LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through Program MetricsTechnical Track
Identifying potentially vulnerable locations in a code base is critical as a pre-step for effective vulnerability assessment; i.e., it can greatly help security experts put their time and effort to where it is needed most. Metric-based and pattern-based methods have been presented for attack surface identification. The former relies on machine learning and cannot work well due to the severe imbalance between non-vulnerable and vulnerable code or lack of features to characterize vulnerabilities. The latter needs the prior knowledge of known vulnerabilities and can only identify similar but not new types of vulnerabilities. In this paper, we propose and implement a generic, lightweight and extensible framework, LEOPARD, to identify attack surfaces at the function level through program metrics. LEOPARD does not require any prior knowledge about known vulnerabilities. It has two steps by combining two sets of systematically derived metrics. First, it uses complexity metrics to group the functions in a target application into a set of bins. Then, it uses vulnerability metrics to rank the functions in each bin and identifies the top ones as potentially vulnerable. Experimental results on 11 real-world projects have demonstrated that, LEOPARD can cover 74.0% of vulnerable functions by identifying 20% of functions as vulnerable and out- perform machine learning-based and static analysis-based techniques. We further propose three applications of LEOPARD for manual code review and fuzzing, through which we discovered 22 new bugs in real applications like PHP, Radre2 and FFmpeg, and eight among them are new vulnerabilities.
Wed 29 MayDisplayed time zone: Eastern Time (US & Canada) change
11:00 - 12:30 | Security 1Journal-First Papers / Papers / Technical Track / New Ideas and Emerging Results / Software Engineering in Practice at Van-Horne Chair(s): Corina S. Păsăreanu Carnegie Mellon University Silicon Valley, NASA Ames Research Center | ||
11:00 20mTalk | Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for DevelopersSEIPIndustry Program Software Engineering in Practice Charles Weir Lancaster University, Lynne Blair Lancaster University, Ingolf Becker University College London, M. Angela Sasse University College London, James Noble Victoria University of Wellington, Awais Rashid University of Bristol, UK | ||
11:20 20mTalk | Towards Better Utilizing Static Application Security TestingSEIPIndustry Program Software Engineering in Practice Jinqiu Yang Concordia University, Montreal, Canada, Lin Tan Purdue University, John Peyton HCL America, Kristofer A Duer AppScan Source | ||
11:40 20mTalk | LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through Program MetricsTechnical Track Technical Track Xiaoning Du Nanyang Technological University, Bihuan Chen Fudan University, Yuekang Li Nanyang Technological University, Jianmin Guo Tsinghua University, Yaqin Zhou Nanyang Technological University, Yang Liu Nanyang Technological University, Singapore, Yu Jiang | ||
12:00 10mTalk | A Screening Test for Disclosed Vulnerabilities in FOSS ComponentsIndustry ProgramJournal-First Journal-First Papers Stanislav Dashevskyi University of Luxembourg, Achim D. Brucker The University of Sheffield, Fabio Massacci University of Trento Link to publication DOI Pre-print | ||
12:10 10mTalk | VULTRON: Catching Vulnerable Smart Contracts Once and for AllNIER New Ideas and Emerging Results Haijun Wang Nanyang Technological University, Yi Li Nanyang Technological University, Shang-Wei Lin Nanyang Technological University, Lei Ma Kyushu University, Yang Liu Nanyang Technological University, Singapore | ||
12:20 10mTalk | Discussion Period Papers | ||