Access the full text.
Sign up today, get DeepDyve free for 14 days.
Loading next page...
/lp/association-for-computing-machinery/deepwukong-rYchRd0Qo5
References
References for this paper are not available at this time. We will be adding them shortly, thank you for your patience.
- Publisher
- Association for Computing Machinery
- Copyright
- Copyright © 2021 ACM
- ISSN
- 1049-331X
- eISSN
- 1557-7392
- DOI
- 10.1145/3436877
- Publisher site
- See Article on Publisher Site
Abstract
Static bug detection has shown its effectiveness in detecting well-defined memory errors, e.g., memory leaks, buffer overflows, and null dereference. However, modern software systems have a wide variety of vulnerabilities. These vulnerabilities are extremely complicated with sophisticated programming logic, and these bugs are often caused by different bad programming practices, challenging existing bug detection solutions. It is hard and labor-intensive to develop precise and efficient static analysis solutions for different types of vulnerabilities, particularly for those that may not have a clear specification as the traditional well-defined vulnerabilities. This article presents DeepWukong, a new deep-learning-based embedding approach to static detection of software vulnerabilities for C/C++ programs. Our approach makes a new attempt by leveraging advanced recent graph neural networks to embed code fragments in a compact and low-dimensional representation, producing a new code representation that preserves high-level programming logic (in the form of control- and data-flows) together with the natural language information of a program. Our evaluation studies the top 10 most common C/C++ vulnerabilities during the past 3 years. We have conducted our experiments using 105,428 real-world programs by comparing our approach with four well-known traditional static vulnerability detectors and three state-of-the-art deep-learning-based approaches. The experimental results demonstrate the effectiveness of our research and have shed light on the promising direction of combining program analysis with deep learning techniques to address the general static code analysis challenges.
Journal
ACM Transactions on Software Engineering and Methodology (TOSEM) – Association for Computing Machinery
Published: Apr 23, 2021
Keywords: Static analysis
Recommended Articles
Loading...
References
-
National Vulnerability DatabaseLaboratory, American Information Technology
-
Clang static analyzerInc, Apple
-
CoveritySynopsys,
-
HP FortifyFocus, Micro
-
FlawfinderWheeler, David A.
-
InferFacebook,
-
ITS4: A static vulnerability scanner for C and C++ codeViega, J.; Bloch, J. T.; Kohno, Y.; McGraw, G.
-
RATSSoftware, Inc Secure
-
CheckmarxIsrael,
-
SVF: Interprocedural Static Value-Flow Analysis in LLVMSui, Yulei; Xue, Jingling
-
Toward large-scale vulnerability discovery using machine learningGrieco, Gustavo; Grinblat, Guillermo Luis; Uzal, Lucas; Rawat, Sanjay; Feist, Josselin; Mounier, Laurent
-
The beauty and the beast: Vulnerabilities in red hat’s packagesNeuhaus, Stephan; Zimmermann, Thomas
-
Predicting vulnerable software componentsNeuhaus, Stephan; Zimmermann, Thomas; Holler, Christian; Zeller, Andreas
-
Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilitiesShin, Yonghee; Meneely, Andrew; Williams, Laurie; Osborne, Jason A.
-
Static detection of control-flow-related vulnerabilities using graph embeddingCheng, X.; Wang, H.; Hua, J.; Zhang, M.; Xu, G.; Yi, L.; Sui, Y.
-
Toward deep learning software repositoriesWhite, Martin; Vendome, Christopher; Linares-Vásquez, Mario; Poshyvanyk, Denys
-
Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networksZhou, YaQin; Liu, Shangqing; Siow, Jingkai; Du, Xiaoning; Liu, Yang
-
VulDeePecker: A deep learning-based system for vulnerability detectionLi, Zhen; Zou, Deqing; Xu, Shouhuai; Ou, Xinyu; Jin, Hai; Wang, Sujuan; Deng, Zhijun; Zhong, Yuyi
-
Distributed representations of words and phrases and their compositionalityMikolov, Tomas; Sutskever, Ilya; Chen, Kai; Corrado, Greg; Dean, Jeffrey
-
Distributed representations of sentences and documentsLe, Quoc V.; Mikolov, Tomas
-
Learning to represent programs with graphsAllamanis, Miltiadis; Brockschmidt, Marc; Khademi, Mahmoud
-
Software Assurance Reference DatasetLaboratory, American Information Technology
-
Semi-supervised classification with graph convolutional networksKipf, Thomas N.; Welling, Max
-
Graph attention networksVeličković, Petar; Cucurull, Guillem; Casanova, Arantxa; Romero, Adriana; Liò, Pietro; Bengio, Yoshua
-
Weisfeiler and Leman Go Neural: Higher-order graph neural networksMorris, Christopher; Ritzert, Martin; Fey, Matthias; Hamilton, William L.; Lenssen, Jan Eric; Rattan, Gaurav; Grohe, Martin
-
APT: A data structure for optimal control dependence computationPingali, Keshav; Bilardi, Gianfranco
-
Flow-sensitive pointer analysis for millions of lines of codeHardekopf, Ben; Lin, Calvin
-
StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacksCowan, Crispin; Pu, Calton; Maier, Dave; Hintony, Heather; Walpole, Jonathan; Bakke, Peat; Beattie, Steve; Grier, Aaron; Wagle, Perry; Zhang, Qian
-
Buffer overflows: Attacks and defenses for the vulnerability of the decadeCowan, C.; Wagle, F.; Pu, Calton; Beattie, S.; Walpole, J.
-
AntlrParr, Terence
-
Program slicingWeiser, Mark
-
DeepFix: Fixing common C language errors by deep learningGupta, Rahul; Pal, Soham; Kanade, Aditya; Shevade, Shirish K.
-
A stochastic approximation methodRobbins, H.
-
Towards Sparse Hierarchical Graph ClassifiersCangea, Cǎtǎline; Veličković, Petar; Jovanović, Nikola; Kipf, Thomas; Liò, Pietro
-
Representation learning on graphs with jumping knowledge networksXu, Keyulu; Li, Chengtao; Tian, Yonglong; Sonobe, Tomohiro; Kawarabayashi, Ken-ichi; Jegelka, Stefanie
-
How powerful are graph neural networks?CoRR abs/1810Xu, Keyulu; Hu, Weihua; Leskovec, Jure; Jegelka, Stefanie
-
Multilayer perceptron: Architecture optimization and training with mixed activation functionsRamchoun, H.; Idrissi, M. A. Janati; Ghanou, Y.; Ettaouil, M.
-
Cloud security engineering: Early stages of SDLCAljawarneh, Shadi A.; Alawneh, Ali; Jaradat, Reem
-
Evaluation of static analysis tools for software securityAlBreiki, H. H.; Mahmoud, Q. H.
-
Automated identification of security issues from commit messages and bug reportsZhou, Yaqin; Sharma, Asankhaya
-
Fast graph representation learning with PyTorch geometricFey, Matthias; Lenssen, Jan E.
-
Adam: A method for stochastic optimizationKingma, Diederik P.; Ba, Jimmy
-
A survey on systems security metricsPendleton, Marcus; Garcia-Lebron, Richard; Cho, Jin-Hee; Xu, Shouhuai
-
Evaluation: From precision, recall and F-measure to ROC, informedness, markedness & correlationPowers, D. M. W.
-
Algorithmic data science (invited talk)Mutzel, Petra
-
Code Injection in C and C++: A Survey of Vulnerabilities and CountermeasuresYounan, Yves; Joosen, Wouter; Piessens, Frank
-
The UC Davis Reducing Software Security Risk through an Integrated Approach Project
-
Smallfoot: Modular automatic assertion checking with separation logicBerdine, Josh; Calcagno, Cristiano; O’Hearn, Peter W.
-
Compositional shape analysis by means of bi-abductionCalcagno, Cristiano; Distefano, Dino; O’Hearn, Peter; Yang, Hongseok
-
Chucky: Exposing missing checks in source code for vulnerability discoveryYamaguchi, Fabian; Wressnegger, Christian; Gascon, Hugo; Rieck, Konrad
-
Automatic inference of search patterns for taint-style vulnerabilitiesYamaguchi, F.; Maier, A.; Gascon, H.; Rieck, K.
-
Automatic discovery and quantification of information leaksBackes, M.; Köpf, B.; Rybalchenko, A.
-
ReDeBug: Finding unpatched code clones in entire OS distributionsJang, J.; Agrawal, A.; Brumley, D.
-
VUDDY: A scalable approach for vulnerable code clone discoveryKim, S.; Woo, S.; Lee, H.; Oh, H.
-
Detection of recurring software vulnerabilitiesPham, Nam H.; Nguyen, Tung Thanh; Nguyen, Hoan Anh; Nguyen, Tien N.
-
DeepBugs: A learning approach to name-based bug detectionPradel, Michael; Sen, Koushik
-
Machine-learning-guided typestate analysis for static use-after-free detectionYan, Hua; Sui, Yulei; Chen, Shiping; Xue, Jingling
-
Identifying redundancy in source code using fingerprintsJohnson, J. Howard
-
Substring matching for clone detection and change trackingJohnson, J. Howard
-
Visualizing textual redundancy in legacy sourceJohnson, J. Howard
-
NICAD: Accurate detection of near-miss intentional clones using flexible pretty-printing and code normalizationRoy, C. K.; Cordy, J. R.
-
CCFinder: A multilinguistic token-based code clone detection system for large scale source codeKamiya, T.; Kusumoto, S.; Inoue, K.
-
CP-miner: Finding copy-paste and related bugs in large-scale software codeLi, Z.; Lu, S.; Myagmar, S.; Zhou, Y.
-
A parallel and efficient approach to large scale clone detectionSajnani, H.; Lopes, C.
-
SourcererCC: Scaling code clone detection to big-codeSajnani, Hitesh; Saini, Vaibhav; Svajlenko, Jeffrey; Roy, Chanchal K.; Lopes, Cristina V.
-
A novel neural source code representation based on abstract syntax treeZhang, Jian; Wang, Xu; Zhang, Hongyu; Sun, Hailong; Wang, Kaixuan; Liu, Xudong
-
Automatically learning semantic features for defect predictionWang, Song; Liu, Taiyue; Tan, Lin
-
Code2Vec: Learning distributed representations of codeAlon, Uri; Zilberstein, Meital; Levy, Omer; Yahav, Eran
-
Achieving accuracy and scalability simultaneously in detecting application clones on Android marketsChen, Kai; Liu, Peng; Zhang, Yingjun
-
Scalable detection of semantic clonesGabel, Mark; Jiang, Lingxiao; Su, Zhendong
-
Using slicing to identify duplication in source codeKomondoor, Raghavan; Horwitz, Susan
-
Identifying similar code with program dependence graphsKrinke, Jens
-
GPLAG: Detection of software plagiarism by program dependence graph analysisLiu, Chao; Chen, Fen; Han, Jiawei; Yu, Philip
-
Flow2Vec: Value-flow-based precise code embeddingSui, Yulei; Cheng, Xiao; Zhang, Guanqin; Wang, Haoyu
-
Deep learning code fragments for code clone detectionWhite, Martin; Tufano, Michele; Vendome, Christopher; Poshyvanyk, Denys