Open Access

A Memory-Related Vulnerability Detection Approach Based on Vulnerability Features

Jinchang Hu, Jinfu Chen, Lin Zhang, Yisong Liu, Qihao Bao, Hilary Ackah-Arthur, Chi Zhang
School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China.

Abstract

Developing secure software systems is a major challenge in the software industry due to errors or weaknesses that bring vulnerabilities to the software system. To address this challenge, researchers often use the source code features of vulnerabilities to improve vulnerability detection. Notwithstanding the success achieved by these techniques, the existing studies mainly focus on the conceptual description without an accurate definition of vulnerability features. In this study, we introduce a novel and efficient Memory-Related Vulnerability Detection Approach using Vulnerability Features (MRVDAVF). Our framework uses three distinct strategies to improve vulnerability detection. In the first stage, we introduce an improved Control Flow Graph (CFG) and Pointer-related Control Flow Graph (PCFG) to describe the features of some common vulnerabilities, including memory leak, double-free, and use-after-free. Afterward, two algorithms, namely Vulnerability Judging algorithm based on Vulnerability Feature (VJVF) and Feature Judging (FJ) algorithm, are employed to detect memory-related vulnerabilities. Finally, the proposed model is validated using three test cases obtained from Juliet Test Suite. The experimental results show that the proposed approach is feasible and effective.

Tsinghua Science and Technology
Pages 604-613
Cite this article:
Hu J, Chen J, Zhang L, et al. A Memory-Related Vulnerability Detection Approach Based on Vulnerability Features. Tsinghua Science and Technology, 2020, 25(5): 604-613. https://doi.org/10.26599/TST.2019.9010068

Received: 24 October 2019
Accepted: 05 November 2019
Published: 16 March 2020
© The author(s) 2020

The articles published in this open access journal are distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).
