. Some of these dependencies propagate defects among files, incurring frequent bugs or changes, and consuming significant maintenance costs. They can be referred to as flawed structural dependencies. In this paper, we proposed a method to identify these potential problematic dependencies at an early stage during software evolution, by combing structural and semantic dependencies, so that developers can save maintenance costs by fixing these issues in time. Our method works as follows: First, we extract structural dependencies from the source code syntax and semantic dependencies from the source code lexicon. Second, we collect suspect file pairs by calculating the difference between structural and semantic dependencies. Next, we exhaustively examine each source file in the system and locate the interaction of its impacted subordinated files and suspect file pairs (SFP) as suspect dependencies. Finally, we gather all the suspect dependencies as flawed structural dependencies candidates. We evaluate our method using 838 releases of 15 open source projects, including 33353 bug reports and 86690 revision commits. The detection result shows that our identified dependencies use 14% of all the files to capture almost 70% of top 10% bug-prone files or change-prone files with enough high precision: 92%. Moreover, our identified dependencies also incur 957% of bug frequencies and 1050% of change frequencies than average in future versions. In summary, our method can effectively and efficiently detect flawed structural dependencies in time during software evolution.

Anshul Tanwar,Krishna Sundaresan,Parmesh Ashwath,Prasanna Ganesan,Sathish Kumar Chandrasekaran,Sriram Ravi

DOI: https://doi.org/10.48550/arXiv.2004.12783

2020-04-24

Software Engineering

Abstract:Currently, while software engineers write code for various modules, quite often, various types of errors - coding, logic, semantic, and others (most of which are not caught by compilation and other tools) get introduced. Some of these bugs might be found in the later stage of testing, and many times it is reported by customers on production code. Companies have to spend many resources, both money and time in finding and fixing the bugs which would have been avoided if coding was done right. Also, concealed flaws in software can lead to security vulnerabilities that potentially allow attackers to compromise systems and applications. Interestingly, same or similar issues/bugs, which were fixed in the past (although in different modules), tend to get introduced in production code again. We developed a novel AI-based system which uses the deep representation of Abstract Syntax Tree (AST) created from the source code and also the active feedback loop to identify and alert the potential bugs that could be caused at the time of development itself i.e. as the developer is writing new code (logic and/or function). This tool integrated with IDE as a plugin would work in the background, point out existing similar functions/code-segments and any associated bugs in those functions. The tool would enable the developer to incorporate suggestions right at the time of development, rather than waiting for UT/QA/customer to raise a defect. We assessed our tool on both open-source code and also on Cisco codebase for C and C++ programing language. Our results confirm that deep representation of source code and the active feedback loop is an assuring approach for predicting security and other vulnerabilities present in the code.

Gabor Horvath,Reka Kovacs,Zoltan Porkolab

2024-08-04

Abstract:Static analysis is the analysis of a program without executing it, usually carried out by an automated tool. Symbolic execution is a popular static analysis technique used both in program verification and in bug detection software. It works by interpreting the code, introducing a symbol for each value unknown at compile time (e.g. user-given inputs), and carrying out calculations symbolically. The analysis engine strives to explore multiple execution paths simultaneously, although checking all paths is an intractable problem, due to the vast number of possibilities. We focus on an error finding framework called the Clang Static Analyzer, and the infrastructure built around it named CodeChecker. The emphasis is on achieving end-to-end scalability. This includes the run time and memory consumption of the analysis, bug presentation to the users, automatic false positive suppression, incremental analysis, pattern discovery in the results, and usage in continuous integration loops. We also outline future directions and open problems concerning these tools. While a rich literature exists on program verification software, error finding tools normally need to settle for survey papers on individual techniques. In this paper, we not only discuss individual methods, but also how these decisions interact and reinforce each other, creating a system that is greater than the sum of its parts. Although the Clang Static Analyzer can only handle C-family languages, the techniques introduced in this paper are mostly language-independent and applicable to other similar static analysis tools.

Software Engineering

Wuxia Jin,Ting Liu,Yu Qu,Qinghua Zheng,Di Cui,Jianlei Chi

DOI: https://doi.org/10.1007/s11219-017-9369-3

2017-01-01

Software Quality Journal

Abstract:With the advent of network technologies and the ultra-fast increasing of computing ability, the distributed architecture has become a necessity for the majority of software systems. However, it is difficult for current architecture measurements to evaluate distributed systems, such as cohesion and coupling. Most current methods focus on the relations among various classes or packages but barely consider the structure at component level, which has a serious impact on change impact analysis, fault diagnosis, or other maintenance activities. In this paper, we propose a dynamic structure measurement for distributed software. The intra-component and inter-component dependencies are introduced into a Calling Network model to further represent distributed software. More importantly, based on the Kieker monitoring framework, the measurement methods are proposed and implemented for distributed software. Two structural quality attributes cohesion factor of component (CHC) and coupling factor of component (CPC) are measured. Finally, case studies are conducted on two open-source distributed systems: RSS Reader Recipes and the distributed version of iBATIS JPetStore. By applying the proposed methods and comparing with the existing ones, the features of CHC and CPC can be assessed and observed for distributed software.

Anne Veenendaal,Elliot Daly,Eddie Jones,Zhao Gang,Sumalini Vartak,Rahul S Patwardhan

DOI: https://doi.org/10.48550/arXiv.1610.04594

2016-07-27

Software Engineering

Abstract:Enterprise level software is implemented using multi-layer architecture. These layers are often implemented using de-coupled solutions with millions of lines of code. Programmers often have to track and debug a function call from user interface layer to the data access layer while troubleshooting an issue. They have to inspect the code based on search results or use design documents to construct the call graph. This process is time consuming and laborious. The development environment tools are insufficient or confined to analyzing only the code in the loaded solution. This paper proposes a method to construct a call graph of the call across several layers of the code residing in different code bases to help programmers better understand the design and architecture of the software. The signatures of class, methods, and properties were evaluated and then matched against the code files. A graph of matching functions was created. The recursive search stopped when there were no matches or the data layer code was detected. The method resulted in 78.26% accuracy when compared with manual search.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1016/j.camwa.2011.08.001

IF: 3.218

2012-01-01

Computers & Mathematics with Applications

Abstract:The evolution of computer science has exposed us to the growing gravity of security problems and threats. Dynamic taint analysis is a prevalent approach to protect a program from malicious behaviors, but fails to provide any information about the code which is not executed. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF to detect software vulnerabilities with high code coverage. Our experiments show that SDCF is not only able to provide efficient runtime protection by introducing an overhead of 4.16× based on the taint tracing technique, but is also capable of discovering latent software vulnerabilities which have not been exploited, and achieve code coverage of more than 90%.

Ting Su,Geguang Pu,Bin Fang,Jifeng He

DOI: https://doi.org/10.1109/SERE.2014.23

2014-01-01

Abstract:Recently code transformations or tailored fitness functions are adopted to achieve coverage (structural or logical criterion) driven testing to ensure software reliability. However, some internal threats like negative impacts on underlying search strategies or local maximum exist. So we propose a dynamic symbolic execution (DSE) based framework combined with a path filtering algorithm and a new heuristic path search strategy, i.e., predictive path search, to achieve faster coverage-driven testing with lower testing cost. The empirical experiments (three open source projects and two industrial projects) show that our approach is effective and efficient. For the open source projects w.r.t branch coverage, our approach in average reduces 25.5% generated test cases and 36.3% solved constraints than the traditional DSE-based approach without path filtering. And the presented heuristic strategy, on the same testing budget, improves the branch coverage by 26.4% and 35.4% than some novel search strategies adopted in KLEE and CREST.

Aiman Hanna,Hai Zhou Ling,Xiaochun Yang,Mourad Debbabi

DOI: https://doi.org/10.1007/978-3-642-05151-7_5

2009-01-01

Abstract:The main contribution of this paper is a framework for security testing. The key components of this framework are twofold: First, a static analyzer that automatically identifies suspicious sites of security vulnerabilities in a control flow graph. Second, a test-data generator. The intent is to attempt proving/disproving whether, or not, the suspicious sites are actual vulnerabilities. The paper introduces the static-dynamic hybrid vulnerability detection system, a system that targets the automation of security vulnerability detection in software. The system combines the detection powers of both static and dynamic analysis. Various components compose this model, namely Static Vulnerability Revealer, Goal-Path-oriented System, and Dynamic Vulnerability Detector.