Chi Li,Zuxing Gu,Min Zhou,Jiecheng Wu,Jiarui Zhang,Ming Gu

DOI: https://doi.org/10.1142/s0218194019400205

IF: 1.007

2019-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Libraries offer reusable functionality through Application Programming Interfaces (APIs) with usage constraints such as call conditions or orders. Constraint violations, i.e. API misuses, commonly lead to bugs and security issues. Although researchers have developed various API misuse detectors in the past few decades, recent studies show that API misuse is prevalent in real-world projects, especially for secure socket layer (SSL) certificate validation, which is completely broken in many security-critical applications and libraries. In this paper, we introduce SSLDoc to effectively detect API misuse bugs, specifically for SSL API libraries. The key insight behind SSLDoc is a constraint-directed static analysis technique powered by a domain-specific language (DSL) for specifying API usage constraints. Through studying real-world API misuse bugs, we propose ISpec DSL, which covers majority types of API usage constraints and enables simple but precise specification. Furthermore, we design and implement SSLDoc to automatically parse ISpec into checking targets and employ a static analysis engine to identify potential API misuses and prune false positives with rich semantics. We have instantiated SSLDoc for OpenSSL APIs and applied it to large-scale open-source programs. SSLDoc found 45 previously unknown security-sensitive bugs in OpenSSL implementation and applications in Ubuntu. Up to now, 35 have been confirmed by the corresponding development communities and 27 have been fixed in master branch.

Zuxing Gu,Jiecheng Wu,Chi Li,Min Zhou,Ming Gu

DOI: https://doi.org/10.18293/seke2019-006

2019-01-01

Abstract:Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols provide a reliable communication channel between applications over the Internet.Implementations of these protocols (e.g., OpenSSL and GnuTLS) publish wellformat documentation and examples online to guide the usage of SSL/TLS APIs.However, incorrect usages have caused many severe vulnerabilities (e.g., privilege escalation, denial of service, man-in-the-middle attack, etc.) in recent years.In this paper, we introduce SSLDoc to diagnose incorrect SSL API usages in real-world C programs automatically.The key insight behind SSLDoc is a constraint-directed static analysis technique powered by domain-specific usage patterns that we learn from real-world vulnerabilities and bug-fix-related patches.We have instantiated SSLDoc for OpenSSL APIs and applied it to large-scale opensource programs.SSLDoc found 45 previously unknown securitysensitive bugs in OpenSSL implementation and applications in Ubuntu.We created and submitted issues for all of them.Up to now, 35 have been confirmed by the corresponding development communities and 27 have been fixed in master branch.

Xin Xia,Lingfeng Bao,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icsme.2016.67

2016-01-01

Abstract:Due to the complexity of software systems, bugs are inevitable. Software debugging is tedious and time consuming. To help developers perform this crucial task, a number of spectra-based fault localization techniques have been proposed. In general, spectra-based fault localization helps developers to find the location of a bug given its symptoms (e.g., program failures). A previous study by Parnin and Orso however implies that several assumptions made by existing work on spectra-based fault localization do not hold in practice, which hinders the practical usage of these tools. Moreover, a recent study by Xie et al. claims that spectra-based fault localization can potentially "weaken programmers' abilities in fault detection".Unfortunately, these studies are performed either using only 2 bugs from small systems (Parnin and Orso's study) or synthetic bugs injected into toy programs (Xie et al.'s study), only involve students, and use dated spectra-based fault localization tools. Thus, the question whether spectra-based fault localization techniques can help professionals to improve their debugging efficiency in a reasonably large project is still insufficiently answered.In this paper, we perform a more realistic investigation of how professionals can use and benefit from spectra-based fault localization techniques. We perform a user study of spectra-based fault localization with a total of 16 real bugs from 4 reasonably large open-source projects, with 36 professionals, amounting to 80 recorded debugging hours. The 36 professionals are divided into 3 groups, i.e., those that use an accurate fault localization tool, use a mediocre fault localization tool, and do not use any fault localization tool. Our study finds that both the accurate and mediocre spectra-based fault localization tools can help professionals to save their debugging time, and the improvements are statistically significant and substantial. We also discuss implications of our findings to future directions of spectra-based fault localization.

Zhouyang Jia,Shanshan Li,Tingting Yu,Xiangke Liao,Ji Wang,Xiaodong Liu,Yunhuai Liu

DOI: https://doi.org/10.1109/ASE.2019.00029

2019-01-01

Abstract:Most software systems frequently encounter errors when interacting with their environments. When errors occur, error-handling code must execute flawlessly to facilitate system recovery. Implementing correct error handling is repetitive but non-trivial, and developers often inadvertently introduce bugs into error-handling code. Existing tools require correct error specifications to detect error-handling bugs. Manually generating error specifications is error-prone and tedious, while automatically mining error specifications is hard to achieve a satisfying accuracy. In this paper, we propose EH-Miner, a novel and practical tool that can automatically detect error-handling bugs without the need for error specifications. Given a function, EH-Miner mines its error-handling rules when the function is frequently checked by an equivalent condition, and handled by the same action. We applied EH-Miner to 117 applications across 15 software domains. EH-Miner mined error-handling rules with the precision of 91.1% and the recall of 46.9%. We reported 142 bugs to developers, and 106 bugs had been confirmed and fixed at the time of writing. We further applied EH-Miner to Linux kernel, and reported 68 bugs for kernel-4.17, of which 42 had been confirmed or fixed.

Justice Adeenze-Kangah,Yuting Chen

DOI: https://doi.org/10.1088/1742-6596/1176/2/022045

2019-01-01

Journal of Physics Conference Series

Abstract:The importance of secure communication over the Internet cannot be overstated because of the implications it has for ensuring privacy and safety for users. Much research has been done in this field of study, leading to the creation of the Secure Socket Layer (SSL) protocol and its successor—the Transport Layer Security (TLS) protocol. These protocols serve as a guide for implementing secure connections across the web and as such many libraries have been written to provide Application Programming Interface (API) for their implementation. However, many security risks have arisen due to improper usage of these libraries mainly due to the wrong sequence of API calls. It is also worth noting that the sequence of API calls might differ in certain situations, therefore adding to the level of complexity and increasing the chances of wrongful usage. In this paper, we present a method to detect proper API usage by defining them as usage patterns and testing them against proper implementation models.

Chi Li,Min Zhou,Zuxing Gu,Ming Gu,Hongyu Zhang

DOI: https://doi.org/10.1109/ASE.2019.00130

2019-01-01

Abstract:ABSTRACTMisuse of APIs happens frequently due to misunderstanding of API semantics and lack of documentation. An important category of API-related defects is the error handling defects, which may result in security and reliability flaws. These defects can be detected with the help of static program analysis, provided that error specifications are known. The error specification of an API function indicates how the function can fail. Writing error specifications manually is time-consuming and tedious. Therefore, automatic inferring the error specification from API usage code is preferred. In this paper, we present Ares, a tool for automatic inferring error specifications for C code through static analysis. We employ multiple heuristics to identify error handling blocks and infer error specifications by analyzing the corresponding condition logic. Ares is evaluated on 19 real world projects, and the results reveal that Ares outperforms the state-of-the-art tool APEX by 37% in precision. Ares can also identify more error specifications than APEX. Moreover, the specifications inferred from Ares help find dozens of API-related bugs in well-known projects such as OpenSSL, among them 10 bugs are confirmed by developers.

Zuxing Gu,Min Zhou,Jiecheng Wu,Yu Jiang,Jiaxiang Liu,Ming Gu

DOI: https://doi.org/10.1109/tase.2019.00006

2019-01-01

Abstract:Application Programming Interfaces (APIs) usually have usage constraints, such as call conditions or call orders. Incorrect usage of these constraints, called API misuse, will result in system crashes, bugs, and even security problems. It is crucial to detect such misuses early in the development process. Though many approaches have been proposed over the last years, recent studies show that API misuses are still prevalent, especially the ones specific to individual projects. In this paper, we strive to improve current API-misuse detection capability for large-scale C programs. First, We propose IMSpec, a lightweight domain-specific language enabling developers to specify API usage constraints in three different aspects (i.e., parameter validation, error handling, and causal calling), which are the majority of API-misuse bugs. Then, we have tailored a constraint guided static analysis engine to automatically parse IMSpec rules and detect API-misuse bugs with rich semantics. We evaluate our approach on widely used benchmarks and real-world projects. The results show that our easily extensible approach performs better than state-of-the-art tools. We also discover 19 previously unknown bugs in real-world open-source projects, all of which have been confirmed by the corresponding developers.

Boyuan He,Vaibhav Rastogi,Yinzhi Cao,Yan Chen,V. N. Venkatakrishnan,Chunlin Xiong,Runqing Yang,Zhenrui Zhang

2016-01-01

Abstract:Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions – Ubuntu. We find 29 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.

Zuxing Gu,Jiecheng Wu,Jiaxiang Liu,Min Zhou,Ming Gu

DOI: https://doi.org/10.1109/compsac.2019.00012

2019-01-01

Abstract:Today, large and complex software is developed with integrated components using application programming interfaces (APIs). Correct usage of APIs in practice presents a challenge due to implicit constraints, such as call conditions or call orders. API misuse, i.e., violation of these constraints, is a well-known source of bugs, some of which can cause serious security vulnerabilities. Although researchers have developed many API-misuse detectors over the last two decades, recent studies show that API misuses are still prevalent. In this paper, we provide a comprehensive empirical study on API-misuse bugs in open-source C programs. To understand the nature of API misuses in practice, we analyze 830 API-misuse bugs from six popular programs across different domains. For all the studied bugs, we summarize their root causes, fix patterns and usage statistics. Furthermore, to understand the capabilities and limitations of state-of-the-art static analysis detectors for API-misuse detection, we develop APIMU4C, a dataset of API-misuse bugs in C code based on our empirical study results, and evaluate three widely-used detectors on it qualitatively and quantitatively. We share all the findings and present possible directions towards more powerful API-misuse detectors.

Hailong Liu,Zhanhuai Li,Cheqing Jin,Qun Chen

DOI: https://doi.org/10.1109/bigcomp.2016.7425923

2016-01-01

Abstract:It is critical to detect and correct information errors effectively to achieve higher data quality in many applications. Most existing techniques only use the intrinsic information to detect and correct a database, provided that data is adequate and well-structured. These techniques will not work properly if there is no sufficient data available. Integrating the information from external sources, like the World Wide Web (WWW), can help us overcome the shortcomings of existing techniques to a great extent. In this paper, we introduce our on-going work that is capable of detecting and correcting data errors in a database by integrating external information from the WWW. The goal of our research is to pursuit another effective way to enhance information quality.

Kaizheng Liu,Ming Yang,Zhen Ling,Yuan Zhang,Chongqing Lei,Lan Luo,Xinwen Fu

DOI: https://doi.org/10.1109/infocom52122.2024.10621138

2024-01-01

Abstract:IoT devices are increasingly adopting Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols. However, the misuse of SSL/TLS libraries still threatens the communication. Existing tools for detecting SSL/TLS API misuses primarily rely on source code analysis while IoT applications are usually released as binaries with no source code. This paper presents Samba, a novel tool to automatically detect SSL/TLS API misuses in IoT binaries through static analysis. To overcome the path explosion problem and deal with various SSL/TLS implementations, we introduce a three-level reduction method to construct the SSL/TLS API-centric graph (SAG), which has a much smaller size compared with the conventional inter-procedural control flow graph. We propose a formal expression of API misuse signatures, which is capable of capturing different types of misuse, particularly those in the SSL/TLS connection establishment process. We successfully analyze 115 IoT binaries and find that 94 of them have the vulnerability of insecure certificate verification and 112 support deprecated SSL/TLS protocols. Samba is the first IoT binary analysis system for detecting SSL/TLS API misuses.

Tie Du,Long Zheng,Shaopeng Chen,Hai Jin

DOI: https://doi.org/10.1109/icpads.2016.0061

2016-01-01

Abstract:Program security bugs pose a great threat to users' privacy and security. A great deal of effort, e.g., runtime defense, dynamic detection, and static detection, has been conducted to attempt to be aware of the existence of security bugs. Most of the prior work focuses on detecting the security bugs. They report a mixed set of security bugs, regardless of whether the elements in the set are useful to the developers for the debugging. In this paper, we are instead devoted to automatically classifying the security bugs for the purpose of the productivity to the developers. Our insight is that the existing common security bugs can be featured by a simple rule that can be further simplified into a mathematical assertion problem. Based on this insight, we propose a Compile Time Error Segregator (CTES), which can automatically classify the security bugs into three categories, including deterministic bugs, internal indeterministic bugs, and external indeterministic bugs. The core idea of achieving the above includes three steps: 1) building a rule library according to the feature of each type of security bugs (e.g., buffer overflow, null-pointer dereference, and divide-by-zero), 2) obtaining the requisite information appearing in the rule, 3) verifying if the rule is established. If so, a deterministic bug is found, otherwise, a novel inverse taint analysis is further performed to distinguish the remaining two categories. We implement CTES on top of LLVM (3.5.0), running in parallel with normal compile procedure. Our experimental results on micro-benchmark and 14 real programs demonstrate the efficiency of CTES, and also show that CTES is able to precisely make the reported security bugs well-classified into three-categories.

David Lazar,Haogang Chen,Xi Wang,Nickolai Zeldovich

DOI: https://doi.org/10.1145/2637166.2637237

2014-06-25

Abstract:Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.

Computer Science

D. Yao,Y. Xiao,Y. Zhang,Na Meng,M. Kabir

DOI: https://doi.org/10.1109/TSE.2022.3150302

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:The Java platform provides various cryptographic APIs to facilitate secure coding. However, correctly using these APIs is challenging for developers who lack cybersecurity training. Prior work shows that many developers misused APIs and consequently introduced vulnerabilities into their software. To eliminate such vulnerabilities, people created tools to detect and/or fix cryptographic API misuses. However, it is still unknown (1) how current tools are designed to detect cryptographic API misuses, (2) how effectively the tools work to locate API misuses, and (3) how developers perceive the usefulness of tools’ outputs. For this paper, we conducted an empirical study to investigate the research questions mentioned above. Specifically, we first conducted a literature survey on existing tools and compared their approach design from different angles. Then we applied six of the tools to three popularly used benchmarks to measure tools’ effectiveness of API-misuse detection. Next, we applied the tools to 200 Apache projects and sent 57 vulnerability reports to developers for their feedback. Our study revealed interesting phenomena. For instance, none of the six tools was found universally better than the others; however, CogniCrypt, CogniGuard, and Xanitizer outperformed SonarQube. More developers rejected tools’ reports than those who accepted reports (30 versus 9) due to their concerns on tools’ capabilities, the correctness of suggested fixes, and the exploitability of reported issues. This study reveals a significant gap between the state-of-the-art tools and developers’ expectations; it sheds light on future research in vulnerability detection.

Computer Science

Hai-Long LIU,Zhan-Huai LI,Qun CHEN,Zhao-Qiang CHEN

DOI: https://doi.org/10.11897/SP.J.1016.2017.02286

2017-01-01

Abstract:Information quality has become an important issue in many application areas.Automatically detecting and correcting information errors has proven to be an effective way to improve information quality in most information systems.Integrating information from the World Wide Web (WWW) can help us overcome the shortcomings of existing rule-based,externalinformation-based,human-based information error detection and correction techniques for relational databases to a great extent.The advantages of Web-based techniques include less dependence on the sufficiency of the database,more styles of constrains,wider applicability and more accurate repairs.In this review,we detail the advantages and challenges of Web-based information error detection and correction techniques.We propose a technological framework and believe it should include four components,including Web-based information expansion model,Web-based error detection algorithms,Web-based error correction algorithms and Web-based evaluation models for error detection and correction algorithms.Based on the framework,we comprehensively review current research works on the topics like Web-based error detection techniques,Web-based error correction techniques and Web-based information expansion techniques.We also refine out two key scientific problems which all Web-based information error detection and correction techniques must concern.Furthermore we prospect some future research topics and ideas.

Haoran Liu,Zhouyang Jia,Shanshan Li,Yan Lei,Yue Yu,Yu Jiang,Xiaoguang Mao,Xiangke Liao

DOI: https://doi.org/10.1145/3660787

2024-01-01

Abstract:Error-handling bugs are prevalent in software systems and can result in severe consequences. Existing works on error-handling bug detection can be categorized into template-based and learning-based approaches. The former requires much human effort and is difficult to accommodate the software evolution. The latter usually focuses on errors of API and assumes that error handling should be right after the handled error. Such an assumption, however, may affect both learning and detecting phases. The existing learning-based approaches can be regarded as API-oriented, which starts from an API and learns if the API requires error handling. In this paper, we propose EH-Digger, an ERROR-oriented approach, which starts from an error handling. Our approach can learn why the error occurs and when the error has to be handled. We conduct a comprehensive study on 2,322 error-handling code snippets from 22 widely used software systems across 8 software domains to reveal the limitation of existing approaches and guide the design of EH-Digger. We evaluated EH-Digger on the Linux Kernel and 11 open-source applications. It detected 53 new bugs confirmed by the developers and 71 historical bugs fixed in the latest versions. We also compared EH-Digger with three state-of-the-art approaches, 30.1% of bugs detected by EH-Digger cannot be detected by the existing approaches.

Hao Zhang,Ji Luo,Mengze Hu,Jun Yan,Jian Zhang,Zongyan Qiu

DOI: https://doi.org/10.1109/icse48619.2023.00098

2023-01-01

Abstract:Exception handling is a mechanism in modern programming languages. Studies have shown that the exception handling code is error-prone. However, there is still limited research on detecting exception handling bugs, especially for C++ programs. To tackle the issue, we try to precisely represent the exception control flow in C++ programs and propose an analysis method that makes use of the control flow to detect such bugs. More specifically, we first extend control flow graph by introducing the concepts of five different kinds of basic blocks, and then modify the classic symbolic execution framework by extending the program state to a quadruple and properly processing try, throw and catch statements. Based on the above techniques, we develop a static analysis tool on the top of Clang Static Analyzer to detect exception handling bugs. We run our tool on projects with high stars from GitHub and find 36 exception handling bugs in 8 projects, with a precision of 84%. We compare our tool with four state-of-the-art static analysis tools (Cppcheck, Clang Static Analyzer, Facebook Infer and IKOS) on projects from GitHub and handmade benchmarks. On the GitHub projects, other tools are not able to detect any exception handling bugs found by our tool. On the handmade benchmarks, our tool has a significant higher recall.

Boyuan He,Vaibhav Rastogi,Yinzhi Cao,Yan Chen,V. N. Venkatakrishnan,Runqing Yang,Zhenrui Zhang

DOI: https://doi.org/10.1109/SP.2015.38

2015-01-01

Abstract:Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions -- Ubuntu. We find 27 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.

Zuxing Gu,Jiecheng Wu,Chi Li,Min Zhou,Yu Jiang,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/icse-companion.2019.00046

2019-01-01

Abstract:Libraries offer reusable functionality through application programming interfaces (APIs) with usage constraints such as call conditions and orders. Constraint violations, i.e., API misuses, commonly lead to bugs and even security issues. In this paper, we introduce IMChecker, a constraint-directed static analysis toolkit to vet API usages in C programs powered by a domain-specific language (DSL) to specify the API usages. First, we propose a DSL, which covers most API usage constraint types and enables straightforward but precise specification by studying real-world API-misuse bug patches. Then, we design and implement a static analysis engine to automatically parse specifications into checking targets, identify potential API misuses and prune the false positives with rich semantics. We have instantiated IMChecker for C programs with user-friendly graphic interfaces and evaluated the widely used benchmarks and real-world projects. The results show that IMChecker outperforms 4.78-36.25% in precision and 40.25-55.21% w.r.t. state-of-the-arts toolkits. We also found 75 previously unknown bugs in Linux kernel, OpenSSL and applications of Ubuntu, 61 of which have been confirmed by the corresponding development communities. Video: https://youtu.be/YGDxeyOEVIM.

Qingyang Zhou,Qiushi Wu,Dinghao Liu,Shouling Ji,Kangjie Lu

DOI: https://doi.org/10.1145/3548606.3560661

2022-01-01

Abstract:Security bugs like memory errors are constantly introduced to software programs, and recent years have witnessed an increasing number of reported security bugs. Traditional detection approaches are mainly specification-based---detecting violations against a specified rule as security bugs. This often does not work well in practice because specifications are difficult to specify and generalize, leaving complicated and new types of bugs undetected. Recent research thus leans toward deviation-based detection which finds a substantial number of similar cases and detects deviating cases as potential bugs. This, however, suffers from two other problems. First, it requires enough similar cases to find deviations and thus cannot work for custom code that does not have similar cases. Second, code-similarity analysis is probabilistic and challenging, so the detection can be unreliable. Sometimes, similar cases can normally have deviating behaviors under different contexts. In this paper, we propose a novel approach for detecting security bugs based on a new concept called Non-Distinguishable Inconsistencies (NDI). The insight is that if two code paths in a function exhibit inconsistent security states (such as being freed or initialized) that are non-distinguishable from the external, such as the callers, there is no way to recover from the inconsistency from the external, which results in a bug. Such an approach has several strengths. First, it is specification-free and thus can support complicated and new types of bugs. Second, it does not require similar cases and by its nature is deterministic. Third, the analysis is practical by minimizing complicated and lengthy data-flow analysis. We implemented NDI and applied it to well-tested programs, including the OpenSSL library, the FreeBSD kernel, the Apache httpd server, and the PHP interpreter. The results show that NDI works for both large and small programs, and it effectively found 51 new bugs, most of which are otherwise missed by the state-of-the-art detection tools.