Peng Wu, Liangze Yin, Xiang Du, Liyuan Jia, Wei Dong
{"title":"从切片代码中提取特征的基于图的漏洞检测","authors":"Peng Wu, Liangze Yin, Xiang Du, Liyuan Jia, Wei Dong","doi":"10.1109/QRS-C51114.2020.00018","DOIUrl":null,"url":null,"abstract":"With the development of open source software and open source community, there are more available codes on the Internet. And the open vulnerability information can be found on the Internet. In fact, using known vulnerabilities to calculate the similarity with the source code has been demonstrated a useful method to detect vulnerabilities. But the vulnerabilities often have many irrelevant codes, which may cause false positives and reduce the accuracy of vulnerability detection. Besides, the program code may have been patched. This also leads to false positives. We use code property graphs to extract source code and calculate the similarity between the vulnerable code and the source code to judge whether the software has vulnerabilities. By using the patched code, we can reduce the false positive. We use our approach on LibTIFF and Linux kernel. The experimental results show that the approach can effectively find vulnerabilities and reduce the false positive.","PeriodicalId":358174,"journal":{"name":"2020 IEEE 20th International Conference on Software Quality, Reliability and Security Companion (QRS-C)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Graph-based Vulnerability Detection via Extracting Features from Sliced Code\",\"authors\":\"Peng Wu, Liangze Yin, Xiang Du, Liyuan Jia, Wei Dong\",\"doi\":\"10.1109/QRS-C51114.2020.00018\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"With the development of open source software and open source community, there are more available codes on the Internet. And the open vulnerability information can be found on the Internet. In fact, using known vulnerabilities to calculate the similarity with the source code has been demonstrated a useful method to detect vulnerabilities. But the vulnerabilities often have many irrelevant codes, which may cause false positives and reduce the accuracy of vulnerability detection. Besides, the program code may have been patched. This also leads to false positives. We use code property graphs to extract source code and calculate the similarity between the vulnerable code and the source code to judge whether the software has vulnerabilities. By using the patched code, we can reduce the false positive. We use our approach on LibTIFF and Linux kernel. The experimental results show that the approach can effectively find vulnerabilities and reduce the false positive.\",\"PeriodicalId\":358174,\"journal\":{\"name\":\"2020 IEEE 20th International Conference on Software Quality, Reliability and Security Companion (QRS-C)\",\"volume\":\"25 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-12-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2020 IEEE 20th International Conference on Software Quality, Reliability and Security Companion (QRS-C)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/QRS-C51114.2020.00018\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE 20th International Conference on Software Quality, Reliability and Security Companion (QRS-C)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/QRS-C51114.2020.00018","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Graph-based Vulnerability Detection via Extracting Features from Sliced Code
With the development of open source software and open source community, there are more available codes on the Internet. And the open vulnerability information can be found on the Internet. In fact, using known vulnerabilities to calculate the similarity with the source code has been demonstrated a useful method to detect vulnerabilities. But the vulnerabilities often have many irrelevant codes, which may cause false positives and reduce the accuracy of vulnerability detection. Besides, the program code may have been patched. This also leads to false positives. We use code property graphs to extract source code and calculate the similarity between the vulnerable code and the source code to judge whether the software has vulnerabilities. By using the patched code, we can reduce the false positive. We use our approach on LibTIFF and Linux kernel. The experimental results show that the approach can effectively find vulnerabilities and reduce the false positive.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
