Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms

Dongyu Meng, Michele Guerriero, Aravind Machiry, Hojjat Aghakhani, Priyanka Bose, Andrea Continella, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

4 Citations (Scopus)
95 Downloads (Pure)

Abstract

Software is continually increasing in size and complexity, and therefore, vulnerability discovery would benefit from techniques that identify potentially vulnerable regions within large code bases, as this allows for easing vulnerability detection tools by reducing their search space. Previous work has explored the use of conventional code-quality and complexity metrics in highlighting suspicious sections of (source) code. Recently, researchers also proposed to reduce the vulnerability search space by studying code property with neural networks. However, previous work generally failed in leveraging the rich metadata available for long-running, large code repositories. In this paper, we present an approach (Bran) to reduce the vulnerability search space by combining conventional code metrics with fine-grained repository metadata. Bran locates code sections that are more likely to contain vulnerabilities in large code bases, potentially improving the efficiency of both manual and automatic code audits. In our experiments on four large code bases, Bran successfully highlighted potentially vulnerable functions, outperforming several baselines, including state-of-art vulnerability prediction tools. We also assess Bran’s effectiveness in assisting automated testing tools. We use Bran to guide syzkaller, a known kernel fuzzer, in fuzzing a recent version of the Linux kernel. The guided fuzzer identified 26 bugs (10 are zero-day flaws), including arbitrary writes and reads.
Original languageEnglish
Title of host publicationACM ASIA Conference on Computer and Communications Security (ASIACCS)
Pages731-743
Number of pages13
DOIs
Publication statusPublished - 24 May 2021
Event16th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2021 - Virtual Event
Duration: 7 Jun 202111 Jun 2021
Conference number: 16
https://asiaccs2021.comp.polyu.edu.hk/

Conference

Conference16th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2021
Abbreviated titleACM ASIACCS 2021
CityVirtual Event
Period7/06/2111/06/21
Internet address

Keywords

  • Cybersecurity

Fingerprint

Dive into the research topics of 'Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms'. Together they form a unique fingerprint.

Cite this