MARVEL: a generic, scalable and effective vulnerability detection platform

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Other

1 Citation (Scopus)

Abstract

Identifying vulnerabilities in real-world applications is challenging. Currently, static analysis tools are concerned with false positives; runtime detection tools are free of false positives but inefficient to achieve a full spectrum examination. In this work, we propose MARVEL, a generic, scalable and effective vulnerability detection platform. Firstly, a lightweight static tool, LEOPARD, is designed and implemented to identify potentially vulnerable functions through program metrics. LEOPARD uses complexity metrics to group functions into a set of bins and then ranks functions in each bin with vulnerability metrics. Top functions in each bin are identified as potentially vulnerable. Secondly, a directed grey-box fuzzer is designed to take the results from LEOPARD for further confirmation. Our design stands out with the ability to automatically group adjacent functions and orchestrate both the macro-level function-directed fuzzing and the micro-level path-condition-directed fuzzing. LEOPARD is evaluated to cover 74.0% of vulnerable functions when identifying 20% of functions as vulnerable, and outperforms the baseline approaches. Further, three applications are proposed to demonstrate the usefulness of LEOPARD. As a result, we discovered 22 new bugs, and eight of them are new vulnerabilities.

Original language: English
Title of host publication: Proceedings - 2019 IEEE/ACM 41st International Conference on Software Engineering
Subtitle of host publication: Companion Proceedings, ICSE-Companion 2019
Editors: Jianwei Niu, Xiaoyin Wang, Mechelle Gittens
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 129-131
Number of pages: 3
ISBN (Electronic): 9781728117645
Publication status: Published - May 2019
Externally published: Yes
Event: International Conference on Software Engineering 2019 - Fairmont The Queen Elizabeth Hotel, Montreal, Canada
Duration: 25 May 2019 to 31 May 2019
Conference number: 41st
https://2019.icse-conferences.org/
https://ieeexplore.ieee.org/xpl/conhome/8790403/proceeding (Proceedings)

Publication series

Name: Proceedings 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings ICSE-Companion 2019
Publisher: IEEE, Institute of Electrical and Electronics Engineers
ISSN (Print): 2574-1926
ISSN (Electronic): 2574-1934

Conference

Conference: International Conference on Software Engineering 2019
Abbreviated title: ICSE 2019
Country/Territory: Canada
City: Montreal
Period: 25/05/19 to 31/05/19

Keywords

  • Fuzzing
  • Program metric
  • Vulnerability
