LEOPARD: identifying vulnerable code for vulnerability assessment through program metrics

Xiaoning Du, Bihuan Chen, Yuekang Li, Jianmin Guo, Yaqin Zhou, Yang Liu, Yu Jiang

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

13 Citations (Scopus)

Abstract

Identifying potentially vulnerable locations in a code base is critical as a pre-step for effective vulnerability assessment; i.e., it can greatly help security experts put their time and effort to where it is needed most. Metric-based and pattern-based methods have been presented for identifying vulnerable code. The former relies on machine learning and cannot work well due to the severe imbalance between non-vulnerable and vulnerable code or lack of features to characterize vulnerabilities. The latter needs the prior knowledge of known vulnerabilities and can only identify similar but not new types of vulnerabilities. In this paper, we propose and implement a generic, lightweight and extensible framework, LEOPARD, to identify potentially vulnerable functions through program metrics. LEOPARD requires no prior knowledge about known vulnerabilities. It has two steps by combining two sets of systematically derived metrics. First, it uses complexity metrics to group the functions in a target application into a set of bins. Then, it uses vulnerability metrics to rank the functions in each bin and identifies the top ones as potentially vulnerable. Our experimental results on 11 real-world projects have demonstrated that, LEOPARD can cover 74.0% of vulnerable functions by identifying 20% of functions as vulnerable and outperform machine learning-based and static analysis-based techniques. We further propose three applications of LEOPARD for manual code review and fuzzing, through which we discovered 22 new bugs in real applications like PHP, radare2 and FFmpeg, and eight of them are new vulnerabilities.

Original languageEnglish
Title of host publication2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE 2019)
EditorsTevfik Bultan, Jon Whittle
Place of PublicationPiscataway NJ USA
PublisherIEEE, Institute of Electrical and Electronics Engineers
Pages60-71
Number of pages12
ISBN (Electronic)9781728108698
ISBN (Print)9781728108704
DOIs
Publication statusPublished - 2019
Externally publishedYes
EventInternational Conference on Software Engineering 2019 - Fairmont The Queen Elizabeth Hotel, Montreal, Canada
Duration: 25 May 201931 May 2019
Conference number: 41st
https://2019.icse-conferences.org/home
https://2019.icse-conferences.org/

Publication series

NameProceedings - International Conference on Software Engineering
PublisherInstitute of Electrical and Electronics Engineers, Inc.
Volume2019-May
ISSN (Print)0270-5257
ISSN (Electronic)1558-1225

Conference

ConferenceInternational Conference on Software Engineering 2019
Abbreviated titleICSE 2019
CountryCanada
CityMontreal
Period25/05/1931/05/19
OtherNew Ideas and Emerging Results 2019
Internet address

Keywords

  • Fuzzing
  • Program Metric
  • Vulnerability

Cite this