论文信息 - Source Code Vulnerabilities Detection Using Loosely Coupled Data and Control Flows

Source Code Vulnerabilities Detection Using Loosely Coupled Data and Control Flows

Applications are one of the most used attack surfaces, and they must be secured at source code level, early in the development phase. Static Analysis Security Testing solutions, able to detect vulnerabilities in source code are limited to the most used programming languages and development frameworks. The proposed method consists of a security scanning solution based on an Intermediate Representation of source code which is loosely coupled with the programming language structure and to the data flow, preserving at the same time the security vulnerability patterns. The ability to identify vulnerable source code snippets in the Intermediate Representation of the original source code is the core idea for this research project. Using loosely coupled control flows and data flows representations of the original source code enables the development of new security scanners, which in the future will be able to evaluate applications written in new and exotic languages.

[1] Onur Ozdemir,et al. Automated Vulnerability Detection in Source Code Using Deep Representation Learning , 2018, 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA).

[2] Shouhuai Xu,et al. VulDeePecker: A Deep Learning-Based System for Vulnerability Detection , 2018, NDSS.

[3] Konrad Rieck,et al. Chucky: exposing missing checks in source code for vulnerability discovery , 2013, CCS.

[4] David Brumley,et al. ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions , 2012, 2012 IEEE Symposium on Security and Privacy.

[5] Stuart E. Schechter,et al. Milk or Wine: Does Software Security Improve with Age? , 2006, USENIX Security Symposium.

[6] Cristina V. Lopes,et al. SourcererCC: Scaling Code Clone Detection to Big-Code , 2015, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[7] Serguei A. Mokhov. The use of machine learning with signal- and NLP processing of source code to fingerprint, detect, and classify vulnerabilities and weaknesses with MARFCAT , 2011 .

[8] Konrad Rieck,et al. Automatic Inference of Search Patterns for Taint-Style Vulnerabilities , 2015, 2015 IEEE Symposium on Security and Privacy.

[9] Rong Jin,et al. Understanding bag-of-words model: a statistical framework , 2010, Int. J. Mach. Learn. Cybern..

[10] Sang Peter Chin,et al. Automated software vulnerability detection with machine learning , 2018, ArXiv.