A Parallel Vulnerability Detection Framework via MPI

Open source applications have flourished in recent years. Meanwhile, the number of security vulnerabilities in such applications has grown. Since manual code auditing is error-prone, time-consuming and costly, automatic solutions are needed. To address this problem, we propose an approach that combines constraint-based analysis and model checking, in which model checking is employed as the constraint solver for the constraint-based system. CodeAuditor, the prototype implementation of our methods, is targeted at detecting vulnerabilities in C source code. With this tool, 9 previously unknown vulnerabilities in two open source applications were discovered, and the observed false positive rate was around 29%.
