Abstract
In recent years, much research on automatic exploit generation and automatic patching techniques has been published. A notable example is the CGC (Cyber Grand Challenge) hosted by DARPA, a hacking competition held between machines that find vulnerabilities, automatically generate exploits, and automatically patch them. In the CGC, the systems were built to run on the competition's own platform, which allows only 7 system calls. In a real environment, however, there are many more system calls and software runs on complicated architectures. To apply the vulnerability detection and patching process effectively in a real environment, it is necessary to identify the point that causes the vulnerability. In this paper, we introduce methods for analyzing the root cause of vulnerabilities, divided into three parts: fault localization, code pattern similarity analysis, and taint analysis.
Acknowledgments
This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2017-0-00184, Self-Learning Cyber Immune Technology Development).
Copyright information
© 2019 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Jurn, J., Kim, T., Kim, H. (2019). A Survey of Automated Root Cause Analysis of Software Vulnerability. In: Barolli, L., Xhafa, F., Javaid, N., Enokido, T. (eds) Innovative Mobile and Internet Services in Ubiquitous Computing. IMIS 2018. Advances in Intelligent Systems and Computing, vol 773. Springer, Cham. https://doi.org/10.1007/978-3-319-93554-6_74
DOI: https://doi.org/10.1007/978-3-319-93554-6_74
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93553-9
Online ISBN: 978-3-319-93554-6
eBook Packages: Intelligent Technologies and Robotics (R0)