Escolar Documentos
Profissional Documentos
Cultura Documentos
(1) Identification of (2) Neighborhood (3) Lightweight (4) Embedding of (5) Anomaly
sinks and sources discovery tainting functions detection
Figure 2: Overview of Chucky: (1) sources and sinks are identified, (2) functions with similar context are
grouped, (3) variables depending on the sources/sinks are tainted, (4) functions are embedded in a vector
space using tainted conditions, and (5) functions with anomalous or missing conditions are detected.
sources and sinks used in each of the functions are de- • Sources and sinks. All function parameters, func-
termined. The remaining four steps are then executed tion calls as well as global and local variables are poten-
for each source or sink independently. tial sources or sinks of information, each of which may
be tied to a unique set of conditions required for secure
2. Neighborhood discovery. The necessity of a check operation. Chucky therefore begins by extracting all
highly depends on the context code operates in. Our sources and sinks from each function. The granularity
method thus identifies functions in the code base oper- of the analysis is further increased by taking fields of
ating in a similar context to that of the selected func- structures into account. As an example, consider Fig-
tion using techniques inspired by natural language pro- ure 3 where all sources and sinks of the function foo
cessing (Section 3.2). are marked.
• API symbols. Additionally, we extract API symbols
3. Lightweight tainting. To determine only those checks
as a prerequisite for neighborhood discovery (see Sec-
associated with a given source or sink, lightweight taint-
tion 3.2). All types used in parameter and local vari-
ing is performed for the function under examination
able declarations as well as the names of all functions
and all its neighbors in top-down and bottom-up di-
called are considered as API symbols.
rection (Section 3.3).
• Assignments. Assignments describe the flow of in-
4. Embedding of functions. The selected function and formation between variables, which we exploit to de-
its neighbors are then embedded in a vector space using termine conditions related to a sink by performing
the tainted conditions such that they can be analyzed lightweight tainting (see Section 3.3). For each assign-
using machine learning techniques (Section 3.4). ment, we store the subtree of the AST referring to the
left- and right-value of the assignment.
5. Anomaly Detection. The embedding of functions
enables us to geometrically search for missing checks. • Conditions. Ultimately, functions are compared in
In particular, we compute a model of normality over terms of the conditions they impose when using a source
the functions, such that anomalous checks can be iden- or sink (see Sections 3.4 and 3.5). As conditions, we
tified by large distances from this model (Section 3.5). consider all expressions of control statements such as
those introduced by the keywords if, for or while as
well as those found in conditional expressions. To pro-
In the following sections, we describe these steps in more
vide access to partial expressions, we store conditions
detail and provide the necessary technical as well as theo-
as references to corresponding subtrees of the AST
retical background.
rather than as flat strings.
3.1 Robust Parsing Upon completion of this step, patterns can be determined
Reasoning about missing checks requires a deep under- for each of the extracted sources and sinks and analyzed for
standing of program syntax. Chucky therefore begins by missing checks, as explained in the following sections.
parsing code using a robust parser for C/C++ developed
during our research. The parser is based on an island gram- 3.2 Neighborhood Discovery
mar [see 20] for the parser generator ANTLR [25] and pro- Security checks are often highly context dependent. For
vides abstract syntax trees (ASTs) for all functions of a code example, omitting checks on string operations may be per-
base even when declarations can only be resolved partially. fectly acceptable when parsing configuration files, while pos-
This allows Chucky to be directly employed without requir- ing a serious threat when processing network data. Chucky
ing code to be compiled or a build environment to be config- accounts for this difference by only comparing the function
ured. To encourage more research in the area, we have made under examination to functions sharing a similar context.
our parser available as open-source software1 . Chucky em- This is achieved by identifying the neighborhood of the func-
ploys this parser to extract the following information from tion, that is, related functions using similar API symbols.
each function. The rationale behind this choice is that the combination of
interfaces used by a function is characteristic for the subsys-
1
https://github.com/fabsx00/joern tem it operates in as well as the functionality it implements.
1 int foo(char *user, char *str, size_t n)
2 { str user
3 char buf[BUF_SIZE], *ar; arg
arg
4 size_t len = strlen(str);
5
arg
6 if(!is_privileged(user))
strlen is_privileged
7 return ERROR;
8 assign
9 if(len >= BUF_SIZE) return ERROR;
10 memcpy(buf, str, len);
len arg memcpy arg buf
11
12 ar = malloc(n);
arg arg
13 if(!ar) return ERROR;
14
15 return process(ar, buf, len); ar arg process
16 }
assign
Figure 3: C function with sources and sinks: All
malloc arg n
parameters (line 1), global and local variables (lines
3,4 and 9) and function calls (line 4, 6, 10, 12 and
15) are marked for analysis.
Figure 4: Dependency graph for function foo. Nodes
reachable from memcpy are shaded, where the taint
For discovering these neighboring functions, we adapt the propagation stops at function boundaries. Isolated
classic bag-of-words model from natural language process- nodes are omitted.
ing that is commonly used to compare text documents [28].
Similar to the words in these documents, we represent each not trivial, as it requires the flow of data between variables
function in the code base by the API symbols it contains. We to be taken into account.
then map the functions to a vector space, whose dimensions To address this problem, Chucky performs lightweight
are associated with the frequencies of these symbols [see 41]. tainting of the code of the target function and all its neigh-
Functions using a similar API lie close to each other in this bors for each source or sink in two stages:
vector space, whereas functions with different context are
separated by large distances. 1. Dependency modelling. A directed graph is cre-
Formally, we define a mapping φ from the set of all func- ated to model the dependencies between variables. The
tions X = {x1 , . . . , xm } to R|A| where A is the set of all API nodes of the graph correspond to the identifiers used in
symbols contained in X. This mapping is given by the function (i.e., sources and sinks), while the edges
reflect assignments between identifiers. Edges are also
φ : X → R|A| , φ(x) 7→ I(x, a) · TFIDF(x, a, X) a∈A
added if identifiers are parameters of functions.
where I is an indicator function defined as 2. Taint propagation. Starting from the identifier cor-
( responding to a selected source or sink, the graph is
1 if x contains API symbol a
I(x, a) = traversed in top-down as well as bottom-up direction to
0 otherwise discover all related identifiers. The propagation stops
at function boundaries, that is, edges from parameters
and TFIDF(x, a, X) a standard weighting term from infor-
to functions are not followed.
mation retrieval [28]. The rationale behind the use of this
term is to lower the impact of very frequently used API An example of a dependency graph for the function foo
symbols on the similarity of functions. from Figure 3 is shown in Figure 4. The identifier memcpy has
This geometric representation enables us to identify the been picked as source/sink for the analysis. Three identi-
k-nearest neighbors N ⊂ X of the selected function x with fiers are tainted (gray shading) including directly connected
respect to the source or sink s. We determine this set N by nodes, such as len and buf, as well as indirectly linked nodes,
first extracting all functions of the code base that reference s. such as strlen.
We then calculate the cosine distance of their corresponding Once the tainted identifiers for a function are known, we
vectors to φ(x) and finally select those k functions with the examine its conditions (see Section 3.1) and remove a con-
smallest distance. dition if it does not reference at least one of the tainted
Note, that Chucky is not very sensitive to the choice identifiers. We thus restrict the conditions analyzed in sub-
of the parameter k, as we demonstrate in Section 4, where sequent steps only to those conditions related to the source
values between 10 and 30 provide good performance. As or sink under examination.
a result of the neighborhood discovery, only the function
under examination and its neighbors need to be processed 3.4 Embedding of Functions
in the following steps of the analysis. In the last two steps, we leverage the information dis-
tributed across the function neighborhood to determine typ-
3.3 Lightweight Tainting ical checks and deviations thereof using anomaly detection.
Among the many checks present in a regular function, Similar to the technique for neighborhood discovery (Sec-
only a subset is relevant for a chosen source or sink. An- tion 3.2), this method for anomaly detection operates on
alyzing the function in terms of its use of a specific source numerical vectors and thus the functions need to be again
or sink therefore requires unrelated checks to be discarded embedded in a suitable vector space. We implement this
automatically. However, this selection of relevant checks is embedding as follows.
foo
0 1
···
$ARG $CMP BUF_SIZE B 1 C $ARG $CMP BUF SIZE
!is_privileged
len >= BUF_SIZE ! ar B C
(user) B 1 C $ARG
$ARG B C
!
is_privileged
len >= BUF_SIZE ! ar
@ 1 A BUF SIZE
(user) BUF_SIZE
···
user
Figure 5: Schematic depiction of embedding. Conditions related to the specified source/sink are extracted
from the abstract syntax tree and mapped to a vector space using their expressions.
Upon completion of the previous step, conditions related to determine checks that are present in most neighbors but
to the source or sink s are known for each function. We pro- are missing in the examined function. This enables Chucky
ceed to extract all expressions (including sub-expressions) to pinpoint the exact missing check and report its absence
contained in each of these conditions. The expressions then to the analyst. Moreover, an anomaly score can be calcu-
undergo a simple normalization to account for small syntac- lated, allowing particularly interesting code to be returned
tical differences in the formulation of checks. In detail, the to the analyst for immediate inspection. Mathematically,
normalization consists of two transformations. this process is implemented as follows.
For each source or sink s used in a function x under
1. Removal of negations. Since Chucky does not ac- consideration, a model of normality is calculated based on
count for the actions taken upon evaluation of an ex- its neighbors N . Recalling that in the previous step, each
pression, negations are removed as the first step of neighbor is mapped to a vector in the space spanned by the
normalization. For the same reason, relational oper- expressions contained in its conditions, a natural choice for
ators are replaced by the symbol $CMP. Furthermore, this model is the center of mass of all embedded neighbor
numbers are replaced by $NUM since for example, the vectors. The model µ ∈ R|E| is thus computed over all k
expression x < 10 is equivalent to x < 1 + 9. embedded neighbour functions as
normalized. Finally, the vectorial representation is obtained that is, the anomaly score is given by the largest coefficient of
by applying the mapping ϕ. the vector d. Recalling that positive numbers denote missing
expressions, the rationale behind this choice is to rank func-
3.5 Anomaly Detection tions high if many neighbors contain an expression, which
Based on the embedding of functions, we are finally able is not present in the function of interest. Furthermore, the
to determine missing checks geometrically. To this end, a maximum norm is chosen, because functions deviating from
model of normality quantifying the importance of each ex- its neighbors in a single concrete expression—while contain-
pression contained in a check is derived from the embedded ing all other expressions—are usually more interesting than
neighbors. Measuring the distance to this model allows us functions differing from their neighbors entirely.
4. EMPIRICAL EVALUATION 1.0
To evaluate the detection performance of Chucky, the (a) Averaged ROC curve
security history of each of the five projects is reviewed. In
each code base, we uncover cases where a security check 1.0
Table 1: Overview of our dataset. For each project the missing-check vulnerability, the lines of code (LOC),
the number of functions and the number of functions involving the check is listed.
Figure 6(a) shows the ROC curves of our method averaged To ensure that all vulnerabilities found by Chucky are
over all projects for neigborhoods of different size k, where previously unknown, we update the code of both software
the detection rate is plotted against the false-positive rate projects to the most recent version. At the time of writing,
for different thresholds. For low values of k, such as k = these are version 4.0.3 for LibTIFF and 2.10.6 for Pidgin.
5, already 50% of the missing checks can be detected with
few false positives. With increasing k, Chucky is able to 4.2.1 LibTIFF Case Study
identify more missing conditions, where finally almost all In the first case study, we employ Chucky to uncover
missing checks in the five code bases are detected with k = vulnerabilities in LibTIFF, an image processing library and
20 at a detection rate of 96%. suite of tools for the Tagged Image File Format (TIFF). Im-
We further investigate the effect of the number of neigh- age processing libraries are a popular target for attackers as
bors on the detection performance by generating individual parsing images securely is a challenging task. In particu-
ROC curves for values of k between 1 and 100 using the Area lar, integer overflow vulnerabilities when dealing with image
Under Curve (AUC) as a performance measure [2]. Fig- dimensions (i.e., image width and height) are a common
ure 6(b) shows the results of this experiment. For k = 25 problem. We therefore use Chucky to rank all functions of
we attain perfect results across all code bases allowing all the code base according to anomalous use of any parameters
vulnerabilities to be detected with no false positives. While or local variables named width, height, w or h.
we do not assume that an optimal choice of k exists for ar-
bitrary code bases, for the projects under consideration, the 1 static int
average number of functions operating in a similar context 2 tiffcvt(TIFF* in, TIFF* out)
thus seems to be around 25. For all further evaluations we 3 {
4 uint32 width, height; /* image width & height */
thus fix k to 25. 5 uint16 shortv;
Moreover, we can observe that for those code bases where 6 float floatv;
APIs have been insecurely used (Firefox, LibPNG, LibTIFF 7 char *stringv;
8 uint32 longv;
and Pidgin), the maximum performance is achieved when k 9 uint16 v[1];
is chosen above a certain threshold. This confirms that in 10
these cases, the majority of functions employing the source 11 TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
12 TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
or sink perform the security check, thus making neighbor- 13
hood discovery rather dispensable. In the case of Linux, 14 CopyField(TIFFTAG_SUBFILETYPE, longv);
where missing checks in security logic need to be identified, 15 [...]
16 if( process_by_block && TIFFIsTiled( in ) )
the performance drops when k becomes too large. We ex- 17 return( cvt_by_tile( in, out ) );
amine this case in detail and find that the source dentry is 18 else if( process_by_block )
used many times across the code base while a security check 19 return( cvt_by_strip( in, out ) );
20 else
is only required in few cases. Neighborhood discovery thus 21 return( cvt_whole_image( in, out ) );
becomes essential in order to create a model of normality 22 }
only from functions that operate in a similar context.
This quantitative evaluation demonstrates the potential of Figure 7: Missing checks of the variables width and
Chucky. All of the considered vulnerabilities are success- height in the function tiffcvt.
fully identified by our method and would have been spot-
ted if Chucky had been applied to the respective software From the 74 functions dealing with these variables, Chucky
projects in the past. reports only a single function with an anomaly score of
100%. We examine the reported function tiffcvt (Figure 7)
4.2 Discovery of Vulnerabilities to find that the width and height fields are obtained directly
First and foremost, Chucky is designed to assist an an- from the image file at lines 11 and 12 and are not checked.
alyst in day-to-day auditing. In the following, we therefore Chucky reports that all neighbors of the function perform a
study our method’s ability to assist in the discovery of previ- check on the variable height while 79% additionally perform
ously unknown vulnerabilities in practice. In particular, we a check on the variable width.
describe how 7 previously unknown vulnerabilities have been Indeed, this missing check leads to an integer overflow
discovered by applying Chucky on two real-world projects, when calling the function cvt_by_strip shown in Figure 8,
namely, LibTIFF and Pidgin. We have conducted further for which 50% of its neighbors suggest an additional check
studies uncovering 5 more unknown vulnerabilities. For the for the width field. Triggering this overflow, a buffer smaller
sake of brevity however, we omit these and details of the than expected can be allocated at line 11, resulting in a
vulnerabilities here. heap-based buffer overflow when calling TIFFReadRGBAStrip
Score Source File Function Name 1 cvtRaster(TIFF* tif, uint32* raster,
2 uint32 width, uint32 height)
0.92 tools/thumbnail.c initScale 3 {
0.88, tools/rgb2ycbcr.c cvtRaster 4 uint32 y;
0.88 tools/rgb2ycbcr.c setupLuma 5 tstrip_t strip = 0;
6 tsize_t cc, acc;
0.88 tools/ycbcr.c setupLuma 7 unsigned char* buf;
0.84 tools/pal2rgb.c main 8 uint32 rwidth = roundup(width, horizSubSampling);
0.84 tools/tiff2bw.c main 9 uint32 rheight = roundup(height, vertSubSampling);
0.80 libtiff/tif print.c TIFFPrintDirectory 10 uint32 nrows = (rowsperstrip > rheight ?
11 rheight : rowsperstrip);
0.80 tools/raw2tiff.c guessSize 12 uint32 rnrows = roundup(nrows,vertSubSampling);
0.76 tools/sgisv.c svRGBContig 13
1 void
Table 3: Top ten functions returned for the sinks 2 msn_message_parse_payload(MsnMessage *msg, [...])
atoi and strchr in Pidgin’s implementation of the Mi- 3 {
crosoft Instant Messenger Protocol. Vulnerabilities 4 [...]
are indicated by dark shading. 5 for (cur = elems; *cur != NULL; cur++)
6 {
7 const char *key, *value; [...]
8 tokens = g_strsplit(*cur, ": ", 2);
9 key = tokens[0];
discover two cases among the top ten missing checks allowing 10 value = tokens[1];
attackers to remotely crash Pidgin. 11 [...]
12 if (!strcmp(key, "Content-Type"))
13 {
First Example. 14 char *charset, *c;
For the function msn_parse_oim_xml shown in Figure 10, 15 if ((c = strchr(value, ’;’)) != NULL)
Chucky reports that 72% of its neighbors validate argu- 16 {
17 [...]
ments passed to atoi while this function does not. Indeed, 18 }
this is the case on line 19 where the variable unread is passed 19 msn_message_set_content_type(msg, value);
to atoi unchecked. Moreover, Chucky reports that 75% 20 }
21 else
of the function neighbors check the return value of xmln- 22 {
ode_get_data while this function does not. Combined, these 23 msn_message_set_attr(msg, key, value);
two missing checks allow Pidgin to be crashed by sending 24 }
an XML-message with an empty “E/UI” node. This causes 25 g_strfreev(tokens);
26 }
xmlnode_get_data to return a NULL pointer on line 13, which 27 g_strfreev(elems);
is then propagated to atoi resulting in a crash. 28 /* Proceed to the end of the "\r\n\r\n" */
29 tmp = end + strlen(body_dem);
30 [...]
1 static void 31 g_free(tmp_base);
2 msn_parse_oim_xml(MsnOim *oim, xmlnode *node) 32 }
3 {
4 xmlnode *mNode;
5 xmlnode *iu_node; Figure 11: Missing check in the function msn_message
6 MsnSession *session = oim->session; _parse_payload of the instant messenger Pidgin.
7 [...]
8 iu_node = xmlnode_get_child(node, "E/IU");
9
10 if(iu_node != NULL &&
11 purple_account_get_check_mail(session->account)) 5. LIMITATIONS
12 { Similar to other methods for the discovery of security
13 char *unread = xmlnode_get_data(iu_node);
14 const char *passports[2] = flaws, Chucky cannot overcome the inherent limitations of
15 { msn_user_get_passport(session->user) }; vulnerability identification. While our method is able to
16 const char *urls[2] = expose missing security checks effectively, it cannot verify
17 { session->passport_info.mail_url };
18
whether these truly lead to vulnerabilities in practice. This
19 int count = atoi(unread); limitation, however, can be alleviated by the analyst, as he
20 can guide the search for vulnerabilities by only inspecting
21 /* XXX/khc: pretty sure this is wrong */
22 if (count > 0)
security-critical sources and sinks, such as common memory,
23 purple_notify_emails(session->account->gc, network and parsing functions. As our experiments demon-
24 count, FALSE, NULL, strate, this often enables Chucky to pinpoint missing checks
25 NULL, passports,
26 urls, NULL, NULL);
related to vulnerabilities with little manual effort.
27 g_free(unread); In contrast to other methods, Chucky does not require
28 } external information or code annotations to identify missing
29 [...] checks. The method is capable of operating on the code
30 }
base of a software project alone. This advantage comes at
price: our approach is based on the assumption that the
Figure 10: Missing check in the function msn_parse
majority of checks in a code base are correct and missing
_oim_xml of the instant messenger Pidgin.
checks are rare. While this assumption holds true for mature
software projects, it is not necessary satisfied by software at
an early stage of development. Consequently, Chucky is to web applications while Chucky can be applied in any
better suited for finding vulnerabilities in stable code. programming environment if a suitable parser is available.
It is also important to note that Chucky makes no at- In many approaches, infrequent but correct patterns might
tempts to evaluate expressions. Semantically equivalent checks cause false positives due to a biased notion of normality.
thus cannot be detected, which may lead to false positives in Thummalapenta and Xie [35] address this by introducing al-
practice. Moreover, our method is only able to detect checks ternative patterns. We discussed this limitation with respect
if they are missing entirely and cannot detect checks per- to Chucky in Section 5. Another more general method
formed too late. Combining our method with existing tech- coined as vulnerability extrapolation [41, 42] learns from
niques from data flow analysis and symbolic execution there- known security flaws and finds locations that might exhibit
fore seems to be an interesting direction for future work. a similar vulnerability. We build on this method for the
Finally, there exist many types of vulnerabilities that have neighborhood discovery described in Section 3.2.
no relation to missing checks and thus cannot be exposed by
Chucky. Nonetheless, it is a common practice of developers Taint Analysis and Symbolic Execution.
to add checks before potential vulnerabilities and security- Taint analysis or taint tracking is a method for perform-
critical code, for example for protecting buffers, limiting ac- ing information flow analysis. Data of interest is “tainted”
cess to resources or changing the program flow. All these and tracked from a source through the system to a specified
checks can be exposed by Chucky and hence our method sink. In principle one differentiates between static and dy-
addresses a wide range of possible security flaws. namic taint analysis. Dynamic taint tracking has been used
for the discovery of vulnerabilities [e.g., 23, 37]. However,
6. RELATED WORK since Chucky is strictly operating on source code, we do
The theory and practice of finding vulnerabilities in soft- not discuss dynamic approaches at this point. Static taint
ware is a classic field of computer security. Due to their tracking has been effectively used for detecting vulnerabili-
generic nature, missing-check vulnerabilities border on a ties such as format string vulnerabilities in C programs [30]
wide range of previous research. In the following, we point or SQL injections and cross-site scripting [13, 17].
out relations to this work and related approaches. Nevertheless, taint analysis implies some limitations that
come down to its passive view on the data flow. Symbolic ex-
Static Code Analysis. ecution can overcome these by actively exploring the code’s
In practice, checking tools such as Microsoft PREfast [15] state space and execution paths [1, 4, 9, 37]. Due to this
or PScan [5] are used to statically find vulnerabilities in state exploration, symbolic execution becomes intractable
source code. These tools possess built-in information about without heuristics to reduce the number of branches that
correct API usage and common programming mistakes, which need to be analyzed. As a result it hardly can be used for
severely limits the kind of vulnerabilities these tools can code auditing in practice [11].
detect. An alternative route is taken by scanners such as
Splint [7], which allow code annotations to be supplied by 7. CONCLUSIONS
analysts. However, creating these annotations and rules re- Vulnerabilities in software are a persistent problem and
garding API usage is both time consuming and challenging one of the root causes of many security incidents. Discover-
as it requires an intimate understanding of both internal and ing security flaws is a challenging and often daunting task,
external APIs of a target program. as automatic approaches are inherently limited in spotting
Several approaches seize the idea of inspecting the tempo- vulnerable code. As a remedy, we introduce Chucky in
ral properties of API usage [e.g., 6, 16, 38] and attempt to this paper, a method that can automatically detect missing
provide this information across projects [e.g., 10, 43]. Such checks in software and thereby help to accelerate the manual
properties would, for instance, indicate that a lock function auditing of source code. Instead of struggling with the lim-
call usually is followed by a call to the unlock function. Soft- its of automatic approaches, our method aims at assisting a
ware defects can thus be detected by identifying anomalies, human analyst by providing information about missing secu-
which do not comply with the derived set of rules. Con- rity checks and potential fixes. Our evaluation demonstrates
ditions, however, are not analyzed and therefore, these ap- the potential of this approach, since we are able to uncover
proaches are not suited for finding missing checks. 12 previously unknown vulnerabilities in popular software
Tan et al. [34] analyze API call sequences to identify nec- projects among the first missing checks.
essary security checks whereas the mapping between a spe- Finally, Chucky can interface with many other techniques
cific check and the event that is required to be checked is for finding vulnerabilities. For example, exposed missing
specified in advance. Similarly, Livshits et al. [18] focus on checks might be further analyzed using techniques for fuzzing
inferring information flow specifications by modelling prop- or symbolic execution. These techniques could allow to nar-
agation graphs. In contrast, Chucky attempts to find miss- row down the actual consequences of a missing check and
ing checks in a more general scope and without additional might help to rank detected flaws according to their sever-
specification of the sensitive code regions or functions. ity. Moreover, we currently plan to integrate Chucky in
Other work goes one step further and makes use of ad- a visual development environment and analyze its capabil-
ditional auxiliary information like software revision histo- ities to expose missing security checks directly during the
ries [19, 40] or different API implementations [32]. Similar development of software.
to Chucky, Son et al. [31] intend not to make use of anno-
tations or any external specifications. Instead they rely on
software engineering patterns commonly used in web appli- Acknowledgments
cations and SQL queries that alter the database as security- The authors acknowledge funding from BMBF under the
sensitive events. Therefore, this approach is tightly bound project PROSEC (FKZ 01BY1145).
References [17] Livshits, B., and Lam, M. S. Finding security vul-
[1] Avgerinos, T., Cha, S. K., Hao, B. L. T., and nerabilities in java applications with static analysis. In
Brumley, D. AEG: Automatic Exploit Generation. Proc. of USENIX Security Symposium (2005).
In Proc. of Network and Distributed System Security [18] Livshits, B., Nori, A. V., Rajamani, S. K., and
Symposium (NDSS) (2011). Banerjee, A. Merlin: specification inference for ex-
plicit information flow problems. In Proc. of ACM SIG-
[2] Bradley, A. The use of the area under the ROC curve PLAN International Conference on Programming Lan-
in the evaluation of machine learning algorithms. Pat- guages Design and Implementation (PLDI) (2009).
tern Recognition 30, 7 (1997), 1145–1159.
[19] Livshits, B., and Zimmermann, T. Dynamine: find-
[3] Chess, B., and Gerschefske, M. Rough auditing ing common error patterns by mining software revision
tool for security. Google Code, http://code.google. histories. In Proc. of European Software Engineering
com/p/rough-auditing-tool-for-security/, visited Conference (ESEC) (2005), pp. 296–305.
February, 2013.
[20] Moonen, L. Generating robust parsers using island
[4] Cova, M., Felmetsger, V., Banks, G., and Vigna, grammars. In Proc. of Working Conference on Reverse
G. Static detection of vulnerabilities in x86 executa- Engineering (WCRE) (2001), pp. 13–22.
bles. In Proc. of Annual Computer Security Applica-
tions Conference (ACSAC) (2006), pp. 269–278. [21] Moore, H. Security flaws in universal plug and play:
Unplug. don’t play. Tech. rep., Rapid 7, 2013.
[5] DeKok, A. Pscan: A limited problem scanner for
c source files. http://deployingradius.com/pscan/, [22] Mulliner, C., Golde, N., and Seifert, J.-P. Sms of
visited February, 2013. death: From analyzing to attacking mobile phones on
a large scale. In Proc. of USENIX Security Symposium
[6] Engler, D., Chen, D. Y., Hallem, S., Chou, A., (2011).
and Chelf, B. Bugs as deviant behavior: A general
approach to inferring errors in systems code. In Proc. [23] Newsome, J., and Song, D. Dynamic taint analysis
of ACM Symposium on Operating Systems Principles for automatic detection, analysis, and signature gener-
(SOSP) (2001), pp. 57–72. ation of exploits on commodity software. In Proc. of
Network and Distributed System Security Symposium
[7] Evans, D., and Larochelle, D. Improving security (NDSS) (2005).
using extensible lightweight static analysis. IEEE Soft-
ware 19, 1 (2002), 42–51. [24] Oh, J. W. Recent Java exploitation trends and mal-
ware. Presentation at Black Hat Las Vegas, 2012.
[8] Falliere, N., Murchu, L. O., , and Chien, E.
W32.stuxnet dossier. Symantec Corporation, 2011. [25] Parr, T., and Quong, R. ANTLR: A predicated-
LL(k) parser generator. Software Practice and Experi-
[9] Godefroid, P., Levin, M. Y., and Molnar, D. ence 25 (1995), 789–810.
SAGE: whitebox fuzzing for security testing. Commu-
nications of the ACM 55, 3 (2012), 40–44. [26] Portokalidis, G., Slowinska, A., and Bos, H. Ar-
gos: an emulator for fingerprinting zero-day attacks for
[10] Gruska, N., Wasylkowski, A., and Zeller, A. advertised honeypots with automatic signature gener-
Learning from 6,000 projects: lightweight cross-project ation. ACM SIGOPS Operating Systems Review 40, 4
anomaly detection. In Proc. of the International Sympo- (Apr. 2006), 15–27.
sium on Software Testing and Analysis (ISSTA) (2010), [27] Rieck, K., and Laskov, P. Linear-time computation
pp. 119–130. of similarity measures for sequential data. Journal of
[11] Heelan, S. Vulnerability detection systems: Think Machine Learning Research (JMLR) 9, Jan (Jan. 2008),
cyborg, not robot. IEEE Security & Privacy 9, 3 (2011), 23–48.
74–77. [28] Salton, G., and McGill, M. J. Introduction to Mod-
ern Information Retrieval. McGraw-Hill, 1986.
[12] Hopcroft, J., and Motwani, R. Ullmann, J. In-
troduction to Automata Theory, Languages, and Com- [29] Schwartz, E., Avgerinos, T., and Brumley, D. All
putation, 2 ed. Addison-Wesley, 2001. you ever wanted to know about dynamic taint analysis
and forward symbolic execution (but might have been
[13] Jovanovic, N., Kruegel, C., and Kirda, E. Pixy: afraid to ask). In Proc. of IEEE Symposium on Security
A static analysis tool for detecting web application vul- and Privacy (2010), pp. 317–331.
nerabilities. In Proc. of IEEE Symposium on Security
and Privacy (2006), pp. 6–263. [30] Shankar, U., Talwar, K., Foster, J. S., and Wag-
ner, D. Detecting format string vulnerabilities with
[14] Kupsch, J. A., and Miller, B. P. Manual vs. auto- type qualifiers. In Proc. of USENIX Security Sympo-
mated vulnerability assessment: A case study. In Proc. sium (2001), pp. 201–218.
of Workshop on Managing Insider Security Threats
(MIST) (2009), pp. 83–97. [31] Son, S., McKinley, K. S., and Shmatikov, V. Role-
cast: finding missing security checks when you do not
[15] Larus, J. R., Ball, T., Das, M., DeLine, R., know what checks are. In Proc. of ACM International
Fähndrich, M., Pincus, J., Rajamani, S. K., and Conference on Object Oriented Programming Systems
Venkatapathy, R. Righting software. IEEE Software Languages and Applications (SPLASH) (2011).
21, 3 (2004), 92–100.
[32] Srivastava, V., Bond, M. D., Mckinley, K. S.,
[16] Li, Z., and Zhou, Y. PR-Miner: automatically ex- and Shmatikov, V. A security policy oracle: Detect-
tracting implicit programming rules and detecting vio- ing security holes using multiple API implementations.
lations in large software code. In Proc. of European Soft- In Proc. of ACM SIGPLAN International Conference
ware Engineering Conference (ESEC) (2005), pp. 306– on Programming Languages Design and Implementa-
315. tion (PLDI) (2011).
[33] Sutton, M., Greene, A., and Amini, P. Fuzzing: pean Software Engineering Conference (ESEC) (2007),
Brute Force Vulnerability Discovery. Addison-Wesley pp. 35–44.
Professional, 2007.
[39] Wheeler, D. A. Flawfinder. http://www.dwheeler.
[34] Tan, L., Zhang, X., Ma, X., Xiong, W., and Zhou, com/flawfinder/, visited February, 2013.
Y. Autoises: automatically inferring security specifica-
tions and detecting violations. In Proc. of USENIX [40] Williams, C. C., and Hollingsworth, J. K. Au-
Security Symposium (2008). tomatic mining of source code repositories to improve
bug finding techniques. IEEE Transactions on Software
[35] Thummalapenta, S., and Xie, T. Alattin: Mining Engineering 31 (2005), 466–480.
alternative patterns for detecting neglected conditions.
In Proc. of the International Conference on Automated [41] Yamaguchi, F., Lindner, F., and Rieck, K. Vulner-
Software Engineering (ASE) (2009), pp. 283–294. ability extrapolation: Assisted discovery of vulnerabil-
ities using machine learning. In Proc. of 5th USENIX
[36] Viega, J., Bloch, J., Kohno, Y., and McGraw, G. Workshop on Offensive Technologies (WOOT) (Aug.
ITS4: A static vulnerability scanner for C and C++ 2011), pp. 118–127.
code. In Proc. of Annual Computer Security Applica-
tions Conference (ACSAC) (2000), pp. 257–267. [42] Yamaguchi, F., Lottmann, M., and Rieck, K.
Generalized vulnerability extrapolation using abstract
[37] Wang, T., Wei, T., Lin, Z., and Zou, W. IntScope: syntax trees. In Proc. of 28th Annual Computer Se-
Automatically detecting integer overflow vulnerability curity Applications Conference (ACSAC) (Dec. 2012),
in x86 binary using symbolic execution. In Proc. of pp. 359–368.
Network and Distributed System Security Symposium
(NDSS) (2009). [43] Zhong, H., Xie, T., Zhang, L., Pei, J., and Mei, H.
Mapo: Mining and recommending API usage patterns.
[38] Wasylkowski, A., Zeller, A., and Lindig, C. De- In Proc. of the European Conference on Object-Oriented
tecting object usage anomalies. In Proc. of Euro- Programming(ECOOP) (2009), pp. 318–343.