Static Detection of Control-Flow-Related Vulnerabilities Using Graph Embedding
| Field | Value |
|---|---|
| Published in | 2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 41-50 |
| Main Authors | Cheng, Xiao; Wang, Haoyu; Hua, Jiayi; Zhang, Miao; Xu, Guoai; Yi, Li; Sui, Yulei |
| Format | Conference Proceeding |
| Language | English |
| Published | IEEE, 01.11.2019 |
| Subjects | Computer bugs; control-flow; Convolutional codes; Feature extraction; graph embedding; Semantics; Software; Static analysis; Training; vulnerabilities |
| Online Access | https://ieeexplore.ieee.org/document/8882745 |
| DOI | 10.1109/ICECCS.2019.00012 |
Abstract

Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, pose a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.
Authors

1. Xiao Cheng, Beijing University of Posts and Telecommunications, China
2. Haoyu Wang, Beijing University of Posts and Telecommunications, China
3. Jiayi Hua, Beijing University of Posts and Telecommunications, China
4. Miao Zhang, Beijing University of Posts and Telecommunications, China
5. Guoai Xu, Beijing University of Posts and Telecommunications, China
6. Li Yi, National Computer Network Emergency Response Technical Team Coordination Center, China
7. Yulei Sui, University of Technology Sydney, Australia
Record details

| Record field | Value |
|---|---|
| Publication title | 2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS) |
| Publisher | IEEE |
| Publication date | 2019-11-01 |
| Pages | 41-50 (10 pages) |
| Content type | Conference Proceeding |
| Genre | Original research |
| Language | English |
| DOI | 10.1109/ICECCS.2019.00012 |
| CODEN | IEEPAD |
| EISBN | 1728146461; 9781728146461 |
| IEEE document ID | 8882745 |
| Source | IEEE Electronic Library (IEL) Conference Proceedings, IEEE Xplore |
| Subject terms | Computer bugs; control-flow; Convolutional codes; Feature extraction; graph embedding; Semantics; Software; Static analysis; Training; vulnerabilities |
| URI | https://ieeexplore.ieee.org/document/8882745 |