Abstract
Identifying vulnerabilities in real-world applications is challenging. Currently, static analysis tools suffer from false positives, while runtime detection tools are free of false positives but too inefficient to achieve a full-spectrum examination. In this work, we propose MARVEL, a generic, scalable and effective vulnerability detection platform. Firstly, a lightweight static tool, LEOPARD, is designed and implemented to identify potentially vulnerable functions through program metrics. LEOPARD uses complexity metrics to group functions into a set of bins and then ranks the functions in each bin with vulnerability metrics. The top functions in each bin are identified as potentially vulnerable. Secondly, a directed grey-box fuzzer is designed to take the results from LEOPARD for further confirmation. Our design stands out with its ability to automatically group adjacent functions and orchestrate both macro-level function-directed fuzzing and micro-level path-condition-directed fuzzing. In our evaluation, LEOPARD covers 74.0% of vulnerable functions when identifying 20% of functions as vulnerable, and outperforms the baseline approaches. Further, three applications are proposed to demonstrate the usefulness of LEOPARD. As a result, we discovered 22 new bugs, eight of which are new vulnerabilities.
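The bin-then-rank selection described in the abstract, as an added example that is not taken from the paper or from the LEOPARD code. The function names, the scores, binning by exact complexity score and the round-up rule are assumptions, since the abstract does not name the metrics; the global ranking is included only for comparison on the constructed data.

```python
import math
from collections import defaultdict

# Constructed sample: (function name, complexity score, vulnerability score).
# Both scores stand for precomputed sums of per-function metrics; which
# metrics feed them is not stated on the page, so the values are made up.
FUNCTIONS = [
    ("parse_header", 2, 9),
    ("copy_field", 2, 4),
    ("log_msg", 2, 1),
    ("decode_frame", 7, 30),
    ("init_table", 7, 12),
    ("render", 7, 11),
    ("checksum", 7, 3),
    ("main_loop", 15, 40),
]


def bin_and_rank(functions, fraction):
    """Bin by complexity score, rank each bin by vulnerability score,
    and keep the top `fraction` of every bin (rounded up: an assumption)."""
    bins = defaultdict(list)
    for name, complexity, vuln in functions:
        bins[complexity].append((vuln, name))

    selected = []
    for complexity in sorted(bins):
        # Highest vulnerability score first; name breaks ties deterministically.
        ranked = sorted(bins[complexity], key=lambda item: (-item[0], item[1]))
        keep = math.ceil(fraction * len(ranked))
        selected.extend(name for _, name in ranked[:keep])
    return selected


def global_rank(functions, budget):
    """Comparison only: rank all functions by vulnerability score, no bins."""
    ranked = sorted(functions, key=lambda f: (-f[2], f[0]))
    return [name for name, _, _ in ranked[:budget]]


if __name__ == "__main__":
    picked = bin_and_rank(FUNCTIONS, 0.25)
    print("bin-then-rank:", picked)
    # Same review budget, but low-complexity functions drop out entirely.
    print("global rank  :", global_rank(FUNCTIONS, len(picked)))
```

On this sample the per-bin selection keeps one candidate from every complexity level, while the global ranking with the same budget returns only functions from the two most complex bins.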
Original language | English |
---|---|
Title of host publication | Proceedings - 2019 IEEE/ACM 41st International Conference on Software Engineering |
Subtitle of host publication | Companion Proceedings, ICSE-Companion 2019 |
Editors | Jianwei Niu, Xiaoyin Wang, Mechelle Gittens |
Publisher | IEEE, Institute of Electrical and Electronics Engineers |
Pages | 129-131 |
Number of pages | 3 |
ISBN (Electronic) | 9781728117645 |
Publication status | Published - May 2019 |
Externally published | Yes |
Event | International Conference on Software Engineering 2019 - Fairmont The Queen Elizabeth Hotel, Montreal, Canada; Duration: 25 May 2019 → 31 May 2019; Conference number: 41st; https://2019.icse-conferences.org/; https://ieeexplore.ieee.org/xpl/conhome/8790403/proceeding (Proceedings) |
Publication series
Name | Proceedings 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings ICSE-Companion 2019 |
---|---|
Publisher | IEEE, Institute of Electrical and Electronics Engineers |
ISSN (Print) | 2574-1926 |
ISSN (Electronic) | 2574-1934 |
Conference
Conference | International Conference on Software Engineering 2019 |
---|---|
Abbreviated title | ICSE 2019 |
Country/Territory | Canada |
City | Montreal |
Period | 25/05/19 → 31/05/19 |
Keywords
- Fuzzing
- Program metric
- Vulnerability