Zhang Tao,Chen Xiarun,Chen Zhong

DOI: https://doi.org/10.1109/ICIPCA59209.2023.10257912

2023-01-01

Abstract:As the Internet environment becomes increasingly complex, network security gradually has more and more impact on people's real life. The research on static vulnerability detection is of great significance to the security of software systems. To solve the problems of imperfect technical support for basic analysis and high false alarm rate in the current mainstream static vulnerability detection methods, we design a vulnerability detection method based on taint value range propagation analysis, combining data flow analysis and abstract interpretation to achieve cross-functional variable value range analysis, and combining the identification and analysis of data security checks to achieve an automated vulnerability detection system prototype—RVDetecor, with good performance and detection, and applicable to real-world scenarios. In its analysis of the Linux kernel source code, RVDetecor verified 15 fixed issues.

Jian Lin,Liehui Jiang,Yisen Wang,Weiyu Dong

DOI: https://doi.org/10.1109/access.2019.2936139

IF: 3.9

2019-01-01

IEEE Access

Abstract:Value set analysis is a common static binary program analysis approach. Value set analysis attempts to identify a tight over-approximation of the program state at any given point in the program and can be used to detect vulnerability. Existing memory corruption detection analysis technologies based on value set analysis have a high false positive rate, because value set analysis suffers from a lack of accuracy. We observed that two main sources of imprecision in value set analysis are merge operation and failed branch conditions tracking. In order to address above problems, in this paper, we propose a value set analysis refinement approach based on conditional merging and lazy constraint solving. We propose a variable dependence analysis algorithm to divide program paths into subsets and only merge the states which satisfy the condition that the states are from the same subset, which reduces the imprecision from the merging operation. We collect path predicates as path constraint and solve the path constraint using Satisfiability Modulo Theories (SMT) solver lazily to get a tighter number range of the variable when a variable need be refined, which reduces the imprecision from the failed branch conditions tracking. We implement a prototype system RVSA based on the proposed approach and verify its effectiveness according to experimentation. Compared with state-of-the-art approach, the experimental results demonstrate that the false positive rate is reduced by 12.9%. Furthermore, using our proposed approach, 25 zero-day vulnerabilities are found in the Netgear httpd binary.

Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

Zhefei Zhang,Qinghua Zheng,Xiaohong Guan,Qing Wang,Tuo Wang

DOI: https://doi.org/10.1007/s11460-008-0047-x

2008-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:SQL injection poses a major threat to the application level security of the database and there is no systematic solution to these attacks. Different from traditional run time security strategies such as IDS and firewall, this paper focuses on the solution at the outset; it presents a method to find vulnerabilities by analyzing the source codes. The concept of validated tree is developed to track variables referenced by database operations in scripts. By checking whether these variables are influenced by outside inputs, the database operations are proved to be secure or not. This method has advantages of high accuracy and efficiency as well as low costs, and it is universal to any type of web application platforms. It is implemented by the software code vulnerabilities of SQL injection detector (CVSID). The validity and efficiency are demonstrated with an example.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Liu Xin,Cai Wandong

DOI: https://doi.org/10.1109/iccsn.2011.6013559

2011-01-01

Abstract:In this article we address program errors, and through the static code analysis. First, we use inter-procedural based on analysis and blunt insensitive vulnerability testing model, — extracted from the source code. Second, we use of model checking to solve the model. In addition, we do alias analysis method is correct and accuracy testing model. This paper proposed concepts are aimed at those general class buffer of those loopholes and can be applied to the detection of buffer overrun vulnerabilities types such as format string of attacks, and the test code injection. In order to evaluate the effectiveness of CodeAuditor, use the tool to detect the loophole few C affinity grams. We take six open source applications as a test. Experimental results show that, 18 previously unknown vulnerabilities in six open source applications have found our tools. The observation is false positives in about 23%.

Chao CHANG,Ke-sheng LIU,Long-dan TAN,Wen-chao JIA

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.05.022

2017-01-01

Abstract:A dataflow analysis method based on graph model for C program was proposed to solve the problem of high false positive rate.A multi-dimensional property graph that includes abstract syntax tree,control flow graph,program dependence graph and function call graph was constrcheted.From the security sensitive program point (sink),the related external controllable input point (source) could be traced.The tainted-style vulnerabilities could be detected through intra-procedural and inter-procedural define analysis.Results show that the false positive rate of data flow analysis was effectively reduced relying on the complete code property guidance and interval operation support,The method can reduce the workload of manual code audit.

TANG He-ping,HUANG Shu-guang,ZHANG Liang

2010-01-01

Abstract:Software vulnerabilities have become an omnipresent and dangerous threat to network security.Vulnerability Exploits Detection is proposed to take active defense measures to monitor system state and cut exploit data sources off or terminate program execution before exploitation.Taint analysis for vulnerability exploits detection is composed of taint propagation link,taint propagation,taint analysis and taint track.A Vulnerability exploits detection prototype system was implemented by emulator and many optimization mechanisms.In contrast to the experiment result of other taint analysis systems,our prototype system has higher accuracy and vulnerability exploits coverage.

JiaYu Li,Ye Yao,Yian Zhu,Mutitaba,Yongkai Zhang,Hang Li

DOI: https://doi.org/10.1109/icnisc60562.2023.00011

2023-01-01

Abstract:The paper presented and implemented a C-Scanner source code vulnerability detection tool, which can solve the buffer overflow problem. The main idea was to rewrite the source code of a C or C++, so that the resulting code contained the safe version of the old vulnerable functions, which may contain a buffer overflow security problem. If rewriting was not possible, due to some reasons, a warning was issued along with a hint to solve the problem if it was possible. C-Scanner in this paper took the C or C++ source code as input, and then it did a parsing process. Every time it encountered a vulnerable function call, it classified this function call. If this function call was belonging to a category of its interest, then it would rewrite this vulnerable function by a safe version, which prevented the buffer overflow vulnerability.

Bhargava Shastry,Fabian Yamaguchi,Konrad Rieck,Jean-Pierre Seifert

DOI: https://doi.org/10.48550/arXiv.1508.04627

2016-04-07

Abstract:Eliminating vulnerabilities from low-level code is vital for securing software. Static analysis is a promising approach for discovering vulnerabilities since it can provide developers early feedback on the code they write. But, it presents multiple challenges not the least of which is understanding what makes a bug exploitable and conveying this information to the developer. In this paper, we present the design and implementation of a practical vulnerability assessment framework, called Melange. Melange performs data and control flow analysis to diagnose potential security bugs, and outputs well-formatted bug reports that help developers understand and fix security bugs. Based on the intuition that real-world vulnerabilities manifest themselves across multiple parts of a program, Melange performs both local and global analyses. To scale up to large programs, global analysis is demand-driven. Our prototype detects multiple vulnerability classes in C and C++ code including type confusion, and garbage memory reads. We have evaluated Melange extensively. Our case studies show that Melange scales up to large codebases such as Chromium, is easy-to-use, and most importantly, capable of discovering vulnerabilities in real-world code. Our findings indicate that static analysis is a viable reinforcement to the software testing tool set.

Cryptography and Security,Programming Languages

M Ogawa,ZJ Hu,I Sasano

DOI: https://doi.org/10.1145/944746.944716

2003-01-01

Abstract:Program analysis is the heart of modern compilers. Most control flow analyses are reduced to the problem of finding a fixed point in a certain transition system, and such fixed point is commonly computed through an iterative procedure that repeats tracing until convergence.This paper proposes a new method to analyze programs through recursive graph traversals instead of iterative procedures, based on the fact that most programs (without spaghetti GOTO) have well-structured control flow graphs, graphs with bounded tree width. Our main techniques are; an algebraic construction of a control flow graph, called SP Term, which enables control flow analysis to be defined in a natural recursive form, and the Optimization Theorem, which enables us to compute optimal solution by dynamic programming.We illustrate our method with two examples; dead code detection and register allocation. Different from the traditional standard iterative solution, our dead code detection is described as a simple combination of bottom-up and top-down traversals on SP Term. Register allocation is more interesting, as it further requires optimality of the result. We show how the Optimization Theorem on SP Terms works to find an optimal register allocation as a certain dynamic programming.

Wei-Jun SHEN,En-Yi TANG,Zhen-Yu CHEN,Xin CHEN,Bin LI,Juan ZHAI

DOI: https://doi.org/10.13328/j.cnki.jos.005503

2018-01-01

Abstract:Vulnerability detection is an important way of improving the security of software.However,the development of the Internet makes it possible for hackers to attack software systems with new techniques.This paper focuses on a new kind of vulnerability that relates to numerical stability.It poses new threat to software security as hackers are able to bypass security protection by the new kind of vulnerability,and numerical analysis is difficult to detect such a vulnerability.In the paper,the vulnerability related to numerical stability is defined from the perspective of software behavior variation caused by numerical errors,and an automatic detection approach is proposed.The approach combines the static analysis and symbolic execution,and detects the vulnerability by three steps:symbolic extraction,static attack analysis,and dynamic attack verification with high precision values.This new approach is evaluated on a few famous open source projects.The results show that the proposed approach effectively detects the vulnerabilities related to numerical stability hidden in the real-world projects.

Ming Wen,Zifan Xie,Kaixuan Luo,Xiao Chen,Yibiao Yang,Hai Jin

DOI: https://doi.org/10.1109/TSE.2022.3209590

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:It is a widely-adopted strategy for developers to monitor the values of program variables when debugging in practice. In particular, developers often set breakpoints at specific locations or execute the program step by step in the debugging mode to inspect if abnormal values or status will be observed for concerned variables. Such a practical debugging strategy can facilitate developers in understanding and localizing the target fault. This study aims to identify suspicious program variables of a given fault (i.e., denoted as fault-correlated variables) automatically, thus facilitating the debugging activities for developers. To the best of our knowledge, this is the finest granularity in fault localization (FL) so far, which can address the limitations of being coarse-grained as faced by existing FL techniques. However, isolating fault-correlated variables precisely is challenging since there are usually substantially different variables used or defined in a program, and plenty of them are in the same basic block which cannot be well discriminated from each other since they will be either executed or not against the given test suite. To address such challenges, this study presents IsoVar, a two-phase model to isolate fault-correlated variables. Specifically, IsoVar first performs statistical analysis based on variable execution matrices, which is a novel concept proposed in this study, to identify a set of suspicious variables. It then observes the impacts of those variables on the program dynamically after applying subtle mutations at the bytecode level, to further isolate fault-correlated variables. Extensive experiments on Defects4J and Bears demonstrate that IsoVar can outperform state-of-the-art techniques significantly (13.0% for MAP and 19.3% for MRR). More importantly, we incorporated IsoVar into 11 existing FL techniques as well as 14 automated program repair techniques, and found that IsoVar can significantly boost their performance.

HOU Su-ning,CHEN Li-qian,WANG Zhao-fei,WANG Ji

DOI: https://doi.org/10.3969/j.issn.1007-130x.2011.03.018

2011-01-01

Abstract:The validation of program correctness is a challenge problem in computer science.The theory of abstract interpretation provides a general framework for static analysis which can deduce programs' dynamic property automatically.A value range analysis based on abstract interpretation can give the invariant relationship of variables at every program point,which is very important to compilation optimization and error examination.We propose an interprocedural framework that analyses the value range information of numerical programs,which can process C and Fortran programs.The C or Fortran source program is first preprocessed to an uniform representation,and then we draw the semantic equation which is equivalent to the source semantics.Finally,the iterative computation is done on this syntax equation to get the program invariant.Besides,we model some complex syntax structures such as array.The experiment indicates that our framework is very extensive and precise,and can process most problems brought by the usage of array.

Xiang Du,Liangze Yin,Haining Feng,Wei Dong

DOI: https://doi.org/10.1109/apsec53868.2021.00033

2021-01-01

Abstract:Due to the non-deterministic occurring of interrupt service routines, vulnerabilities of interrupt-driven programs, such as data race and atomicity violation, are usually hard to discover. Static analysis is an effective method for vulnerability analysis of interrupt-driven programs. However, existing techniques usually produce a large number of false alarms, which limits the application of static analysis in practice. To achieve high precision in vulnerability analysis of interrupt-driven programs, this paper proposes a program verification enhanced precise analysis method. For each potential vulnerability detected by static analysis, we propose a vulnerability validation approach which employs program verification to further automatically verify its feasibility. We have implemented a prototype of our method on top of CBMC. Experimental results on both an academic benchmark and 24 real-world programs show that our method can successfully identify true vulnerabilities and achieve a high precise analysis.

Rulin Xu,Xiaoguang Mao,Wei Xiao

DOI: https://doi.org/10.1109/CSECS60003.2023.10428132

2023-01-01

Abstract:C language programs are often subject to memory vulnerabilities, posing substantial security risks to software systems. Conventional detection techniques, rooted in static value-flow analysis, necessitate exhaustive searches across the entirety of value-flow graphs. This approach results in inefficient analyses of large-scale codes and presents difficulties in parallelization due to interdependent steps. In this study, we propose an innovative approach based on parallel graph summarization. This technique effectively transforms the computational bottleneck into a task that can be expedited in a parallel manner, leveraging multicore computation to significantly enhance the performance and scalability of vulnerability detection within <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$C$</tex> programs. We segment the value-flow graph of the program into multiple subgraphs, extracting summaries of three pivotal types of information from each subgraph: path summaries, guard summaries, and behaviour summaries. These summaries significantly stream-line subsequent vulnerability detection analyses. Moreover, we implement a task-level parallel technique to accelerate the graph summary process in a multicore environment. Notably, empirical results reveal that our method, while ensuring accuracy, achieves 2.7X-6.1X speedup compared to serial algorithms. When assessed against prevalent open-source detection tools, our approach demonstrates superior trade-offs between accuracy and efficiency. In conclusion, this research presents an efficient and effective strategy for vulnerability detection in larze-scale <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$C$</tex> programs.

Zhi Liu,Xiaosong Zhang,Xiongda Li

DOI: https://doi.org/10.1109/mines.2010.108

2010-01-01

Abstract:Software vulnerability is the major root of security issues which results in serious attacks such as DDOS and worms. How to find vulnerability especially on binaries has been an alluring but challenging topic. Traditional black-box fuzzing heavily relies on input format so that it cannot work on unknown formats, more severely, it cannot generate effective test cases because it randomly change input values. Therefore, fuzzing is rarely effective in real-world circumstances. Information flow tracking, namely taint analysis, has been used in recent years in attack detection and malware analysis but no prior work has used this technique to actively find software vulnerability on binaries. In this paper, we propose a novel approach to find software vulnerability via dynamic tainting consisting of three steps. First execute target program with a seed input being independent of input format. Then identify relevant bytes by back tracking from vulnerability points, defined as dangerous library or system calls, to the original input. Finally generate new test cases by mutating relevant bytes while irrelevant parts remain unchanged. It guarantees that new inputs are able to divert execution flow to vulnerability points. We implemented the system in Windows and evaluated two real-world vulnerabilities. Compared with black-box fuzzing, experiment results show our approach can generate effective test inputs to expose vulnerabilities in short time, which also incurs low overhead.

Cheng Peng,Guihua Duan,Xiangxin Wang,Pingping Dong,Kehua Guo

2013-01-01

Abstract:Based on the fact that Flash has many serious security problems through widely used in the Internet, a detection method for Flash vulnerability based on virtual execution and branch coverage was proposed. Firstly, Flash file was decompiled and scanned to get the ActionScript code. Secondly, the class structure was analyzed and multiple virtual execution processes were generated according to the analysis. Finally it was determined whether the Flash file contained vulnerabilities after each virtual execution process. The results indicate that the method has advantages of low false positives and high execution efficiency.

Pingyan Wang,Shaoying Liu

DOI: https://doi.org/10.1142/s0218194024500013

IF: 1.007

2024-02-23

International Journal of Software Engineering and Knowledge Engineering

Abstract:International Journal of Software Engineering and Knowledge Engineering, Ahead of Print. Pointer analysis is the underlying technique of many static analysis tools for vulnerability discovery. It has proved to be effective in identifying a variety of vulnerabilities, such as buffer overflow vulnerabilities and injection vulnerabilities. However, most existing pointer analysis approaches require whole-program availability, i.e. the program to be analyzed should be complete, which may hinder a timely analysis during the coding phase. In this paper, we present two approaches, exhaustive and demand-driven pointer analyses, both of which are applied to a paradigm known as Human–Machine Pair Programming. The ideas enable us to discover security flaws as early as in the coding phase. In this paper, we describe in detail how our approaches maintain flow sensitivity and propagate points-to and taint information in an incremental fashion. We conduct an evaluation of our approaches on SecuriBench Micro and show that the approaches can capture all the potential vulnerabilities in the test cases, though several false alarms are reported.

computer science, artificial intelligence,engineering, electrical & electronic, software engineering

孔德光,郑烇,帅建梅,陈超,葛瑶

2009-01-01

Abstract:Static analysis technology is a significant method to detect software vulnerabilities. To cope with the problem of untrusting data inputs leading to software vulnerabilities, presents a vulnerability detection method based on taint analysis. It tracks various kinds of input including program parameters and environment variables ,marks the type of input, after constructing the control flow graph, makes use of dataflow information, propagating the taint data to the vulnerability functions, to settle the problem of buffer overflow and format string. It utilizes the related information of control flow and dataflow during this process, thus improves the accuracy and decreases the false negatives. It is proved by experiment that this technology is an effective vulnerability analysis method.