New Version, New Answer: Investigating Cybersecurity Static-Analysis Tool Findings

2023 IEEE International Conference on Cyber Security and Resilience (CSR) Pub Date : 2023-07-31 DOI:10.1109/CSR57506.2023.10224930

A. Reinhold, Travis Weber, Colleen Lemak, Derek Reimanis, C. Izurieta

{"title":"New Version, New Answer: Investigating Cybersecurity Static-Analysis Tool Findings","authors":"A. Reinhold, Travis Weber, Colleen Lemak, Derek Reimanis, C. Izurieta","doi":"10.1109/CSR57506.2023.10224930","DOIUrl":null,"url":null,"abstract":"Automated detection of vulnerabilities and weaknesses in binary code is a critical need at the frontier of cybersecurity research. Cybersecurity static-analysis tools aim to detect and enumerate vulnerabilities and weaknesses. Two popular tools are CVE Binary Tool (cve-bin-tool) and cwe-checker. Cve-bin-tool reports vulnerabilities using Common Vulnerabilities and Exposures (CVE) whereas cwe-checker reports weaknesses using Common Weakness Enumeration (CWE). Despite widespread use, the consistency with which these tools report vulnerabilities and weaknesses (herein, “findings”) was unaddressed. We conducted a systematic investigation of 660 unique binaries taken from a Kali Linux distribution, evaluated each binary with multiple versions of the static-analysis tools, and investigated how the findings changed according to the version of the static-analysis tool used. We expected some variation in findings commensurate with the software-development life cycle. However, the number and magnitude of the changes in findings reported across versions were substantial. New versions gave new answers.","PeriodicalId":354918,"journal":{"name":"2023 IEEE International Conference on Cyber Security and Resilience (CSR)","volume":"6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-07-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE International Conference on Cyber Security and Resilience (CSR)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSR57506.2023.10224930","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Automated detection of vulnerabilities and weaknesses in binary code is a critical need at the frontier of cybersecurity research. Cybersecurity static-analysis tools aim to detect and enumerate vulnerabilities and weaknesses. Two popular tools are CVE Binary Tool (cve-bin-tool) and cwe-checker. Cve-bin-tool reports vulnerabilities using Common Vulnerabilities and Exposures (CVE) whereas cwe-checker reports weaknesses using Common Weakness Enumeration (CWE). Despite widespread use, the consistency with which these tools report vulnerabilities and weaknesses (herein, “findings”) was unaddressed. We conducted a systematic investigation of 660 unique binaries taken from a Kali Linux distribution, evaluated each binary with multiple versions of the static-analysis tools, and investigated how the findings changed according to the version of the static-analysis tool used. We expected some variation in findings commensurate with the software-development life cycle. However, the number and magnitude of the changes in findings reported across versions were substantial. New versions gave new answers.

查看原文本刊更多论文

新版本，新答案:调查网络安全静态分析工具的发现

自动检测二进制代码中的漏洞和弱点是网络安全研究前沿的一个关键需求。网络安全静态分析工具旨在检测和列举漏洞和弱点。两个常用的工具是CVE二进制工具(CVE -bin- Tool)和CVE -checker。CVE -bin-tool使用Common vulnerabilities and Exposures (CVE)报告漏洞，而CWE -checker使用Common Weakness Enumeration (CWE)报告漏洞。尽管被广泛使用，但这些工具报告漏洞和弱点(在这里称为“发现”)的一致性尚未得到解决。我们对Kali Linux发行版中的660个唯一二进制文件进行了系统调查，使用多个版本的静态分析工具对每个二进制文件进行了评估，并调查了结果如何根据所使用的静态分析工具的版本而变化。我们期望在与软件开发生命周期相称的结果中出现一些变化。然而，各版本报告的调查结果变化的数量和幅度是巨大的。新版本给出了新的答案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2023 IEEE International Conference on Cyber Security and Resilience (CSR)

自引率

0.00%

发文量