Inferring Patterns for Taint-Style Vulnerabilities With Security Patches

Taint-style vulnerabilities can seriously damage the services provided by mobile systems. Pattern-based detection is a practical way to find taint-style vulnerabilities. Most existing methods extract the vulnerability patterns from the code base; however, they sometimes miss patterns, leaving some vulnerabilities undiscovered. Security patches carry valuable information about the vulnerabilities they fix. To compensate for the inherent incompleteness of pattern matching, in this paper we propose an approach that infers patterns from the security information carried by security patches. A taint-style vulnerability is described here as a 3-tuple $(S_{src}, S_{san}, S_{sink})$ consisting of sources ($S_{src}$), sanitizations ($S_{san}$), and sinks ($S_{sink}$). For each pair of vulnerable and patched programs, we extract the sanitizations from the changes between the vulnerable code and the corresponding patch, infer the sinks with impact analysis, and determine the sources through backward traversal of the control flow graph. Finally, complete-linkage clustering is applied to the extracted triples to summarize the patterns. We evaluate our method on open source projects. The results show that our method is effective: 1) it infers vulnerability patterns for taint-style vulnerabilities; 2) compared with the method that infers patterns from the code base, it discovers new patterns; and 3) the inferred patterns are successfully applied to search for similar vulnerabilities.
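As an added toy illustration of the pipeline described in the abstract (not the paper's implementation), the following Python extracts a $(S_{src}, S_{san}, S_{sink})$ triple from each constructed (vulnerable, patched) pair and groups the triples with complete-linkage clustering. It assumes straight-line function bodies, so the backward walk over the control flow graph degenerates to a linear scan; the sanitizer abstraction, the distance function and the merge threshold are choices made here, not the paper's.

```python
import re
from typing import List, Tuple

Triple = Tuple[str, str, str]  # (source, sanitizer, sink)

# Constructed toy (vulnerable, patched) bodies of C-like functions; each patch adds a check.
PAIRS = [
    (["len = read_u32(pkt);", "memcpy(buf, pkt->data, len);"],
     ["len = read_u32(pkt);", "if (len > MAX_LEN) return -1;", "memcpy(buf, pkt->data, len);"]),
    (["n = read_u32(hdr);", "memcpy(out, hdr->body, n);"],
     ["n = read_u32(hdr);", "if (n > sizeof(out)) return;", "memcpy(out, hdr->body, n);"]),
    (["idx = atoi(argv[1]);", "tbl[idx] = 0;"],
     ["idx = atoi(argv[1]);", "if (idx >= TBL_SIZE) return;", "tbl[idx] = 0;"]),
]

CHECK = re.compile(r"^if\s*\((\w+)\s*([<>=!]+)\s*([^)]+)\)")   # added sanitizing check
ASSIGN = re.compile(r"^(\w+)\s*=\s*(\w+)\(")                    # var = callee(...)
CALL = re.compile(r"^(\w+)\(")                                  # callee(...)

def extract_triple(vuln: List[str], patched: List[str]) -> Triple:
    """Sanitizer from the patch diff, sink by impact of the checked variable, source by walking back."""
    added = [i for i, s in enumerate(patched) if s not in vuln]
    for i in added:
        m = CHECK.match(patched[i])
        if not m:
            continue
        var, op, bound = m.groups()
        san = f"{op} {'sizeof' if 'sizeof' in bound else 'CONST'}"  # abstract the concrete bound
        # Impact analysis (straight-line code assumed): first later use of var is the sink.
        sink = next((CALL.match(s).group(1) if CALL.match(s) else "array-index")
                    for s in patched[i + 1:] if re.search(rf"\b{var}\b", s))
        # Backward traversal (linear because the body has no branches): defining call is the source.
        src = next(a.group(2) for a in map(ASSIGN.match, reversed(patched[:i])) if a and a.group(1) == var)
        return (src, san, sink)
    raise ValueError("patch adds no sanitizing check")

def complete_linkage(triples: List[Triple], threshold: float) -> List[List[Triple]]:
    """Agglomerative clustering: merge two clusters only if *every* cross pair is within threshold."""
    dist = lambda a, b: sum(x != y for x, y in zip(a, b)) / 3  # fraction of differing components
    clusters = [[t] for t in triples]
    while True:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = max(dist(a, b) for a in clusters[i] for b in clusters[j])
                if d <= threshold and (best is None or d < best[0]):
                    best = (d, i, j)
        if best is None:
            return clusters
        _, i, j = best
        clusters[i] += clusters.pop(j)

def infer_patterns(pairs, threshold: float = 0.5) -> List[Triple]:
    """Summarize each cluster into one pattern by joining the distinct values per component."""
    triples = [extract_triple(v, p) for v, p in pairs]
    return [tuple("|".join(sorted({t[k] for t in c})) for k in range(3))
            for c in complete_linkage(triples, threshold)]
```

Running `infer_patterns(PAIRS)` merges the two `read_u32`-to-`memcpy` triples into one pattern despite their differing bounds, while the `atoi`-to-array-index triple stays a separate pattern.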
