Approach of Leveraging Patches to Discover Unknown Vulnerabilities
Fund Project: National Natural Science Foundation of China (91418206, 61472429)

    Abstract:

    In recent years, using a known vulnerable function as the criterion for retrieving similar implementations has proven to be an effective vulnerability detection method. However, a vulnerable function often contains statements that are irrelevant to the vulnerability of interest, which may heavily interfere with the similarity computation and lead to false positives and false negatives. This paper presents an approach that improves the precision of retrieval-based vulnerability detection by leveraging the patch of the vulnerable function. Program slicing is used to exclude irrelevant statements from the original vulnerable function according to the patch. A denoised feature vector is generated from the resulting slice and used to search the code base for potential unknown vulnerabilities. The approach has been applied to some real-world projects. Experimental results show that it can effectively reduce the interference of irrelevant statements and improve detection precision. Three confirmed unknown vulnerabilities were successfully detected in the projects.

Citation:

李赞, 边攀, 石文昌, 梁彬. Approach of Leveraging Patches to Discover Unknown Vulnerabilities. Journal of Software (软件学报), 2018, 29(5): 1199-1212

History
  • Received: July 02, 2017
  • Revised: December 13, 2017
  • Online: May 06, 2018