ABSTRACT
New software security vulnerabilities are discovered on an almost daily basis, and it is vital to identify and resolve them as early as possible. Fortunately, many software vulnerabilities are recurring or very similar; thus, one could effectively detect and fix a vulnerability in a system by consulting similar vulnerabilities and their fixes in other systems. In this paper, we propose SecureSync, an automatic approach to detect and provide suggested resolutions for recurring software vulnerabilities across multiple systems that share or use similar code or API libraries. The core of SecureSync includes a usage model and a mapping algorithm for matching vulnerable code across different systems, a model for comparing vulnerability reports, and a tracing technique from a report to the corresponding source code. Our preliminary evaluation with case studies showed the potential usefulness of SecureSync.
Index Terms
- Detecting recurring and similar software vulnerabilities