A Fine-Grained Approach for Vulnerabilities Discovery Using Augmented Vulnerability Signatures

Part of the Lecture Notes in Computer Science book series (LNAI, volume 13370)

Abstract

Code similarity analysis quantitatively measures the similarity between two pieces of source code by matching signatures defined by a code analyst. It has proven to be a promising way to discover hidden clone vulnerabilities when a vulnerability database is given. However, because vulnerable code and patched code differ only slightly, while a clone vulnerability may be heavily modified relative to the original vulnerability, existing methods suffer from low accuracy, high false-negative rates and coarse granularity. In this work, we present VCCD, a system for discovering C/C++ clone vulnerabilities at fine granularity that is more sensitive to code modification while remaining general to all kinds of vulnerability. We achieve this with an augmented vulnerability signature comprising three components: contextual lines of code, vulnerable lines of code and fixed hunks of code. We propose a triplet matching algorithm that compares each target code signature with all vulnerability signatures to determine whether the target code is vulnerable. We compare VCCD with other state-of-the-art clone vulnerability discovery methods on eight popular real-world open-source projects. The evaluation results show that our approach discovers 21% more clone vulnerabilities than ReDeBug and 22% more than VUDDY in acceptable time.

Keywords

  • Code similarity
  • Vulnerability discovery
  • Signature matching
  • Fine granularity

References

  1. Ghaffarian, S.M., Shahriari, H.R.: Software vulnerability analysis and discovery using machine-learning and data-mining techniques: a survey. ACM Comput. Surv. 50(4), 1–36 (2017)

  2. Islam, M.R., Zibran, M.F., Nagpal, A.: Security vulnerabilities in categories of clones and non-cloned code: an empirical study. In: 2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), pp. 20–29 (2017)

  3. Wi, S., Woo, S., et al.: HiddenCPG: large-scale vulnerable clone detection using subgraph isomorphism of code property graphs. In: Proceedings of the ACM Web Conference 2022, WWW 2022, pp. 755–766 (2022)

  4. Song, Z., Wang, J., Liu, S., Fang, Z., Yang, K.: HGVul: a code vulnerability detection method based on heterogeneous source-level intermediate representation. Secur. Commun. Netw. (2022)

  5. Mishra, S., Polychronakis, M.: Saffire: context-sensitive function specialization against code reuse attacks. In: 2020 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 17–33 (2020)

  6. Hum, Q., Tan, W.J., Tey, S.Y., et al.: Coinwatch: a clone-based approach for detecting vulnerabilities in cryptocurrencies. In: 2020 IEEE International Conference on Blockchain (Blockchain), pp. 17–25 (2020)

  7. Kwon, S., Woo, S., Seong, G., Lee, H.: OCTOPOCS: automatic verification of propagated vulnerable code using reformed proofs of concept. In: 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 174–185 (2021)

  8. Zhang, H., Sakurai, K.: A survey of software clone detection from security perspective. IEEE Access 9, 48157–48173 (2021)

  9. Li, J., Ernst, M.D.: CBCD: cloned buggy code detector. In: 2012 34th International Conference on Software Engineering (ICSE), pp. 310–320 (2012)

  10. Li, Z., Shan, L., Myagmar, S., Zhou, Y.: CP-miner: finding copy-paste and related bugs in large-scale software code. IEEE Trans. Software Eng. 32(3), 176–192 (2006)

  11. Jang, J., Agrawal, A., Brumley, D.: ReDeBug: finding unpatched code clones in entire OS distributions. In: 2012 IEEE Symposium on Security and Privacy, pp. 48–62. IEEE (2012)

  12. Kim, S., Woo, S., Lee, H., Oh, H.: VUDDY: a scalable approach for vulnerable code clone discovery. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 595–614 (2017)

  13. Zou, D., et al.: SCVD: a new semantics-based approach for cloned vulnerable code detection. In: Polychronakis, M., Meier, M. (eds.) DIMVA 2017. LNCS, vol. 10327, pp. 325–344. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60876-1_15

  14. Li, H., Kwon, H., Kwon, J., Lee, H.: CLORIFI: software vulnerability discovery using code clone verification. Concurr. Comput. Pract. Exp. 28(6), 1900–1917 (2016)

  15. Inoue, K., Roy, C.K.: Code Clone Analysis: Research, Tools, and Practices. Springer, Singapore (2021). https://doi.org/10.1007/978-981-16-1927-4

  16. Jiang, W.P., Wu, B., Jiang, Z., Yang, S.B.: Cloning vulnerability detection in driver layer of IoT devices. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds.) ICICS 2019. LNCS, vol. 11999, pp. 89–104. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41579-2_6

  17. Bowman, B., Huang, H.H.: VGRAPH: a robust vulnerable code clone detection system using code property triplets. In: 2020 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 53–69. IEEE (2020)

Acknowledgements

This work was supported in part by the National Science Foundation of China under Grant 61902262, in part by the National Key Research and Development Program of China under Grant 2018YFB0804103, Sichuan Science and Technology Program, Key Research and Development Projects (no. 2020YFG0461).

Corresponding author

Correspondence to Weina Niu.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Zhou, X., Niu, W., Zhang, X., Chen, R., Wang, Y. (2022). A Fine-Grained Approach for Vulnerabilities Discovery Using Augmented Vulnerability Signatures. In: Memmi, G., Yang, B., Kong, L., Zhang, T., Qiu, M. (eds) Knowledge Science, Engineering and Management. KSEM 2022. Lecture Notes in Computer Science, vol 13370. Springer, Cham. https://doi.org/10.1007/978-3-031-10989-8_3

  • DOI: https://doi.org/10.1007/978-3-031-10989-8_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-10988-1

  • Online ISBN: 978-3-031-10989-8

  • eBook Packages: Computer Science (R0)