con未婚夫:检测Java Card小程序中的漏洞

Proceedings of the 15th International Conference on Availability, Reliability and Security Pub Date : 2020-07-30 DOI:10.1145/3407023.3407031

Léopold Ouairy, Hélène Le Bouder, Jean-Louis Lanet

{"title":"con未婚夫:检测Java Card小程序中的漏洞","authors":"Léopold Ouairy, Hélène Le Bouder, Jean-Louis Lanet","doi":"10.1145/3407023.3407031","DOIUrl":null,"url":null,"abstract":"This study focuses on automatically detecting wrong implementations of specifications in Java Card programs, without any knowledge on the source code or the specification itself. To achieve this, an approach based on Natural Language Processing and machine-learning is proposed. First, an oracle gathering methods with similar semantics in groups, is created. This focuses on evaluating our approach performances during the neighborhood discovery. Based on the groups of similar methods automatically retrieved, the anomaly detection relies on the Control Flow Graph of programs of these groups. In order to benchmark our approach's ability to detect vulnerabilities, an oracle of anomaly is created. This oracle knows every anomaly the approach should automatically retrieve. Both the neighborhood discovery and the anomaly detection steps are benchmarked. This approach is implemented in a tool: Confiance, and it is compared to another machine-learning tool for automatic vulnerability detection. The results expose the better performances of Confiance to detect vulnerabilities in open-source programs available online.","PeriodicalId":121225,"journal":{"name":"Proceedings of the 15th International Conference on Availability, Reliability and Security","volume":"24 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-07-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Confiance: detecting vulnerabilities in Java Card applets\",\"authors\":\"Léopold Ouairy, Hélène Le Bouder, Jean-Louis Lanet\",\"doi\":\"10.1145/3407023.3407031\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"This study focuses on automatically detecting wrong implementations of specifications in Java Card programs, without any knowledge on the source code or the specification itself. To achieve this, an approach based on Natural Language Processing and machine-learning is proposed. First, an oracle gathering methods with similar semantics in groups, is created. This focuses on evaluating our approach performances during the neighborhood discovery. Based on the groups of similar methods automatically retrieved, the anomaly detection relies on the Control Flow Graph of programs of these groups. In order to benchmark our approach's ability to detect vulnerabilities, an oracle of anomaly is created. This oracle knows every anomaly the approach should automatically retrieve. Both the neighborhood discovery and the anomaly detection steps are benchmarked. This approach is implemented in a tool: Confiance, and it is compared to another machine-learning tool for automatic vulnerability detection. The results expose the better performances of Confiance to detect vulnerabilities in open-source programs available online.\",\"PeriodicalId\":121225,\"journal\":{\"name\":\"Proceedings of the 15th International Conference on Availability, Reliability and Security\",\"volume\":\"24 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-07-30\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 15th International Conference on Availability, Reliability and Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3407023.3407031\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 15th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3407023.3407031","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

摘要

本研究的重点是在不了解源代码或规范本身的情况下，自动检测Java Card程序中规范的错误实现。为了实现这一目标，提出了一种基于自然语言处理和机器学习的方法。首先，创建一个oracle，将具有相似语义的方法分组。这侧重于评估我们的方法在邻域发现过程中的性能。基于自动检索到的相似方法组，异常检测依赖于这些组的程序控制流图。为了对我们的方法检测漏洞的能力进行基准测试，我们创建了一个异常oracle。这个oracle知道该方法应该自动检索的每一个异常。对邻域发现和异常检测步骤进行了基准测试。这种方法是在一个工具中实现的:con未婚夫，并将其与另一个用于自动漏洞检测的机器学习工具进行比较。结果表明，con未婚夫在检测在线可用的开源程序漏洞方面具有更好的性能。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Confiance: detecting vulnerabilities in Java Card applets

This study focuses on automatically detecting wrong implementations of specifications in Java Card programs, without any knowledge on the source code or the specification itself. To achieve this, an approach based on Natural Language Processing and machine-learning is proposed. First, an oracle gathering methods with similar semantics in groups, is created. This focuses on evaluating our approach performances during the neighborhood discovery. Based on the groups of similar methods automatically retrieved, the anomaly detection relies on the Control Flow Graph of programs of these groups. In order to benchmark our approach's ability to detect vulnerabilities, an oracle of anomaly is created. This oracle knows every anomaly the approach should automatically retrieve. Both the neighborhood discovery and the anomaly detection steps are benchmarked. This approach is implemented in a tool: Confiance, and it is compared to another machine-learning tool for automatic vulnerability detection. The results expose the better performances of Confiance to detect vulnerabilities in open-source programs available online.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 15th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量