Blogs (1) >>
ICSE 2019
Sat 25 - Fri 31 May 2019 Montreal, QC, Canada
Wed 29 May 2019 11:40 - 12:00 at Van-Horne - Security 1 Chair(s): Corina S Pasareanu

Identifying potentially vulnerable locations in a code base is critical as a pre-step for effective vulnerability assessment; i.e., it can greatly help security experts put their time and effort to where it is needed most. Metric-based and pattern-based methods have been presented for attack surface identification. The former relies on machine learning and cannot work well due to the severe imbalance between non-vulnerable and vulnerable code or lack of features to characterize vulnerabilities. The latter needs the prior knowledge of known vulnerabilities and can only identify similar but not new types of vulnerabilities. In this paper, we propose and implement a generic, lightweight and extensible framework, LEOPARD, to identify attack surfaces at the function level through program metrics. LEOPARD does not require any prior knowledge about known vulnerabilities. It has two steps by combining two sets of systematically derived metrics. First, it uses complexity metrics to group the functions in a target application into a set of bins. Then, it uses vulnerability metrics to rank the functions in each bin and identifies the top ones as potentially vulnerable. Experimental results on 11 real-world projects have demonstrated that, LEOPARD can cover 74.0% of vulnerable functions by identifying 20% of functions as vulnerable and out- perform machine learning-based and static analysis-based techniques. We further propose three applications of LEOPARD for manual code review and fuzzing, through which we discovered 22 new bugs in real applications like PHP, Radre2 and FFmpeg, and eight among them are new vulnerabilities.

Wed 29 May

icse-2019-Paper-Presentations
11:00 - 12:30: Papers - Security 1 at Van-Horne
Chair(s): Corina S PasareanuCarnegie Mellon University Silicon Valley, NASA Ames Research Center
icse-2019-Software-Engineering-in-Practice11:00 - 11:20
Talk
Charles WeirLancaster University, Lynne BlairLancaster University, Ingolf BeckerUniversity College London, M. Angela SasseUniversity College London, James NobleVictoria University of Wellington, Awais RashidUniversity of Bristol, UK
icse-2019-Software-Engineering-in-Practice11:20 - 11:40
Talk
Jinqiu YangConcordia University, Montreal, Canada, Lin TanPurdue University, John PeytonHCL America, Kristofer A DuerAppScan Source
icse-2019-Technical-Papers11:40 - 12:00
Talk
Xiaoning DuNanyang Technological University, Bihuan ChenFudan University, Yuekang LiNanyang Technological University, Jianmin GuoTsinghua University, Yaqin ZhouNanyang Technological University, Yang LiuNanyang Technological University, Singapore, Yu Jiang
icse-2019-Journal-First-Paper12:00 - 12:10
Talk
Stanislav DashevskyiUniversity of Luxembourg, Achim D. BruckerThe University of Sheffield, Fabio MassacciUniversity of Trento
Link to publication DOI Pre-print
icse-2019-New-Ideas-and-Emerging-Reults12:10 - 12:20
Talk
Haijun WangNanyang Technological University, Yi LiNanyang Technological University, Shang-Wei LinNanyang Technological University, Lei MaKyushu University, Yang LiuNanyang Technological University, Singapore
icse-2019-Paper-Presentations12:20 - 12:30
Talk