Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms

Dongyu Meng; Michele Guerriero; Aravind Machiry; Hojjat Aghakhani; Priyanka Bose; Andrea Continella; Christopher Kruegel; Giovanni Vigna

doi:10.1145/3433210.3453115

Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms

Dongyu Meng, Michele Guerriero, Aravind Machiry, Hojjat Aghakhani, Priyanka Bose, Andrea Continella, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

4 Citations (Scopus)

95 Downloads (Pure)

Abstract

Software is continually increasing in size and complexity, and therefore, vulnerability discovery would benefit from techniques that identify potentially vulnerable regions within large code bases, as this allows for easing vulnerability detection tools by reducing their search space. Previous work has explored the use of conventional code-quality and complexity metrics in highlighting suspicious sections of (source) code. Recently, researchers also proposed to reduce the vulnerability search space by studying code property with neural networks. However, previous work generally failed in leveraging the rich metadata available for long-running, large code repositories. In this paper, we present an approach (Bran) to reduce the vulnerability search space by combining conventional code metrics with fine-grained repository metadata. Bran locates code sections that are more likely to contain vulnerabilities in large code bases, potentially improving the efficiency of both manual and automatic code audits. In our experiments on four large code bases, Bran successfully highlighted potentially vulnerable functions, outperforming several baselines, including state-of-art vulnerability prediction tools. We also assess Bran’s effectiveness in assisting automated testing tools. We use Bran to guide syzkaller, a known kernel fuzzer, in fuzzing a recent version of the Linux kernel. The guided fuzzer identified 26 bugs (10 are zero-day flaws), including arbitrary writes and reads.

Original language	English
Title of host publication	ACM ASIA Conference on Computer and Communications Security (ASIACCS)
Pages	731-743
Number of pages	13
DOIs	https://doi.org/10.1145/3433210.3453115
Publication status	Published - 24 May 2021
Event	16th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2021 - Virtual Event Duration: 7 Jun 2021 → 11 Jun 2021 Conference number: 16 https://asiaccs2021.comp.polyu.edu.hk/

Conference

Conference	16th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2021
Abbreviated title	ACM ASIACCS 2021
City	Virtual Event
Period	7/06/21 → 11/06/21
Internet address	https://asiaccs2021.comp.polyu.edu.hk/

Keywords

Cybersecurity

Access to Document

10.1145/3433210.3453115Licence: CC BY

branFinal published version, 819 KBLicence: CC BY

Cite this

@inproceedings{39f9ac2aa958464a915f376ba0b83ef4,

title = "Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms",

abstract = "Software is continually increasing in size and complexity, and therefore, vulnerability discovery would benefit from techniques that identify potentially vulnerable regions within large code bases, as this allows for easing vulnerability detection tools by reducing their search space. Previous work has explored the use of conventional code-quality and complexity metrics in highlighting suspicious sections of (source) code. Recently, researchers also proposed to reduce the vulnerability search space by studying code property with neural networks. However, previous work generally failed in leveraging the rich metadata available for long-running, large code repositories. In this paper, we present an approach (Bran) to reduce the vulnerability search space by combining conventional code metrics with fine-grained repository metadata. Bran locates code sections that are more likely to contain vulnerabilities in large code bases, potentially improving the efficiency of both manual and automatic code audits. In our experiments on four large code bases, Bran successfully highlighted potentially vulnerable functions, outperforming several baselines, including state-of-art vulnerability prediction tools. We also assess Bran{\textquoteright}s effectiveness in assisting automated testing tools. We use Bran to guide syzkaller, a known kernel fuzzer, in fuzzing a recent version of the Linux kernel. The guided fuzzer identified 26 bugs (10 are zero-day flaws), including arbitrary writes and reads.",

keywords = "Cybersecurity",

author = "Dongyu Meng and Michele Guerriero and Aravind Machiry and Hojjat Aghakhani and Priyanka Bose and Andrea Continella and Christopher Kruegel and Giovanni Vigna",

note = "Publisher Copyright: {\textcopyright} 2021 Owner/Author.; 16th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2021, ACM ASIACCS 2021 ; Conference date: 07-06-2021 Through 11-06-2021",

year = "2021",

month = may,

day = "24",

doi = "10.1145/3433210.3453115",

language = "English",

isbn = "978-1-4503-8287-8",

pages = "731--743",

booktitle = "ACM ASIA Conference on Computer and Communications Security (ASIACCS)",

url = "https://asiaccs2021.comp.polyu.edu.hk/",

}

Meng, D, Guerriero, M, Machiry, A, Aghakhani, H, Bose, P, Continella, A, Kruegel, C & Vigna, G 2021, Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms. in ACM ASIA Conference on Computer and Communications Security (ASIACCS). pp. 731-743, 16th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2021, Virtual Event, 7/06/21. https://doi.org/10.1145/3433210.3453115

TY - GEN

T1 - Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms

AU - Meng, Dongyu

AU - Guerriero, Michele

AU - Machiry, Aravind

AU - Aghakhani, Hojjat

AU - Bose, Priyanka

AU - Continella, Andrea

AU - Kruegel, Christopher

AU - Vigna, Giovanni

N1 - Conference code: 16

PY - 2021/5/24

Y1 - 2021/5/24

N2 - Software is continually increasing in size and complexity, and therefore, vulnerability discovery would benefit from techniques that identify potentially vulnerable regions within large code bases, as this allows for easing vulnerability detection tools by reducing their search space. Previous work has explored the use of conventional code-quality and complexity metrics in highlighting suspicious sections of (source) code. Recently, researchers also proposed to reduce the vulnerability search space by studying code property with neural networks. However, previous work generally failed in leveraging the rich metadata available for long-running, large code repositories. In this paper, we present an approach (Bran) to reduce the vulnerability search space by combining conventional code metrics with fine-grained repository metadata. Bran locates code sections that are more likely to contain vulnerabilities in large code bases, potentially improving the efficiency of both manual and automatic code audits. In our experiments on four large code bases, Bran successfully highlighted potentially vulnerable functions, outperforming several baselines, including state-of-art vulnerability prediction tools. We also assess Bran’s effectiveness in assisting automated testing tools. We use Bran to guide syzkaller, a known kernel fuzzer, in fuzzing a recent version of the Linux kernel. The guided fuzzer identified 26 bugs (10 are zero-day flaws), including arbitrary writes and reads.

AB - Software is continually increasing in size and complexity, and therefore, vulnerability discovery would benefit from techniques that identify potentially vulnerable regions within large code bases, as this allows for easing vulnerability detection tools by reducing their search space. Previous work has explored the use of conventional code-quality and complexity metrics in highlighting suspicious sections of (source) code. Recently, researchers also proposed to reduce the vulnerability search space by studying code property with neural networks. However, previous work generally failed in leveraging the rich metadata available for long-running, large code repositories. In this paper, we present an approach (Bran) to reduce the vulnerability search space by combining conventional code metrics with fine-grained repository metadata. Bran locates code sections that are more likely to contain vulnerabilities in large code bases, potentially improving the efficiency of both manual and automatic code audits. In our experiments on four large code bases, Bran successfully highlighted potentially vulnerable functions, outperforming several baselines, including state-of-art vulnerability prediction tools. We also assess Bran’s effectiveness in assisting automated testing tools. We use Bran to guide syzkaller, a known kernel fuzzer, in fuzzing a recent version of the Linux kernel. The guided fuzzer identified 26 bugs (10 are zero-day flaws), including arbitrary writes and reads.

KW - Cybersecurity

U2 - 10.1145/3433210.3453115

DO - 10.1145/3433210.3453115

M3 - Conference contribution

SN - 978-1-4503-8287-8

SP - 731

EP - 743

BT - ACM ASIA Conference on Computer and Communications Security (ASIACCS)

T2 - 16th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2021

Y2 - 7 June 2021 through 11 June 2021

ER -

Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this