Skip to main content
SpringerLink
Log in

A Security-Sensitive Function Mining Framework for Source Code

  • Conference paper
  • First Online:
Artificial Intelligence and Security (ICAIS 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11635))

Included in the following conference series:

  • 2158 Accesses

Abstract

The security-sensitive functions can be effectively used to improve the efficiency of vulnerability mining techniques, but mining security-sensitive functions of the large-scale code base is difficult. An automatic mining framework for security-sensitive functions is proposed. Firstly, a class of high-resolution code features is used to extract suspected security-sensitive function sets, and then a class of code features is applied to measure the sensitivity of each suspected security-sensitive function. Ultimately, the final security-sensitive function set is ensured based on the measurement result. Established along the framework, a mining algorithm for a type security-sensitive function is proposed. Through the mining experiments on three well-known open source codes, the performance of this algorithm is better than the existing methods.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Acharya, M., Xie, T.: Mining API error-handling specifications from source code. In: Chechik, M., Wirsing, M. (eds.) FASE 2009. LNCS, vol. 5503, pp. 370–384. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00593-0_25

    Chapter  Google Scholar 

  2. Bian, P., Liang, B., Zhang, Y., Yang, C., Shi, W., Cai, Y.: Detecting bugs by discovering expectations and their violations. IEEE Trans. Softw. Eng. 1 (2018)

    Google Scholar 

  3. Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, pp. 209–224. USENIX Association, Berkeley (2008)

    Google Scholar 

  4. Chen, L., Yang, C., Liu, F., Gong, D., Ding, S.: Automatic mining of security-sensitive functions from source code. CMC 56, 199–210 (2018)

    Google Scholar 

  5. Engler, D., Chen, D.Y., Hallem, S., Chou, A., Chelf, B.: Bugs as deviant behavior: a general approach to inferring errors in systems code. In: Proceedings of the Eighteenth ACM Symposium on Operating Systems Principles, pp. 57–72. ACM, New York (2001)

    Google Scholar 

  6. Engler, D., Musuvathi, M.: Static analysis versus software model checking for bug finding. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 191–210. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24622-0_17

    Chapter  Google Scholar 

  7. Ganesh, V., Leek, T., Rinard, M.: Taint-based directed whitebox fuzzing. In: Proceedings of the 31st International Conference on Software Engineering, pp. 474–484. IEEE Computer Society, Washington, DC (2009)

    Google Scholar 

  8. Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 213–223. ACM, New York (2005)

    Google Scholar 

  9. Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated whitebox fuzz testing. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2008, San Diego, California, USA, 10–13 February 2008, p. 16 (2008)

    Google Scholar 

  10. Haller, I., Slowinska, A., Neugschwandtner, M., Bos, H.: Dowsing for overflows: a guided fuzzer to find buffer boundary violations. In: Proceedings of the 22nd USENIX Security Symposium, Washington, DC, USA, 14–16 August 2013, pp. 49–64 (2013)

    Google Scholar 

  11. Liang, B., Bian, P., Zhang, Y., Shi, W., You, W., Cai, Y.: AntMiner: mining more bugs by reducing noise interference. In: 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE), pp. 333–344. ACM Press, New York (2016)

    Google Scholar 

  12. Majumdar, R., Wang, Z.: BBS: a phase-bounded model checker for asynchronous programs. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 496–503. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_33

    Chapter  Google Scholar 

  13. Malhotra, R.: A systematic review of machine learning techniques for software fault prediction. Appl. Soft Comput. 27, 504–518 (2015)

    Google Scholar 

  14. Yamaguchi, F., Maier, A., Gascon, H., Rieck, K.: Automatic inference of search patterns for taint-style vulnerabilities. In: 2015 IEEE Symposium on Security and Privacy, pp. 797–812. IEEE (2015)

    Google Scholar 

  15. Xi, X., Sheng, S., Sun, B., Wang, L., Hu, F.: An empirical comparison on multi-target regression learning. CMC 56, 185–198 (2018)

    Google Scholar 

Download references

Acknowledgments

This study was supported in part by the National Natural Science Foundation of China (Nos. 61401512, 61602508, 61772549, U1636219, and U1736214), the National Key R&D Program of China (Nos. 2016YFB0801303 and 2016QY01W0105), the Key Technologies R&D Program of Henan Province (No. 162102210032), and the Key Science and Technology Research Project of Henan Province (No. 152102210005).

Author information

Authors and Affiliations

  1. Zhengzhou Science and Technology Institute, Zhengzhou, 450001, China

    Lin Chen, Chunfang Yang, Fenlin Liu & Daofu Gong

  2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, 450001, China

    Lin Chen, Chunfang Yang, Fenlin Liu & Daofu Gong

  3. University of Göttingen, Goldschmidtstr. 7, 37077, Göttingen, Germany

    Shichang Ding

Authors
  1. Lin Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chunfang Yang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Fenlin Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Daofu Gong
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Shichang Ding
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Chunfang Yang .

Editor information

Editors and Affiliations

  1. Nanjing University of Information Science and Technology, Nanjing, China

    Xingming Sun

  2. Nanjing University of Information Science and Technology, Nanjing, China

    Zhaoqing Pan

  3. Purdue University, West Lafayette, IN, USA

    Elisa Bertino

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Chen, L., Yang, C., Liu, F., Gong, D., Ding, S. (2019). A Security-Sensitive Function Mining Framework for Source Code. In: Sun, X., Pan, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2019. Lecture Notes in Computer Science(), vol 11635. Springer, Cham. https://doi.org/10.1007/978-3-030-24268-8_39

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-24268-8_39

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-24267-1

  • Online ISBN: 978-3-030-24268-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation