Abstract
With the spread of the Internet of Things (IoT), the IoT operating systems have correspondingly increased and brought more potential security risks. For instance, it is not hard to find that many driver layer codes in IoT operating systems could come directly from open source projects, where the vulnerabilities would also be propagated. These vulnerabilities could leak sensitive information and even lead to arbitrary code execution. However, existing clone detecting tools have limitations, especially for clones with minor modifications. In this paper, we propose a method that can detect not only exact clones, but also clones with additions, deletions, and partial modifications. The proposed method uses code patches and program slicing to get precisely fingerprint of the restructured clones. Then the fingerprint matching is achieved through a greedy-based optimization algorithm. Afterwards, the detecting tool called RCVD is implemented based on the proposed method. Finally, the experimental results indicate that the method has a significant effect on detecting restructured cloning vulnerabilities. By this means, the Orange Pi and WisCam have been detected dozens of clone-caused vulnerabilities in the code of driver.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Kim, S., Woo, S., Lee, H., Oh, H.: Vuddy: a scalable approach for vulnerable code clone discovery. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 595–614. IEEE, May 2017
Li, Z., Zou, D., Xu, S., Jin, H., Qi, H., Hu, J.: VulPecker: an automated vulnerability detection system based on code similarity analysis. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 201–213. ACM, December 2016
Li, Z., et al.: VulDeePecker: a deep learning-based system for vulnerability detection. In: Proceedings of the 25th Annual Network and Distributed System Security Symposium, San Diego, California, USA (2018)
Kamiya, T., Kusumoto, S., Inoue, K.: CCFinder: a multilinguistic token-based code clone detection system for large scale source code. IEEE Trans. Software Eng. 28(7), 654–670 (2002)
Jiang, L., Misherghi, G., Su, Z., Glondu, S.: Deckard: scalable and accurate tree-based detection of code clones. In: Proceedings of the 29th International Conference on Software Engineering, pp. 96–105. IEEE Computer Society, May 2007
Pham, N.H., Nguyen, T.T., Nguyen, H.A., Wang, X., Nguyen, A.T., Nguyen, T.N.: Detecting recurring and similar software vulnerabilities. In: Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering-Volume 2, pp. 227–230. ACM, May 2010
Li, J., Ernst, M.D.: CBCD: Cloned buggy code detector. In: Proceedings of the 34th International Conference on Software Engineering, pp. 310–320. IEEE Press, New Jersey, June 2012
Jang, J., Agrawal, A., Brumley, D.: ReDeBug: finding unpatched code clones in entire os distributions. In: 2012 IEEE Symposium on Security and Privacy, pp. 48–62. IEEE, May 2012
Li, H., Kwon, H., Kwon, J., Lee, H.: CLORIFI: software vulnerability discovery using code clone verification. Concurrency Comput. Pract. Experience 28(6), 1900–1917 (2016)
Gan, S., Qin, X., Chen, Z., Wang, L.: Software vulnerability code clone detection method based on characteristic metrics. J. Softw. 26(2), 348–363 (2015)
Liu, Z., Wei, Q., Cao, Y.: Vfdetect: a vulnerable code clone detection system based on vulnerability fingerprint. In: 2017 IEEE 3rd Information Technology and Mechatronics Engineering Conference (ITOEC), pp. 548–553. IEEE, October 2017
Nishi, M.A., Damevski, K.: Scalable code clone detection and search based on adaptive prefix filtering. J. Syst. Softw. 137, 130–142 (2018)
Lin, G., et al.: Cross-project transfer representation learning for vulnerable function discovery. IEEE Trans. Ind. Inform. 14(7), 3289–3297 (2018)
Zhang, Z.K., Cho, M.C.Y., Wang, C.W., Hsu, C.W., Chen, C.K., Shieh, S.: IoT security: ongoing challenges and research opportunities. In: 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications, pp. 230–234. IEEE, November 2014
Weiser, M.: Program slicing. In: Proceedings of the 5th International Conference on Software Engineering, pp. 439–449. IEEE Press, New Jersey, March 1981
Korel, B., Laski, J.: Dynamic slicing of computer programs. J. Syst. Softw. 13(3), 187–195 (1990)
Roy, C.K., Cordy, J.R., Koschke, R.: Comparison and evaluation of code clone detection techniques and tools: a qualitative approach. Sci. Comput. Program. 74(7), 470–495 (2009)
Jiang, L., Su, Z., Chiu, E.: Context-based detection of clone-related bugs. In: Proceedings of the the 6th Joint Meeting of the European Software Engineering Conference and The ACM SIGSOFT Symposium on The Foundations of Software Engineering, pp. 55–64. ACM, September 2007
Li, Z., Lu, S., Myagmar, S., Zhou, Y.: CP-Miner: a tool for finding copy-paste and related bugs in operating system code. In: OSdi, vol. 4, no. 19, pp. 289–302, December 2004
Sajnani, H., Saini, V., Svajlenko, J., Roy, C.K., Lopes, C.V.: Sourcerercc: scaling code clone detection to big-code. In: 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE), pp. 1157–1168. IEEE, May 2016
joern. https://joern.readthedocs.io
Yamaguchi, F., Lindner, F., Rieck, K.: Vulnerability extrapolation: assisted discovery of vulnerabilities using machine learning. In: Proceedings of the 5th USENIX Conference on Offensive Technologies, pp. 13. USENIX Association, August 2011
Xu, B., Qian, J., Zhang, X., Wu, Z., Chen, L.: A brief survey of program slicing. ACM SIGSOFT Softw. Eng. Notes 30(2), 1–36 (2005)
Orange Pi. http://www.orangepi.org/
Common Vulnerabilities and Exposure. https://cve.mitre.org/index.html
Acknowledgements
This work was supported by the National Key R&D Program of China under Grant No. 2017YFC0821705, National Key R&D Program of China under Grant No. 2019QY(Y)0602 and National Natural Science Foundation of China under Grant No. U1536202.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Jiang, W., Wu, B., Jiang, Z., Yang, S. (2020). Cloning Vulnerability Detection in Driver Layer of IoT Devices. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science(), vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-41579-2_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41578-5
Online ISBN: 978-3-030-41579-2
eBook Packages: Computer ScienceComputer Science (R0)