Program Slice based Vulnerable Code Clone Detection

2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) Pub Date : 2020-12-01 DOI:10.1109/TrustCom50675.2020.00049

Xiaonan Song, Aimin Yu, Haibo Yu, Shirun Liu, Xin Bai, Lijun Cai, Dan Meng

{"title":"Program Slice based Vulnerable Code Clone Detection","authors":"Xiaonan Song, Aimin Yu, Haibo Yu, Shirun Liu, Xin Bai, Lijun Cai, Dan Meng","doi":"10.1109/TrustCom50675.2020.00049","DOIUrl":null,"url":null,"abstract":"Vulnerabilities in software will not only lead to security problems of the software itself, but also cause the spread of vulnerabilities through code clones. It is important to detect and locate vulnerabilities among the source code to facilitate the fix. Although many methods are proposed to detect code clones in source code, most of them fail to detect code clones that involve statement addition and deletion effectively or are not suitable for vulnerability detection. In this paper, we propose a method that can detect vulnerabilities caused by code clones. Program slices are used to filter statements that are not related to vulnerabilities and extract important vulnerable statements in function. Hash function and bitvector are applied to improve efficiency during the detection. The results are displayed in html, among which the vulnerable statements are highlighted to help subsequent patching work. Our method is evaluated on open source software (Openssl, Linux Kernel, FFmpeg and QEMU). The results of experiments show that our method detects 12.72% more vulnerable clones in acceptable time compared with Vuddy, proving the effectiveness of our method.","PeriodicalId":221956,"journal":{"name":"2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/TrustCom50675.2020.00049","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

Vulnerabilities in software will not only lead to security problems of the software itself, but also cause the spread of vulnerabilities through code clones. It is important to detect and locate vulnerabilities among the source code to facilitate the fix. Although many methods are proposed to detect code clones in source code, most of them fail to detect code clones that involve statement addition and deletion effectively or are not suitable for vulnerability detection. In this paper, we propose a method that can detect vulnerabilities caused by code clones. Program slices are used to filter statements that are not related to vulnerabilities and extract important vulnerable statements in function. Hash function and bitvector are applied to improve efficiency during the detection. The results are displayed in html, among which the vulnerable statements are highlighted to help subsequent patching work. Our method is evaluated on open source software (Openssl, Linux Kernel, FFmpeg and QEMU). The results of experiments show that our method detects 12.72% more vulnerable clones in acceptable time compared with Vuddy, proving the effectiveness of our method.

查看原文本刊更多论文

基于程序切片的脆弱代码克隆检测

软件中的漏洞不仅会导致软件本身的安全问题，还会通过代码克隆导致漏洞的传播。检测和定位源代码中的漏洞以促进修复非常重要。虽然提出了许多方法来检测源代码中的代码克隆，但大多数方法都不能有效地检测到涉及语句添加和删除的代码克隆，或者不适合进行漏洞检测。本文提出了一种检测代码克隆漏洞的方法。程序切片用于过滤与漏洞无关的语句，并提取函数中重要的漏洞语句。采用哈希函数和位向量来提高检测效率。结果以html格式显示，其中易受攻击的语句会被高亮显示，以帮助后续的修补工作。我们的方法在开源软件(Openssl, Linux Kernel, FFmpeg和QEMU)上进行了评估。实验结果表明，与Vuddy相比，我们的方法在可接受的时间内检测出的脆弱克隆多12.72%，证明了我们方法的有效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)

自引率

0.00%

发文量