SQVDT: A scalable quantitative vulnerability detection technique for source code security assessment
Software: Practice and Experience (IF 3.5) Pub Date: 2020-10-02, DOI: 10.1002/spe.2905
Junaid Akram, Ping Luo

Vulnerability detection and exploitation are becoming a very important part of security, especially in malware code delivery, hacking a system, efforts to create patches, improving source code, or updating software. Vulnerabilities in applications, including browsers, media players, online services, document readers, and so forth, are often exploited and cause serious damage. In this article, we propose a vulnerability detection technique to detect vulnerabilities in software, as well as in shared libraries, at the source code level. We crawl vulnerable source code by tracing and locating patch files from different web sources according to their CVE numbers, and build a fingerprint index of 2931 vulnerable files. We then develop a vulnerability detection approach based on a code clone detection technique and detect hundreds of vulnerabilities in thousands of GitHub open source projects that had not previously been noticed as vulnerable. We detected vulnerabilities in some very well-known, recently available software, including the latest version of Linux, HTC‐kernel, FindX‐8.1‐kernel, and in 7 TB of C/C++ source code (152,823 open source projects). In this study, we discuss some of the very high severity (CVSS) vulnerabilities detected by our approach. Furthermore, we performed an empirical evaluation and verification of these vulnerabilities, including intraproject clone vulnerabilities, copied‐kernel clone vulnerabilities, and library‐used clone vulnerabilities. Our technique is very fast, efficient, reliable, practical, and scalable, and can be implemented at an industrial level. A comparison with state‐of‐the‐art tools shows the effectiveness of our approach.

Updated: 2020-10-02