Software vulnerability code clone detection method based on characteristic metrics

Cited by: 0
Authors
Gan, Shui-Tao [1 ]
Qin, Xiao-Jun [1 ]
Chen, Zuo-Ning [1 ]
Wang, Lin-Zhang [2 ]
Affiliations
[1] State Key Laboratory of Mathematical Engineering and Advanced Computing, Jiangnan Institute of Computing Technique, Wuxi
[2] State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing
Source
Ruan Jian Xue Bao/Journal of Software | 2015 / Vol. 26 / No. 2
Keywords
Code clone; Metrics of characteristics; Syntax parse tree; Vulnerability detection;
DOI
10.13328/j.cnki.jos.004786
Abstract
This paper proposes a clone detection method based on program characteristic metrics. By analyzing the syntactic and semantic characteristics of vulnerabilities, the method abstracts from the syntax parse tree the key nodes that describe the different forms of a vulnerability type, and extends the four basic types of code clone with auxiliary classes. The characteristic metrics of a code segment are then obtained by counting those key nodes while scanning the corresponding segment of the parse tree. Clone detection based on the characteristic metrics builds a basic knowledge base by extracting a subset of instances from an open vulnerability database, and locates vulnerable code precisely by performing cluster calculation over the same code with respect to multiple types of code clone. Compared with detection based on a single characteristic vector, the proposed method describes vulnerabilities more precisely. It also compensates for the limited vulnerability-type coverage of formal detection methods. In a test on an Android kernel, nine vulnerabilities were detected. Tests on software of different code sizes show that the running time of the method scales linearly with the size of the code. © Copyright 2015, Institute of Software, the Chinese Academy of Sciences. All Rights Reserved.
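The pipeline the abstract describes (key nodes abstracted from the parse tree, a count vector per code segment, a knowledge base of known vulnerable instances, and a comparison that tolerates renamed or slightly edited clones) can be illustrated end to end on a small scale. The block below is an added example written for this page; it is not the authors' implementation and does not reproduce their key-node list, their auxiliary clone classes, or their clustering procedure. It uses Python's ast module as a stand-in for the C syntax parse tree of the paper, an assumed list of ten key node kinds, a nearest-neighbour lookup with a distance threshold in place of the cluster calculation, and a constructed two-entry knowledge base plus constructed target functions. The threshold value 2.0 is an assumption chosen so that the constructed type-3 clone matches and the unrelated function does not.

```python
import ast
import math

# Assumed key node kinds. The paper derives its key nodes from the syntactic and
# semantic forms of each vulnerability type; this fixed list is an illustration only.
KEY_NODES = (
    ast.Call, ast.Subscript, ast.BinOp, ast.Compare,
    ast.If, ast.For, ast.While, ast.Assign, ast.AugAssign, ast.Return,
)


def metric_vector(node: ast.AST) -> tuple:
    """Characteristic metrics of one parse-tree segment: a count per key node kind.

    One pass over the subtree, so the cost is linear in the number of nodes.
    """
    counts = [0] * len(KEY_NODES)
    for sub in ast.walk(node):
        for i, kind in enumerate(KEY_NODES):
            if isinstance(sub, kind):
                counts[i] += 1
                break
    return tuple(counts)


def vector_of_source(src: str) -> tuple:
    """Convenience wrapper: parse a snippet and compute its metric vector."""
    return metric_vector(ast.parse(src))


def distance(a: tuple, b: tuple) -> float:
    """Euclidean distance between two metric vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


# Constructed knowledge-base instances (stand-ins for entries extracted from an
# open vulnerability database): an unchecked copy loop and an unchecked offset read.
KB_UNCHECKED_COPY = """
def copy_into(dst, src, n):
    i = 0
    while i < n:
        dst[i] = src[i]
        i += 1
    return dst
"""

KB_UNCHECKED_OFFSET = """
def read_field(buf, off):
    return buf[off + 4]
"""

KNOWLEDGE_BASE = [
    ("unchecked copy loop", vector_of_source(KB_UNCHECKED_COPY)),
    ("unchecked offset read", vector_of_source(KB_UNCHECKED_OFFSET)),
]


def match(vec: tuple, kb=KNOWLEDGE_BASE, threshold: float = 2.0):
    """Nearest-neighbour lookup standing in for the paper's cluster calculation.

    Returns (label, clone kind, distance) or None when nothing is close enough.
    Identical metrics cover type-1 (exact) and type-2 (renamed) clones, because
    renaming identifiers changes no node counts; a small non-zero distance is
    treated as a type-3 (edited) clone.
    """
    label, best_vec = min(kb, key=lambda entry: distance(vec, entry[1]))
    d = distance(vec, best_vec)
    if d == 0:
        return label, "type-1/2 (identical metrics)", d
    if d <= threshold:
        return label, "type-3 (near clone)", d
    return None


def scan_module(src: str, kb=KNOWLEDGE_BASE, threshold: float = 2.0) -> list:
    """Locate functions in a module whose metrics match a knowledge-base instance.

    Returns (function name, line number, label, clone kind, distance) per hit.
    """
    hits = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.FunctionDef):
            m = match(metric_vector(node), kb, threshold)
            if m is not None:
                hits.append((node.name, node.lineno, m[0], m[1], m[2]))
    return hits


# Constructed target module: a renamed (type-2) clone of the copy loop, a
# bounds-checked (type-3) variant, and an unrelated checksum routine.
TARGET_MODULE = """
def fill(out, inp, count):
    k = 0
    while k < count:
        out[k] = inp[k]
        k += 1
    return out

def copy_into_checked(dst, src, n):
    i = 0
    while i < n and i < len(dst):
        dst[i] = src[i]
        i += 1
    return dst

def checksum(data):
    total = 0
    for b in data:
        total = (total + b) % 256
    return total
"""

if __name__ == "__main__":
    for name, line, label, kind, d in scan_module(TARGET_MODULE):
        print(f"{name} (line {line}): {label}, {kind}, distance {d:.2f}")
```

Running the block reports the renamed loop at distance 0 and the bounds-checked variant at distance sqrt(2) (one extra Compare and one extra Call), while the checksum routine is not reported. Note that a type-3 hit against the "unchecked copy loop" entry is exactly what a fixed version of that loop produces, so in practice a metric match only localizes candidate code; confirming whether the guard is present is a separate step.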
Pages: 348-363
Page count: 15