VUDDY: A Scalable Approach for Vulnerable Code Clone Discovery

2017 IEEE Symposium on Security and Privacy (SP) Pub Date : 2017-05-01 DOI:10.1109/SP.2017.62

Seulbae Kim, Seunghoon Woo, Heejo Lee, Hakjoo Oh

{"title":"VUDDY: A Scalable Approach for Vulnerable Code Clone Discovery","authors":"Seulbae Kim, Seunghoon Woo, Heejo Lee, Hakjoo Oh","doi":"10.1109/SP.2017.62","DOIUrl":null,"url":null,"abstract":"The ecosystem of open source software (OSS) has been growing considerably in size. In addition, code clones - code fragments that are copied and pasted within or between software systems - are also proliferating. Although code cloning may expedite the process of software development, it often critically affects the security of software because vulnerabilities and bugs can easily be propagated through code clones. These vulnerable code clones are increasing in conjunction with the growth of OSS, potentially contaminating many systems. Although researchers have attempted to detect code clones for decades, most of these attempts fail to scale to the size of the ever-growing OSS code base. The lack of scalability prevents software developers from readily managing code clones and associated vulnerabilities. Moreover, most existing clone detection techniques focus overly on merely detecting clones and this impairs their ability to accurately find \"vulnerable\" clones. In this paper, we propose VUDDY, an approach for the scalable detection of vulnerable code clones, which is capable of detecting security vulnerabilities in large software programs efficiently and accurately. Its extreme scalability is achieved by leveraging function-level granularity and a length-filtering technique that reduces the number of signature comparisons. This efficient design enables VUDDY to preprocess a billion lines of code in 14 hour and 17 minutes, after which it requires a few seconds to identify code clones. In addition, we designed a security-aware abstraction technique that renders VUDDY resilient to common modifications in cloned code, while preserving the vulnerable conditions even after the abstraction is applied. This extends the scope of VUDDY to identifying variants of known vulnerabilities, with high accuracy. In this study, we describe its principles and evaluate its efficacy and effectiveness by comparing it with existing mechanisms and presenting the vulnerabilities it detected. VUDDY outperformed four state-of-the-art code clone detection techniques in terms of both scalability and accuracy, and proved its effectiveness by detecting zero-day vulnerabilities in widely used software systems, such as Apache HTTPD and Ubuntu OS Distribution.","PeriodicalId":6502,"journal":{"name":"2017 IEEE Symposium on Security and Privacy (SP)","volume":"33 1","pages":"595-614"},"PeriodicalIF":0.0000,"publicationDate":"2017-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"240","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2017.62","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 240

Abstract

The ecosystem of open source software (OSS) has been growing considerably in size. In addition, code clones - code fragments that are copied and pasted within or between software systems - are also proliferating. Although code cloning may expedite the process of software development, it often critically affects the security of software because vulnerabilities and bugs can easily be propagated through code clones. These vulnerable code clones are increasing in conjunction with the growth of OSS, potentially contaminating many systems. Although researchers have attempted to detect code clones for decades, most of these attempts fail to scale to the size of the ever-growing OSS code base. The lack of scalability prevents software developers from readily managing code clones and associated vulnerabilities. Moreover, most existing clone detection techniques focus overly on merely detecting clones and this impairs their ability to accurately find "vulnerable" clones. In this paper, we propose VUDDY, an approach for the scalable detection of vulnerable code clones, which is capable of detecting security vulnerabilities in large software programs efficiently and accurately. Its extreme scalability is achieved by leveraging function-level granularity and a length-filtering technique that reduces the number of signature comparisons. This efficient design enables VUDDY to preprocess a billion lines of code in 14 hour and 17 minutes, after which it requires a few seconds to identify code clones. In addition, we designed a security-aware abstraction technique that renders VUDDY resilient to common modifications in cloned code, while preserving the vulnerable conditions even after the abstraction is applied. This extends the scope of VUDDY to identifying variants of known vulnerabilities, with high accuracy. In this study, we describe its principles and evaluate its efficacy and effectiveness by comparing it with existing mechanisms and presenting the vulnerabilities it detected. VUDDY outperformed four state-of-the-art code clone detection techniques in terms of both scalability and accuracy, and proved its effectiveness by detecting zero-day vulnerabilities in widely used software systems, such as Apache HTTPD and Ubuntu OS Distribution.

查看原文本刊更多论文

VUDDY:一种可扩展的易受攻击代码克隆发现方法

开源软件(OSS)生态系统的规模一直在显著增长。此外，代码克隆——在软件系统内部或系统之间复制和粘贴的代码片段——也在激增。尽管代码克隆可以加快软件开发过程，但它通常会严重影响软件的安全性，因为漏洞和错误很容易通过代码克隆传播。这些易受攻击的代码克隆随着OSS的发展而增加，潜在地污染了许多系统。尽管研究人员几十年来一直试图检测代码克隆，但大多数这些尝试都无法适应不断增长的OSS代码库的规模。缺乏可伸缩性使软件开发人员无法轻松地管理代码克隆和相关的漏洞。此外，大多数现有的克隆检测技术过分关注于仅仅检测克隆，这削弱了它们准确发现“易受攻击”克隆的能力。本文提出了一种可扩展的漏洞克隆检测方法VUDDY，该方法能够高效、准确地检测大型软件程序中的安全漏洞。通过利用函数级粒度和减少签名比较次数的长度过滤技术，实现了其极致的可伸缩性。这种高效的设计使VUDDY能够在14小时17分钟内预处理十亿行代码，之后需要几秒钟来识别代码克隆。此外，我们还设计了一种安全感知抽象技术，使VUDDY对克隆代码中的常见修改具有弹性，同时即使在应用抽象之后也保留了易受攻击的条件。这扩展了VUDDY的范围，以高精度识别已知漏洞的变体。在本研究中，我们描述了其原理，并通过与现有机制的比较来评估其有效性和有效性，并介绍了其检测到的漏洞。VUDDY在可扩展性和准确性方面优于四种最先进的代码克隆检测技术，并通过检测广泛使用的软件系统(如Apache HTTPD和Ubuntu OS Distribution)中的零日漏洞证明了其有效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量