Confiance: detecting vulnerabilities in Java Card applets

This study addresses the automatic detection of incorrect implementations of a specification in Java Card programs, with no prior knowledge of either the source code or the specification itself. The proposed approach combines Natural Language Processing and machine learning. First, an oracle that groups methods with similar semantics is built; it is used to measure how well the approach performs neighborhood discovery. Anomaly detection then operates on the Control Flow Graphs of the programs within each automatically retrieved group of similar methods. To benchmark the approach's ability to detect vulnerabilities, an anomaly oracle is also created: it lists every anomaly the approach is expected to find. Both the neighborhood discovery and the anomaly detection steps are evaluated against these oracles. The approach is implemented in a tool, Confiance, which is compared with another machine-learning tool for automatic vulnerability detection. The results show that Confiance performs better at detecting vulnerabilities in open-source programs available online.
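The following is an added example, not code from the Confiance paper or tool: it sketches the two-step pipeline the abstract describes, neighborhood discovery followed by anomaly detection inside each neighborhood, in Python over a handful of constructed Java Card-style methods. The method names, bodies and thresholds are assumptions. TF-IDF cosine similarity over identifier tokens stands in for the paper's NLP model, and the canonicalised set of `if` guard conditions stands in for the Control Flow Graph comparison, so the example shows the shape of the approach rather than Confiance's actual features.

```python
import math
import re
from collections import Counter

# Constructed Java Card-style methods used as sample input (not code from Confiance or
# any real applet). Three of the four read* methods demand a validated PIN; readOwner does not.
METHODS = {
    "readBalance": """private void readBalance(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        if (apdu.setOutgoing() < 2) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.setShort(buf, (short) 0, balance);
        apdu.setOutgoingLength((short) 2);
        apdu.sendBytes((short) 0, (short) 2); }""",
    "readName": """private void readName(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        if (apdu.setOutgoing() < 16) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopyNonAtomic(name, (short) 0, buf, (short) 0, (short) 16);
        apdu.setOutgoingLength((short) 16);
        apdu.sendBytes((short) 0, (short) 16); }""",
    "readHistory": """private void readHistory(APDU apdu, byte[] buf) {
        if (!pin.isValidated()) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        if (apdu.setOutgoing() < 32) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopyNonAtomic(history, (short) 0, buf, (short) 0, (short) 32);
        apdu.setOutgoingLength((short) 32);
        apdu.sendBytes((short) 0, (short) 32); }""",
    "readOwner": """private void readOwner(APDU apdu, byte[] buf) {
        if (apdu.setOutgoing() < 8) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopyNonAtomic(owner, (short) 0, buf, (short) 0, (short) 8);
        apdu.setOutgoingLength((short) 8);
        apdu.sendBytes((short) 0, (short) 8); }""",
    "verifyPin": """private void verifyPin(APDU apdu, byte[] buf) {
        if (pin.getTriesRemaining() == 0) ISOException.throwIt(SW_PIN_BLOCKED);
        byte len = buf[ISO7816.OFFSET_LC];
        if (pin.check(buf, ISO7816.OFFSET_CDATA, len) == false) ISOException.throwIt(SW_VERIFICATION_FAILED); }""",
    "install": """public static void install(byte[] bArray, short bOffset, byte bLength) {
        new WalletApplet(bArray, bOffset, bLength).register(); }""",
}

WORD = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])")  # splits camelCase and SNAKE_CASE identifiers


def tokenize(src):
    """Bag of words over identifier fragments, case folded; literals and punctuation are dropped."""
    return [w.lower() for w in WORD.findall(src)]


def tfidf_vectors(corpus):
    """Smoothed TF-IDF weight per token and method, computed by hand to stay dependency-free."""
    counts = {name: Counter(tokenize(src)) for name, src in corpus.items()}
    df = Counter(tok for c in counts.values() for tok in c)
    idf = {tok: math.log((1 + len(counts)) / (1 + d)) + 1 for tok, d in df.items()}
    return {name: {tok: n / sum(c.values()) * idf[tok] for tok, n in c.items()} for name, c in counts.items()}


def cosine(a, b):
    dot = sum(w * b.get(tok, 0.0) for tok, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0


def neighbors(target, vecs, k=3, min_sim=0.5):
    """Neighborhood discovery: the k most similar other methods, ignoring weak matches (min_sim is an assumed cut-off)."""
    ranked = sorted(((cosine(vecs[target], v), name) for name, v in vecs.items() if name != target), reverse=True)
    return [name for sim, name in ranked[:k] if sim >= min_sim]


def guard_conditions(src):
    """Canonical set of `if (...)` predicates: balanced parentheses, whitespace stripped,
    numeric literals folded to N so the differing lengths of the read* methods compare equal."""
    checks = set()
    for m in re.finditer(r"\bif\s*\(", src):
        depth, i = 1, m.end()
        while depth:
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        checks.add(re.sub(r"\b\d+\b", "N", re.sub(r"\s+", "", src[m.end():i - 1])))
    return checks


def missing_checks(target, corpus, vecs, support=0.66):
    """Anomaly detection: guards that most neighbours carry but the target lacks, with their support."""
    hood = neighbors(target, vecs)
    own = guard_conditions(corpus[target])
    votes = Counter(c for n in hood for c in guard_conditions(corpus[n]))
    found = [(c, round(v / len(hood), 2)) for c, v in votes.items() if c not in own and v / len(hood) >= support]
    return sorted(found, key=lambda x: -x[1])


if __name__ == "__main__":
    vectors = tfidf_vectors(METHODS)
    for name in METHODS:
        for guard, share in missing_checks(name, METHODS, vectors):
            print(f"{name}: {share:.0%} of its neighbours guard with `{guard}`, it does not")
```

Run as-is, the script reports readOwner as lacking the `!pin.isValidated()` guard that all three of its neighbours carry, while readBalance, whose neighbourhood is the same group, is reported clean. The neighbourhood step decides the quality of the result: set `min_sim` to 0 and verifyPin inherits three read* neighbours and is flagged for a length guard that makes no sense for it, which is why the abstract benchmarks neighborhood discovery separately from anomaly detection.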
