ASVG: Automated Software Vulnerability Sample Generation Technology Based on Source Code

  • Conference paper

Part of the book series: Lecture Notes on Data Engineering and Communications Technologies (LNDECT, volume 25)

Abstract

Software fuzzing is widely used in automated software vulnerability mining. To improve efficiency, techniques such as symbolic execution and taint tracking have been applied to fuzzing. Because uniform, standardized test samples are lacking, researchers can only test against existing software. Comparisons with existing techniques are therefore affected by sample differences, and the advantages and disadvantages of different techniques cannot be measured accurately. In this paper, we propose a source-based technique for automatically generating software vulnerabilities: it analyzes the structural characteristics of the source code to find potential vulnerability insertion points and, combined with known vulnerability types, automatically inserts vulnerabilities into the source code. We selected open source projects such as coreutils as test targets and inserted multiple vulnerabilities into their source code. By providing standardized samples of vulnerable programs, we create a basis for judgement.

Acknowledgments

Thanks to Chen Chen, Baojiang Cui, and Zijian Li for their reference during the research process and the preparation of the paper.

Author information

Corresponding authors

Correspondence to Jun Yang, Peng Zhou or Yunze Ni.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Yang, J., Zhou, P., Ni, Y. (2019). ASVG: Automated Software Vulnerability Sample Generation Technology Based on Source Code. In: Barolli, L., Leu, FY., Enokido, T., Chen, HC. (eds) Advances on Broadband and Wireless Computing, Communication and Applications. BWCCA 2018. Lecture Notes on Data Engineering and Communications Technologies, vol 25. Springer, Cham. https://doi.org/10.1007/978-3-030-02613-4_28

  • DOI: https://doi.org/10.1007/978-3-030-02613-4_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02612-7

  • Online ISBN: 978-3-030-02613-4

  • eBook Packages: Engineering, Engineering (R0)
