Strategies for Pattern-Based Detection of Architecturally-Relevant Software Vulnerabilities

Adriana Sejfia, N. Medvidović
DOI: 10.1109/ICSA47634.2020.00017
Published in: 2020 IEEE International Conference on Software Architecture (ICSA)
Publication date: 2020-03-01
Citations: 2

Abstract

Software vulnerabilities expose a system to security breaches. In this paper, we focus on vulnerabilities rooted in a system's architecture. Specifically, we describe our attempt at developing ways of depicting and detecting architectural vulnerabilities. Our guiding observation was that vulnerabilities that belong to the same category result in commonalities in the source code. This observation led us to hypothesize that it is possible to define patterns that can be used to detect similar vulnerabilities. To test this hypothesis, we collected a dataset of vulnerabilities reported for the Tomcat web server that spanned 20 different categories and 90 unique vulnerabilities. We represented each individual vulnerability with a Program Dependence Graph (PDG) and employed two approaches we believed to be especially promising based on the results they yielded when applied to similar problems. The first approach relied on graph-theory research to identify shared subgraphs in vulnerability PDGs. The second approach performed a multi-level hierarchical clustering on the PDGs to account for cases in which vulnerabilities of the same category exhibit more than one pattern. In the end, neither approach yielded successful results: the former was too computationally expensive to be practically applicable and had limited applicability, while the latter generated patterns that performed poorly when applied to real examples of vulnerabilities. Even though the two approaches were ultimately unsuccessful, we report on several important lessons that emerged from this endeavor.