Pan Bian,Bin Liang,Wenchang Shi,Jianjun Huang

2018-01-01

Abstract:Inferring programming rules from source code based on datamining techniques has been proven to be effective to detect software bugs. Existing studies focus on discovering positive rules in the form of A ⇒ B, indicating that when operation A appears, operation B should also be here. Unfortunately, the negative rules (A ⇒ ¬B), indicating the mutual suppression or conflict relationships among program elements, have not gotten the attention they deserve. In fact, violating such negative rules can also result in serious bugs. In this paper, we propose a novel method called NAR-Miner to automatically extract negative association programming rules from large-scale systems, and detect their violations to find bugs. However, mining negative rules faces a more serious rule explosion problem than mining positive ones. Most of the obtained negative rules are uninteresting and can lead to unacceptable false alarms. To address the issue, we design a semantics-constrained mining algorithm to focus rule mining on the elements with strong semantic relationships. Furthermore, we introduce information entropy to rank candidate negative rules and highlight the interesting ones. Consequently, we effectively mitigate the rule explosion problem. We implement NAR-Miner and apply it to a Linux kernel (v4.12-rc6). The experiments show that the uninteresting rules are dramatically reduced and 17 detected violations have been confirmed as real bugs and patched by kernel community. We also apply NAR-Miner to PostgreSQL, OpenSSL and FFmpeg and discover six real bugs.

Lingfeng Bao,Xin Xia,Ahmed E. Hassan,Xiaohu Yang

DOI: https://doi.org/10.1145/3510003.3510113

2022-01-01

Abstract:Vulnerabilities publicly disclosed in the National Vulnerability Database (NVD) are assigned with CVE (Common Vulnerabilities and Exposures) IDs and associated with specific software versions. Many organizations, including IT companies and government, heavily rely on the disclosed vulnerabilities in NVD to mitigate their security risks. Once a software is claimed as vulnerable by NVD, these organizations would examine the presence of the vulnerable versions of the software and assess the impact on themselves. However, the version information about vulnerable software in NVD is not always reliable. Nguyen et al. find that the version information of many CVE vulnerabilities is spurious and propose an approach based on the original SZZ algorithm (i.e., an approach to identify bug-introducing commits) to assess the software versions affected by CVE vulnerabilities. However, SZZ algorithms are designed for common bugs, while vulnerabilities and bugs are different. Many bugs are introduced by a recent bug-fixing commit, but vulnerabilities are usually introduced in their initial versions. Thus, the current SZZ algorithms often fail to identify the inducing commits for vulnerabilities. Therefore, in this study, we propose an approach based on an improved SZZ algorithm to refine software versions affected by CVE vulnerabilities. Our proposed SZZ algorithm leverages the line mapping algorithms to identify the earliest commit that modified the vulnerable lines, and then considers these commits to be the vulnerability-inducing commits, as opposed to the previous SZZ algorithms that assume the commits that last modified the buggy lines as the inducing commits. To evaluate our proposed approach, we manually annotate the true inducing commits and verify the vulnerable versions for 172 CVE vulnerabilities with fixing commits from two publicly available datasets with five C/C++ and 41 Java projects, respectively. We find that 99 out of 172 vulnerabilities whose version information is spurious. The experiment results show that our proposed approach can identify more vulnerabilities with the true inducing commits and correct vulnerable versions than the previous SZZ algorithms. Our approach outperforms the previous SZZ algorithms in terms of F1-score for identifying vulnerability-inducing commits on both C/C++ and Java projects (0.736 and 0.630, respectively). For refining vulnerable versions, our approach also achieves the best performance on the two datasets in terms of F1-score (0.928 and 0.952).

Pan Bian,Bin Liang,Wenchang Shi,Jianjun Huang,Yan Cai

DOI: https://doi.org/10.1145/3236024.3236032

2018-01-01

Abstract:Inferring programming rules from source code based on data mining techniques has been proven to be effective to detect software bugs. Existing studies focus on discovering positive rules in the form of A ⇒ B, indicating that when operation A appears, operation B should also be here. Unfortunately, the negative rules (A ⇒ ¬ B), indicating the mutual suppression or conflict relationships among program elements, have not gotten the attention they deserve. In fact, violating such negative rules can also result in serious bugs. In this paper, we propose a novel method called NAR-Miner to automatically extract negative association programming rules from large-scale systems, and detect their violations to find bugs. However, mining negative rules faces a more serious rule explosion problem than mining positive ones. Most of the obtained negative rules are uninteresting and can lead to unacceptable false alarms. To address the issue, we design a semantics-constrained mining algorithm to focus rule mining on the elements with strong semantic relationships. Furthermore, we introduce information entropy to rank candidate negative rules and highlight the interesting ones. Consequently, we effectively mitigate the rule explosion problem. We implement NAR-Miner and apply it to a Linux kernel (v4.12-rc6). The experiments show that the uninteresting rules are dramatically reduced and 17 detected violations have been confirmed as real bugs and patched by kernel community. We also apply NAR-Miner to PostgreSQL, OpenSSL and FFmpeg and discover six real bugs.

Xiang Li,Jinfu Chen,Zhechao Lin,Lin Zhang,Zibin Wang,Minmin Zhou,Wanggen Xie

DOI: https://doi.org/10.1109/cbd.2017.58

2017-08-01

Abstract:Software vulnerability remains a serious challenge to the software engineering domain over the past decade as a result of the recent technological advancement in information systems. The rapid development in software applications and failure on the part of system developers to properly analyze program codes before been released to the market increases the chance for data breaches. It is a known fact that most system failures are as a result of bugs and errors detected in software applications. Although code errors significantly affect software quality, there is no effective method that can be used in eliminating software errors to improve its reliability. Data Mining and its related algorithms are an active area which can successfully be applied in analyzing software vulnerability. However the concept of applying data mining techniques has not been empirically proven as an effective method for obtaining the essential characteristics of software vulnerability. To investigate this effect, we propose a vulnerability mining algorithm to analyze and obtain the essential characteristics of Software vulnerability based data mining techniques. We first extracted and preprocessed the software vulnerabilities using data mining techniques and common vulnerability database. We evaluate the proposed technique using the Common Vulnerability and Exposure (CVE) Database, Common Weakness Enumeration (CWE) Database, National Vulnerability Database (NVD) datasets. Empirical results show that the proposed vulnerability mining algorithm has a remarkable improvement in the vulnerability mining process. The most interesting finding is that, we observed that across all the three projects, recall was around 70% and precision was approximately 60%.

Susheng Wu,Bin Chen,MingXu Sun,Renyu Duan,Qixiang Zhang,Cheng Huang

DOI: https://doi.org/10.1109/trustcom53373.2021.00090

2021-01-01

Abstract:Open-source code repositories play an important role in software development, but they also introduce a slew of security issues. Firstly, everyone can use open-source projects and libraries from the third-party ecosystem, which increases the risk of vulnerabilities attacking. Secondly, it may cause a domino effect and make these products inherit these vulnerabilities when referring to vulnerable repositories. Traditional technical methods were unable to detect these public flaws in a timely manner, leaving these developers in an insecure situation. Although vulnerability management institutes like CVE and NVD provide inadequate coverage, leading to a lack of timely, reliable, and detailed information about open-source projects' vulnerabilities. To better detect and repair vulnerability, we designed a vulnerability intelligence mining system named DeepVuler based on threads analysis and changed code in open-source communities using machine learning. We choose and define a series of effective features extracted from open-source communities to early infer vulnerability intelligence. Our result shows that two proposed models of DeepVuler achieve a detection rate of 0.979 in threads and 0.890 in changed codes. Besides, the detection from DeepVuler is often days or weeks ahead of official vulnerability disclosure.

Bin Liang,Pan Bian,Yan Zhang,Wenchang Shi,Wei You,Yan Cai

DOI: https://doi.org/10.1145/2884781.2884870

2016-01-01

Abstract:Detecting bugs with code mining has proven to be an effective approach. However, the existing methods suffer from reporting serious false positives and false negatives. In this paper, we developed an approach called AntMiner to improve the precision of code mining by carefully preprocessing the source code. Specifically, we employ the program slicing technique to decompose the original source repository into independent sub-repositories, taking critical operations (automatically extracted from source code) as slicing criteria. In this way, the statements irrelevant to a critical operation are excluded from the corresponding sub-repository. Besides, various semantics-equivalent representations are normalized into a canonical form. Eventually, the mining process can be performed on a refined code database, and false positives and false negatives can be significantly pruned. We have implemented AntMiner and applied it to detect bugs in the Linux kernel. It reported 52 violations that have been either confirmed as real bugs by the kernel development community or fixed in new kernel versions. Among them, 41 cannot be detected by a widely used representative analysis tool Coverity . Besides, the result of a comparative analysis shows that our approach can effectively improve the precision of code mining and detect subtle bugs that have previously been missed.

Jiayuan Zhou,Michael Pacheco,Zhiyuan Wan,Xin Xia,David Lo,Yuan Wang,Ahmed E. Hassan

DOI: https://doi.org/10.1109/ase51524.2021.9678720

2021-01-01

Abstract:Following the coordinated vulnerability disclosure model, a vulnerability in open source software (OSS) is sug-gested to be fixed "silently", without disclosing the fix until the vulnerability is disclosed. Yet, it is crucial for OSS users to be aware of vulnerability fixes as early as possible, as once a vulnerability fix is pushed to the source code repository, a malicious party could probe for the corresponding vulnerability to exploit it. In practice, OSS users often rely on the vulnerability disclosure information from security advisories (e.g., National Vulnerability Database) to sense vulnerability fixes. However, the time between the availability of a vulnerability fix and its disclosure can vary from days to months, and in some cases, even years. Due to manpower constraints and the lack of expert knowledge, it is infeasible for OSS users to manually analyze all code changes for vulnerability fix detection. Therefore, it is essential to identify vulnerability fixes automatically and promptly. In a first-of-its-kind study, we propose VulFixMiner, a Transformer-based approach, capable of automatically extracting semantic meaning from commit-level code changes to identify silent vulnerability fixes. We construct our model using sampled commits from 204 projects, and evaluate using the full set of commits from 52 additional projects. The evaluation results show that VulFixMiner outperforms various state-of-the-art baselines in terms of AUC (i.e., 0.81 and 0.73 on Java and Python dataset, respectively) and two effort-aware performance metrics (i.e., EffortCost, Popt). Especially, with an effort of inspecting 5% of total LOC, VulFixMiner can identify 49% of total vulnerability fixes. Additionally, with manual verification of sampled commits that were identified as vulnerability fixes, but not marked as such in our dataset, we observe that 35% (29 out of 82) of the commits are for fixing vulnerabilities, indicating VulFixMiner is also capable of identifying unreported vulnerability fixes.

Calvin Deutschbein

DOI: https://doi.org/10.48550/arXiv.2108.09249

2021-08-20

Cryptography and Security

Abstract:Specification mining offers a solution by automating security specification for hardware. Specification miners use a form of machine learning to specify behaviors of a system by studying a system in execution. However, specification mining was first developed for use with software. Complex hardware designs offer unique challenges for this technique. Further, specification miners traditionally capture functional specifications without a notion of security, and may not use the specification logics necessary to describe some security requirements. This work demonstrates specification mining for hardware security. On CISC architectures such as x86, I demonstrate that a miner partitioning the design state space along control signals discovers a specification that includes manually defined properties and, if followed, would secure CPU designs against Memory Sinkhole and SYSRET privilege escalation. For temporal properties, I demonstrate that a miner using security specific linear temporal logic (LTL) templates for specification detection may find properties that, if followed, would secure designs against historical documented security vulnerabilities and against potential future attacks targeting system initialization. For information--flow hyperproperties, I demonstrate that a miner may use Information Flow Tracking (IFT) to develop output properties containing designer specified information--flow security properties as well as properties that demonstrate a design does not contain certain Common Weakness Enumerations (CWEs).

Pan Bian,Bin Liang,Yan Zhang,Chaoqun Yang,Wenchang Shi,Yan Cai

DOI: https://doi.org/10.1109/tse.2018.2816639

IF: 7.4

2019-01-01

IEEE Transactions on Software Engineering

Abstract:Code mining has been proven to be a promising approach to inferring implicit programming rules for finding software bugs. However, existing methods may report large numbers of false positives and false negatives. In this paper, we propose a novel approach called EAntMiner to improve the effectiveness of code mining. EAntMiner elaborately reduces noises from statements irrelevant to interesting rules and different implementation forms of the same logic. During preprocessing, we employ program slicing to decompose the original source repository into independent sub-repositories. In each sub-repository, statements irrelevant to critical operations (automatically extracted from source code) are excluded and various semantics-equivalent implementations are normalized into a canonical form as far as possible. Moreover, to tackle the challenge that some bugs are difficult to be detected by mining frequent patterns as rules, we further developed a kNN-based method to identify them. We have implemented EAntMiner and evaluated it on four large-scale C systems. EAntMiner successfully detected 105 previously unknown bugs that have been confirmed by corresponding development communities. A set of comparative evaluations also demonstrate that EAntMiner can effectively improve the precision of code mining.

David Lo,Siau-Cheng Khoo,Chao Liu

DOI: https://doi.org/10.1002/smr.375

2008-01-01

Abstract:Software evolution incurs difficulties in program comprehensionand software verification, and hence it increases the cost ofsoftware maintenance. In this study, we propose a novel techniqueto mine from program execution traces a sound and complete set ofstatistically significant temporal rules of arbitrary lengths. Theextracted temporal rules reveal invariants that the programobserves, and will consequently guide developers to understand theprogram behaviors, and facilitate all downstream applications suchas verification and debugging. Different from previous studies thatwere restricted to mining two-event rules (e.g., (lock)→(unlock)), our algorithm discovers rules of arbitrarylengths. In order to facilitate downstream applications, werepresent the mined rules as temporal logic expressions, so thatexisting model checkers or other formal analysis toolkit canreadily consume our mining results. Performance studies onbenchmark data sets and a case study on an industrial system havebeen performed to show the scalability and utility of our approach.We performed case studies on JBoss application server and a buggyconcurrent versions system application, and the result clearlydemonstrates the usefulness of our technique in recoveringunderlying program designs and detecting bugs. Copyright ©2008 John Wiley & Sons, Ltd.This work was done while the author was with School ofComputing, National University of Singapore.

YU Xiu-Mei,LIANG Bin,CHEN Hong,XIE Su-Bin,WANG Mei-Lin

DOI: https://doi.org/10.3969/j.issn.1003-6059.2012.04.019

2012-01-01

Pattern Recognition and Artificial Intelligence

Abstract:A large number of widespread source systems make the security of source code of software increasingly important. Multi-variable access correlation rules are mined by the path-sensitive method and the defects caused by inconsistent access to correlated variables are detected automatically in the large-scale source code systems. Multi-variable access correlations can be mined via logical information of source code and sensitive path information, which avoids fault from the insensitive path method. The effective solutions to the uneven distribution of path weight and the path explosion problems are presented. The presented method is verified by Linux system, and the experimental result shows that it mines correct multi-variable access correlations.

Bo Wu,Mengjun Li,Bin Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/iweca.2014.6845694

2014-01-01

Abstract:Despite more than two decades of independent, academic, and industry-related research, software vulnerabilities remain the main reason that undermine the security of our systems. Taint analysis and symbolic execution are among the most promising approaches for vulnerability detection, but either one can't remit the problem separately. In this paper, we try to combine taint analysis and symbolic execution for binary vulnerability mining and proposed a method named directed symbolic execution. Our three-step approach firstly adopts dynamic taint analysis technology to identify the safety-related data, and then uses symbolic execution system to execute the binary software while marks those safety-related data as symbols, and finally discovers vulnerabilities with our check-model. The evaluation shows that our method can be used to detect vulnerabilities in binary software more efficiently.

Zihan Yu,Jintao Xue,Xin Sun,Wen Wang,Yubo Song,Liquan Chen,Zhongyuan Qin

DOI: https://doi.org/10.1109/cis58238.2022.00087

2022-01-01

Abstract:The increasing number of software vulnerabilities pose serious security attacks and lead to system compromise, information leakage or denial of service. It is a challenge to further improve the vulnerability detection technique. Nowadays most applications are implemented using C/C++. In this paper we focus on the detection of overflow vulnerabilities in C/C++ source code. A novel scheme named VulMiningBGS (Vulnerability Mining Based on Graph Similarity) is proposed. We convert the source code into Top N-Weighted Range Sum Feature Graph (TN-WRSFG), and graph similarity comparisons based on source code level can be effectively carried on to detect possible vulnerabilities. Three categories of vulnerabilities in the Juliet test suite are used, i.e., CWE121, CWE122 and CWE190, with four indicators for performance evaluation (precision, recall, accuracy and F1_score). Experimental results show that our scheme outperforms the traditional methods, and is effective in the overflow vulnerability detection for C/C++ source code.

Fei Zuo,Junghwan Rhee

DOI: https://doi.org/10.1007/s10207-023-00795-8

2024-01-07

International Journal of Information Security

Abstract:In recent years, there has been a remarkable surge in the adoption of open-source software (OSS). However, with the growing usage of OSS components in both free and proprietary software, vulnerabilities that are present within them can be spread to a vast array of underlying applications. Even worse, a myriad of vulnerabilities are fixed secretly via patch commits, which causes other software re-using the vulnerable code snippets to be left in the dark. Thus, source code patch commit mining toward vulnerability discovery is receiving immense attention, and a variety of approaches are proposed. Despite that, there is no comprehensive survey summarizing and discussing the current progress within this field. To fill this gap, we survey, evaluate, and systematize a list of literature and provide the community with our insights on both successes and remaining issues in this space. Special attention is paid on the work toward vulnerability discovery. In this paper, we also provide an introductory panorama with our replicable hands-on experience, which can help readers quickly understand and step into the pertinent field. Our empirical study reveals noteworthy challenges which need to be highlighted and addressed in this field. We also discuss potential directions for the future work. To the best of knowledge, we provide the first literature review to study source code patch commit mining in the vulnerability discovery context. The systematic framework, hands-on practices, and list of potential challenges provide new knowledge for mining source code patch commit toward a more robust software eco-system. The research gaps found in this literature review show the need for future research, such as the concern on data quality, high false alarms, and the significance of textual information.

computer science, information systems, theory & methods, software engineering

Huqiu Liu,Yuping Wang,Lingbo Jiang,Shimin Hu

DOI: https://doi.org/10.1016/j.jss.2016.02.007

IF: 3.5

2016-01-01

Journal of Systems and Software

Abstract:Drivers are significant components of the operating systems(OSs), and they run in kernel mode. Generally, drivers have many errors to handle, and the functions called in the normal execution paths and error handling paths are in pairs, which are named as paired functions. However, some developers do not handle the errors completely as they forget about or are unaware of releasing the acquired resources, thus memory leaks and other potential problems can be easily introduced. Therefore, it is highly valuable to automatically extract paired functions for these problems and detect violations for the programmers. This paper proposes an efficient tool named PF-Miner, which can automatically extract paired functions and detect violations between normal execution paths and error handling paths from the source code of C program with the data mining and statistical methods. We have evaluated PF-Miner on different versions of Android kernel 2.6.39 and 3.10.0, and 81 bugs reported by PF-Miner in 2.6.39 have been fixed before the latest version 3.10.0. PF-Miner only needs about 150 seconds to analyze the source code of 3.10.0, and 983 violations have been detected from 546 paired functions that have been extracted. We have reported the top 51 violations as potential bugs to the developers, and 15 bugs have been confirmed.

Van Nguyen,Surya Nepal,Tingmin Wu,Xingliang Yuan,Carsten Rudolph

2024-09-02

Abstract:Software vulnerabilities (SVs) have emerged as a prevalent and critical concern for safety-critical security systems. This has spurred significant advancements in utilizing AI-based methods, including machine learning and deep learning, for software vulnerability detection (SVD). While AI-based methods have shown promising performance in SVD, their effectiveness on real-world, complex, and diverse source code datasets remains limited in practice. To tackle this challenge, in this paper, we propose a novel framework that enhances the capability of large language models to learn and utilize semantic and syntactic relationships from source code data for SVD. As a result, our approach can enable the acquisition of fundamental knowledge from source code data while adeptly utilizing crucial relationships, i.e., semantic and syntactic associations, to effectively address the software vulnerability detection (SVD) problem. The rigorous and extensive experimental results on three real-world challenging datasets (i.e., ReVeal, D2A, and Devign) demonstrate the superiority of our approach over the effective and state-of-the-art baselines. In summary, on average, our SAFE approach achieves higher performances from 4.79% to 9.15% for F1-measure and from 16.93% to 21.70% for Recall compared to the baselines across all datasets used.

Software Engineering

Suresh Thummalapenta,Tao Xie

DOI: https://doi.org/10.1109/icse.2009.5070548

2009-01-01

Abstract:Programming languages such as Java and C++ provide exception-handling constructs to handle exception conditions. Applications are expected to handle these exception conditions and take necessary recovery actions such as releasing opened database connections. However, exception-handling rules that describe these necessary recovery actions are often not available in practice. To address this issue, we develop a novel approach that mines exception-handling rules as sequence association rules of the form “(FC1c1…FCcn) ∧ FCa ⇒ (FCe1…FCem)”. This rule describes that function call FCa should be followed by a sequence of function calls (FCe1…FCem) when FCa is preceded by a sequence of function calls (FCe1…FCcn). Such form of rules is required to characterize common exception-handling rules. We show the usefulness of these mined rules by applying them on five real-world applications (including 285 KLOC) to detect violations in our evaluation. Our empirical results show that our approach mines 294 real exception-handling rules in these five applications and also detects 160 defects, where 87 defects are new defects that are not found by a previous related approach.

Zhi Liu,Xiaosong Zhang,Yue Wu,Ting Chen

DOI: https://doi.org/10.1108/03321641311296873

2013-01-01

Abstract:PurposeThe purpose of this paper is to propose an approach to detect Indirect Memory‐Corruption Exploit (IMCE) at runtime on binary code, which is often caused by integer conversion error. Real‐world attacks were evaluated for experimentation.Design/methodology/approachCurrent dynamic analysis detects attacks by enforcing low level policy which can only detect control‐flow hijacking attack. The proposed approach detects IMCE with high level policy enforcement using dynamic taint analysis. Unlike low‐level policy enforced on instruction level, the authors' policy is imposed on memory operation routine. The authors implemented a fine‐grained taint analysis system with accurate taint propagation for detection.FindingsConversion errors are common and most of them are legitimate. Taint analysis with high‐level policy can accurately block IMCE but have false positives. Proper design of data structures to maintain taint tag can greatly improve overhead.Originality/valueThis paper proposes an approach to block IMCE with high‐level policy enforcement using taint analysis. It has very low false negatives, though still causes certain false positives. The authors made several implementation contributions to strengthen accuracy and performance.

Suresh Thummalapenta,Tao Xie

2008-01-01

Abstract:Neglected conditions, also referred as missing paths, are known to be an important class of software defects. Revealing neglected conditions around individual API calls in an application requires the knowledge of programming rules that must be obeyed while reusing those APIs. To mine those implicit programming rules and hence to detect neglected conditions, we develop a novel framework, called NEGWeb, that substantially expands mining scope to billions of lines of open source code available on the web by leveraging a code search engine. We evaluated NEGWeb to detect violations of mined rules in local code bases or open source code bases. In our evaluation, we show that NEGWeb finds three real defects in Java code reported in the literature and also finds three previously unknown defects in a large-scale open source project called Columba (91, 508 lines of Java code) that reuses 541 classes and 2225 methods. We also report a high percentage of real rules among the top 25 reported patterns mined for APIs provided by five popular open source applications.