An Integration Testing Platform for Software Vulnerability Detection Method

Software vulnerability detecting is an important way of discovering the existing loopholes in software in order to ensure the information security. With the rapid development of the information technology in our society, a large variety of application software with various potentially vulnerabilities has emerged. Therefore, a timely discovery and repair of these loopholes before they are exploited by attackers can effectively reduce the threat in the information system. It is of great significance for us to take the initiative to explore and analyze the system security loopholes, so that the danger or threat to the system will be effectively reduced. From the previous research on the software vulnerability detection we have found that each of the existing vulnerability detection methods or tools can only perform well in some particular occasions. In order to overcome such shortcoming and improve these existing detection methods, we present a more accurate and complete analysis of current mainstream detection methods as well as design a set of evaluation criteria for different detection methods in this paper. Meanwhile, we also propose and design an integrated test framework, on which we can test the typical static analysis methods and dynamic mining methods as well as make the comparison, so that we can obtain an intuitive comparative analysis of the results. Finally, we report the experimental analysis to verify the feasibility and effectiveness of the proposed evaluation method and the testing framework, with the results showing that the final test results will serve as a form of guidance to aid the selection of the most appropriate and effective method or tools in vulnerability detection activity.

[1]  Priya Anand,et al.  Overview of Root Causes of Software Vulnerabilities - Technical and User-Side Perspectives , 2016, 2016 International Conference on Software Security and Assurance (ICSSA).

[2]  Zhuhua Cai,et al.  Software Vulnerability Discovery Techniques: A Survey , 2012, 2012 Fourth International Conference on Multimedia Information Networking and Security.

[3]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[4]  Rahul Telang,et al.  An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price , 2007, IEEE Transactions on Software Engineering.

[5]  Elizabeth N. Fong,et al.  Proceedings of Defining the State of the Art in Software Security Tools Workshop , 2005 .

[6]  M. Zhivich Dynamic Buffer Overflow Detection , 2005 .

[7]  Vern Paxson,et al.  How to Own the Internet in Your Spare Time , 2002, USENIX Security Symposium.

[8]  Karen Scarfone,et al.  Improving the Common Vulnerability Scoring System , 2007, IET Inf. Secur..

[9]  Arafat Abdulgader Mohammed Elhag,et al.  Proposed security model for web based applications and services , 2017, 2017 International Conference on Communication, Control, Computing and Electronics Engineering (ICCCCEE).

[10]  Konrad Rieck,et al.  Modeling and Discovering Vulnerabilities with Code Property Graphs , 2014, 2014 IEEE Symposium on Security and Privacy.

[11]  Yi Wang,et al.  BRICK: A Binary Tool for Run-Time Detecting and Locating Integer-Based Vulnerability , 2009, 2009 International Conference on Availability, Reliability and Security.

[12]  Tao Wei,et al.  IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution , 2009, NDSS.

[13]  James Andrew Ozment,et al.  Vulnerability discovery & software security , 2007 .

[14]  John C. Mitchell,et al.  State of the Art: Automated Black-Box Web Application Vulnerability Testing , 2010, 2010 IEEE Symposium on Security and Privacy.

[15]  Peng Li,et al.  A comparative study on software vulnerability static analysis techniques and tools , 2010, 2010 IEEE International Conference on Information Theory and Information Security.

[16]  Roland Groz,et al.  Finding Software Vulnerabilities by Smart Fuzzing , 2011, 2011 Fourth IEEE International Conference on Software Testing, Verification and Validation.

[17]  Adarsh Anand,et al.  Vulnerability Discovery Modeling and Weighted Criteria Based Ranking , 2016 .

[18]  P. K. Kapur,et al.  A comparative study of vulnerability discovery modeling and software reliability growth modeling , 2015, 2015 International Conference on Futuristic Trends on Computational Analysis and Knowledge Management (ABLAZE).

[19]  John Wilander,et al.  A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention , 2003, NDSS.