Software vulnerabilities are the fundamental cause of many attacks. Even with rapid vulnerability patching, the problem is more complicated than it looks. One reason is that instances of the same vulnerability may exist in multiple software copies that are difficult to track in real life (e.g., different versions of libraries and applications). This calls for tools that can automatically search for vulnerable software with respect to a given vulnerability. In this paper, we move a step forward in this direction by presenting Vulnerability Pecker (VulPecker), a system for automatically detecting whether a piece of software source code contains a given vulnerability or not. The key insight underlying VulPecker is to leverage (i) a set of features that we define to characterize patches, and (ii) code-similarity algorithms that have been proposed for various purposes, while noting that no single code-similarity algorithm is effective for all kinds of vulnerabilities. Experiments show that VulPecker detects 40 vulnerabilities that are not published in the National Vulnerability Database (NVD). Among these vulnerabilities, 18 were not previously known to exist and have yet to be confirmed by vendors at the time of writing (these vulnerabilities are “anonymized” in the present paper for ethical reasons), and the other 22 vulnerabilities have been “silently” patched by the vendors in later releases of the vulnerable products.
Author(s):
Zhen Li
Huazhong University of Science and Technology; Hebei University
China
Deqing Zou
Huazhong University of Science and Technology
China
Shouhuai Xu
University of Texas at San Antonio
United States
Hai Jin
Huazhong University of Science and Technology
China
Hanchao Qi
Huazhong University of Science and Technology
China
Jie Hu
Huazhong University of Science and Technology
China