CodeAuditor: A Vulnerability Detection Framework Based on Constraint Analysis and Model Checking
Open source applications have flourished over recent years. Meanwhile security vulnerabilities in such applications have grown. Since manual code auditing is error-prone, time-consuming and costly, automatic solutions have become necessary. In this paper we address program vulnerabilities by static...
Uloženo v:
| Vydáno v: | 2009 International Conference on Management and Service Science s. 1 - 4 |
|---|---|
| Hlavní autoři: | , , , , |
| Médium: | Konferenční příspěvek |
| Jazyk: | angličtina |
| Vydáno: |
IEEE
01.09.2009
|
| Témata: | |
| ISBN: | 1424446384, 9781424446384 |
| On-line přístup: | Získat plný text |
| Tagy: |
Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
|
| Abstract | Open source applications have flourished over recent years. Meanwhile security vulnerabilities in such applications have grown. Since manual code auditing is error-prone, time-consuming and costly, automatic solutions have become necessary. In this paper we address program vulnerabilities by static code analysis. First, we use flow-insensitive and interprocedural constraint-based analysis to extract the vulnerability detection model from the source code. Second, we employ model checking to solve the model. In addition, we do alias analysis to improve the correctness and precision of the detection model. The presented concepts are targeted at the general class of buffer-related vulnerabilities and can be applied to the detection of vulnerability types such as buffer overflow, format string attack, and code injection. CodeAuditor, the prototype implementation of our methods, is targeted at detecting buffer overflow vulnerabilities in C source code. It can be regarded as a vulnerability framework in which a variety of analysis and model checking tools can be incorporated. With this tool, 18 previously unknown vulnerabilities in six open source applications were discovered and the observed false positive rate was at around 23%. |
|---|---|
| AbstractList | Open source applications have flourished over recent years. Meanwhile security vulnerabilities in such applications have grown. Since manual code auditing is error-prone, time-consuming and costly, automatic solutions have become necessary. In this paper we address program vulnerabilities by static code analysis. First, we use flow-insensitive and interprocedural constraint-based analysis to extract the vulnerability detection model from the source code. Second, we employ model checking to solve the model. In addition, we do alias analysis to improve the correctness and precision of the detection model. The presented concepts are targeted at the general class of buffer-related vulnerabilities and can be applied to the detection of vulnerability types such as buffer overflow, format string attack, and code injection. CodeAuditor, the prototype implementation of our methods, is targeted at detecting buffer overflow vulnerabilities in C source code. It can be regarded as a vulnerability framework in which a variety of analysis and model checking tools can be incorporated. With this tool, 18 previously unknown vulnerabilities in six open source applications were discovered and the observed false positive rate was at around 23%. |
| Author | Qiang Zhang Lei Wang Pengchao Zhao Jianan Wang Gui Chen |
| Author_xml | – sequence: 1 surname: Lei Wang fullname: Lei Wang organization: Comput. Sch., Beijing Univ. of Aeronaut. & Astronaut., Beijing, China – sequence: 2 surname: Gui Chen fullname: Gui Chen organization: Comput. Sch., Beijing Univ. of Aeronaut. & Astronaut., Beijing, China – sequence: 3 surname: Jianan Wang fullname: Jianan Wang organization: Comput. Sch., Beijing Univ. of Aeronaut. & Astronaut., Beijing, China – sequence: 4 surname: Pengchao Zhao fullname: Pengchao Zhao organization: Comput. Sch., Beijing Univ. of Aeronaut. & Astronaut., Beijing, China – sequence: 5 surname: Qiang Zhang fullname: Qiang Zhang organization: Comput. Sch., Beijing Univ. of Aeronaut. & Astronaut., Beijing, China |
| BookMark | eNo1UNtKAzEUjGhBW_sD-pIfaM11s_FtXW-FFh9afK1pclZjt1lJUqR_74p1GDjMMAycGaKz0AVA6IqSKaVE38zqxXI5ZYToqeREMClP0FirkgomhCi4pqdo-C9KMUDD36wmgpfkHI1T-iQ9hGSqYBfore4cVHvncxdvcYVf922AaDa-9fmA7yGDzb4L-DGaHXx3cYvvTAKHe6vuQsrR-JBxFUx7SD5hExxe9I0trj_Abn14v0SDxrQJxsc7QqvHh1X9PJm_PM3qaj7xmuSJpAKostJulKDE8MJQBZpxDbw0PUtlrW64A6elcv3PRhVNyRqxaXhhBecjdP1X6wFg_RX9zsTD-jgQ_wHk5Fl8 |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1109/ICMSS.2009.5304255 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Xplore POP ALL IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) - NZ IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) - NZ url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| EISBN | 9781424446391 1424446392 |
| EndPage | 4 |
| ExternalDocumentID | 5304255 |
| Genre | orig-research |
| GroupedDBID | 6IE 6IF 6IK 6IL 6IN AAJGR AARBI AAWTH ALMA_UNASSIGNED_HOLDINGS BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK IERZE OCL RIE RIL |
| ID | FETCH-LOGICAL-i90t-514e17c5cb7410a36a17e9239e38a38a87cc9f3ded957d255a76f82f4bf36c433 |
| IEDL.DBID | RIE |
| ISBN | 1424446384 9781424446384 |
| IngestDate | Wed Aug 27 02:26:03 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | false |
| LCCN | 2009904380 |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i90t-514e17c5cb7410a36a17e9239e38a38a87cc9f3ded957d255a76f82f4bf36c433 |
| PageCount | 4 |
| ParticipantIDs | ieee_primary_5304255 |
| PublicationCentury | 2000 |
| PublicationDate | 2009-Sept. |
| PublicationDateYYYYMMDD | 2009-09-01 |
| PublicationDate_xml | – month: 09 year: 2009 text: 2009-Sept. |
| PublicationDecade | 2000 |
| PublicationTitle | 2009 International Conference on Management and Service Science |
| PublicationTitleAbbrev | ICMSS |
| PublicationYear | 2009 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0000452762 |
| Score | 1.4273586 |
| Snippet | Open source applications have flourished over recent years. Meanwhile security vulnerabilities in such applications have grown. Since manual code auditing is... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 1 |
| SubjectTerms | Application software Automatic control Buffer overflow Computer bugs Flow graphs Formal verification Instruments Pattern analysis Programming Prototypes |
| Title | CodeAuditor: A Vulnerability Detection Framework Based on Constraint Analysis and Model Checking |
| URI | https://ieeexplore.ieee.org/document/5304255 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV3NS8MwFA_b8OBJZRO_ycGjde3y1Xib1aEHx2BDdptp8oIDaWV2gv-9SbpOBC9CD2kOIU1a3uvL7wOhS5UwY2EAkXDBLKKcQ5THNvWYhjiVYF3MUMFsQozH6XwuJy10teXCAEAAn8G1b4azfFPqtS-V9Zn_92asjdpC8Jqrta2neGlw92E33C3q3ivaSDo19w1pJpb9x-xpOq3lKjej_rJXCdFltPe_ee2j3g9ND0-2AegAtaDoopesNDD0XItydYOH-Hn95oWlAwb2C99BFbBXBR41qCx86wKZwa7Lm3cGy4gKN1olWBUGe7-0N5y9gvZ19R6aje5n2UO0sVGIljKuIpcRQSI007lLHmJFuEoEuLROAkmVu1KhtbTEgJFMGPcYSnCbDizNLeGaEnKIOkVZwBHCTCeS5Uq6FGRACYBUmjObUDciAZPzY9T1i7N4r4UyFpt1Ofm7-xTt1kczHrB1hjrVag3naEd_VsuP1UXY3W8fmaH- |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV3NS8MwFA86BT2pbOK3OXi0rl2StvE2q2PDbQw2ZLeZJi84GK3MTvC_N0nXieBF6CHNIaRJy3t9-X0gdCMCpjS0wItMMPNoGIKX-jq2mAY_5qBNzBDObCIaDuPplI-20O2GCwMADnwGd7bpzvJVLle2VNZk9t-bsW20wyht-SVba1NRseLg5tOu2FvUvFm0EnWq7ivajM-bvWQwHpeCletxfxmsuPjSOfjfzA5R44eoh0ebEHSEtiCro9ckV9C2bIt8eY_b-GW1sNLSDgX7hR-hcOirDHcqXBZ-MKFMYdNl7TudaUSBK7USLDKFrWPaAidvIG1lvYEmnadJ0vXWRgrenPuFZ3IiCCLJZGrSB1-QUAQRmMSOA4mFueJISq6JAsVZpMxjiCjUcUvTVJNQUkKOUS3LMzhBmMmAs1Rwk4S0KAHgQoZMB9SMSECl4Smq28WZvZdSGbP1upz93X2N9rqTQX_W7w2fz9F-eVBj4VsXqFYsV3CJduVnMf9YXrmd_ga_LaVF |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=2009+International+Conference+on+Management+and+Service+Science&rft.atitle=CodeAuditor%3A+A+Vulnerability+Detection+Framework+Based+on+Constraint+Analysis+and+Model+Checking&rft.au=Lei+Wang&rft.au=Gui+Chen&rft.au=Jianan+Wang&rft.au=Pengchao+Zhao&rft.date=2009-09-01&rft.pub=IEEE&rft.isbn=9781424446384&rft.spage=1&rft.epage=4&rft_id=info:doi/10.1109%2FICMSS.2009.5304255&rft.externalDocID=5304255 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=9781424446384/lc.gif&client=summon&freeimage=true |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=9781424446384/mc.gif&client=summon&freeimage=true |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=9781424446384/sc.gif&client=summon&freeimage=true |