[Paper introduction] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code...

VCC-FINDER: FINDING POTENTIAL VULNERABILITIES IN OPEN-SOURCE PROJECTS TO ASSIST CODE AUDITS : ACM CCS 2015 http://www.sigsac.org/ccs/CCS2015/ Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, and Yasemin Acar. 2015. VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). ACM, New York, NY, USA, 426-437. DOI=http://dx.doi.org/10.1145/2810103.2813604 : Kenta Yamamoto <[email protected]>


VCC

VCC-Finder

VCC

VCC

- VCC-FINDER

VCC-Finder

( false-positive)

“VCC” (Vulnerability-contributing Commits):

CVE GitHub

640 VCC

SVM

FlawFinder recall false-positive

99%

-

CVE

2000 1000

2010 4500

2014 8000

OSS

if-statement

switch-statement

FlawFinder

Flawfinder 53

true positive 5,460 false positive

1

FlawFinder Rats,

Prefast, Splint

Coverity

SCM (Software configuration management)

fix bug

SVM

C

3. VCC

66 , 170,860 , 718CVE

: C C++

VCC

https://www.dropbox.com/s/x1shbyw0nmd2x45/vcc-database.dump?dl=0

VCC

#1

e.g.

CVE

GitHub CVE

CVE 2

1. CVE

2. CVE ID

10%

718 CVE

#2 VCC

VCC

Git

(`git blame` )

VCC

718 CVE 640 VCC

VCC 1

CVE

#2 VCC

1.

2. `blame`

:

diff

3.

`blame`

: fix

4. `blame`

(VCC)

`blame`

VCC

VCC

15% VCC (96 )

3.1% (3 )

`blame`

`blame` 3

e.g. Update libtool to version 2.2.8. · vadz/libtiff@31040a3 https://github.com/vadz/libtiff/commit/31040a39

VCC-Finder

3.1%

VCC 640 169,502

CVE

3-2. VCC

* 1

Git GitHub

1

3-2. VCC

GitHub

GitHub

:

i.e. /

: 1 diff

(hunk)

: `bag of words`

: C C++

3-4.

Mann-Whitney U ( ;

2 )

VCC

VCC * 2

p < 0.000357, 0.01/28

( familywise error rate

)

effect size ( )

: `if` 70%

VCC

VCC

2

4. VCC

VCC

Generality ( ):

Scalability ( ):

Explainability ( ):

Generalised Bag-of-Words Model

(SVM)

Git, GitHub

S

4-1. BAG-OF-WORDS

S

email

φ

$\varphi : X \to \mathbb{R}^{|S|}, \quad \varphi : x \mapsto \big(b(x, s)\big)_{s \in S}$

X , x ∈ X

b(x, s) s x

0, 1

x

0

4-2.

1 linear Support Vector Machines (SVM)

Linear SVM

SVM

LibLinear

VCC-Finder Linear SVM

LibLinear

2 VCC

ω

ω

φ(x) ω φ(x)

$f(x) = \langle \varphi(x), \omega \rangle = \sum_{s \in S} \omega_s \, b(x, s)$

cf.

Linear SVM

VCC C = 1,

W = 100
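To make sections 4-1 and 4-2 concrete, here is an added example (not code from the paper or from the VCC-Finder project) of the generalised bag-of-words map φ over a commit's diff tokens and metadata, and of the linear score f(x) = ⟨φ(x), ω⟩. The commit, the weight vector ω, the bias and the field-prefix tokenization are all constructed assumptions; the paper's trained LibLinear model is not reproduced.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample commit (not from the paper's dataset): one diff hunk plus metadata.
SAMPLE_COMMIT = {
    "author_email": "dev@example.invalid",
    "message": "net: fix socket buffer length check",
    "diff": (
        "@@ -10,6 +10,7 @@ static int recv_pkt(struct socket *sock, char *buf, size_t len)\n"
        "-    if (len > sizeof(buf))\n"
        "+    if (len >= sizeof(buf))\n"
        "         goto out;\n"
        "+    memcpy(buf, pkt, len);\n"
    ),
}

# Constructed toy weight vector omega and bias. In the paper these come from a linear SVM
# trained with LibLinear on the 640 VCCs; here they are hand-picked only to illustrate f(x).
WEIGHTS = {"code:goto": 0.9, "code:memcpy": 0.7, "code:sizeof": 0.6, "code:len": 0.5,
           "code:buf": 0.4, "msg:socket": 0.3, "msg:fix": -0.8, "code:printf": -0.5}
BIAS = -1.5

TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def phi(commit: Dict[str, str]) -> Dict[str, int]:
    """Generalised bag-of-words map: b(x, s) = 1 for every word s of S present in commit x.
    Words are prefixed with the field they come from, so code tokens and commit-message
    tokens stay distinct while code and metadata share one feature vector."""
    words = {"author:" + commit["author_email"]: 1}
    for tok in TOKEN_RE.findall(commit["message"]):
        words["msg:" + tok] = 1
    for line in commit["diff"].splitlines():
        if line.startswith("@@"):                 # hunk header is not code
            continue
        for tok in TOKEN_RE.findall(line[1:]):    # drop the +/-/space diff marker
            words["code:" + tok] = 1
    return words

def score(features: Dict[str, int], weights: Dict[str, float], bias: float) -> float:
    """f(x) = <phi(x), omega> + bias = sum over s in S of omega_s * b(x, s); absent words add 0."""
    return sum(weights.get(s, 0.0) * b for s, b in features.items()) + bias

def explain(features: Dict[str, int], weights: Dict[str, float], k: int = 3) -> List[Tuple[str, float]]:
    """Top-k present words by weight: the per-commit explanation a linear model affords."""
    present = [(s, weights[s]) for s in features if s in weights]
    return sorted(present, key=lambda t: -t[1])[:k]

def is_potential_vcc(commit: Dict[str, str], weights=WEIGHTS, bias=BIAS) -> bool:
    """Flag the commit for audit when the linear score is positive."""
    return score(phi(commit), weights, bias) > 0.0

if __name__ == "__main__":
    x = phi(SAMPLE_COMMIT)
    print(round(score(x, WEIGHTS, BIAS), 2), explain(x, WEIGHTS))
```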

5.

SVM (-2011) vs.

(2011-2014) cf.

(TP): SVM

CVE-2012-2119, Linux Kernel. ,

, `socket`

CVE-2013-0862, FFmpeg.

, 1

CVE-2014-1438, Linux Kernel. ,

, ,

`__input` `user`

CVE-2014-0148 Qemu.

"opaque", "*bs", "bytes"

(FP) : CVE

VCC

FFmpeg

cca1a42653 . :

, ,

(precision) - (recall)

1

(combined)

VCC-FINDER FLAWFINDER

2 VCC-Finder vs. Flawfinder (precision) -

(recall) Flawfinder

: PRECISION-RECALL CURVE

Precision (P), Recall (R), true positives (Tp), false positive (Fp), false negative (Fn)

$P = \frac{T_p}{T_p + F_p}$

$R = \frac{T_p}{T_p + F_n}$

Ref. “Image Matching in Large Scale Indoor Environment” - http://www.cs.cmu.edu/~hebert/indexing.html

VCC-FINDER

VCC goto

`goto` `out`

`error`

SVM `-EINVAL`

C goto

goto

`exception` `error-handling`

: Apple SSL/TLS

https://www.imperialviolet.org/2014/02/22/applebug.html

`sizeof` `len`, `length`

VCC `buf`, `net`, `socket`

1%

5 (

: p < 0.0001)

VCC-FINDER

C, C++

VCC-Finder

Flawfinder

C C++ 170,860

2010 2011 2014

Flawfinder

99% 219 53

Flawfinder 5460 36

VCC

Flawfinder

APPENDIX:

C C++

(Linux, Kerberos, OpenSSL, etc.)

66 GitHub

Portspoof, GnuPG, Kerberos, PHP, MapServer, HHVM, Mozilla Gecko, Quagga, libav, Libreswan, Redland Raptor RDF syntax library, charybdis, Jabberd2, ClusterLabs pacemaker, bdwgc, pango, qemu, glibc, OpenVPN, torque, curl, jansson, PostgreSQL, corosync, tinc, FFmpeg, nedmalloc, mosh, trojita, inspircd, nspluginwrapper, cherokee webserver, openssl, libfep, quassel, polarssl, radvd, tntnet, Android Platform Bionic, uzbl, LibRaw, znc, nbd, Pidgin, V8, SpiderLabs ModSecurity, file, graphviz, Linux Kernel, libti, ZRTPCPP, taglib, suhosin, Phusion passenger, monkey, memcached, lxc, libguestfs, libarchive, Beanstalkd, Flac, libX11, Xen, libvirt, Wireshark, and Apache HTTPD

1.

(e.g.

ref. https://twitter.com/neubig/status/712857703241089024 ) VCC

Flawfinder

recall precision 99%

2

CVE

CVE-ID CVE

Linear SVM

2. Git

4.

5

5.

Prophet VCC-Finder

ref. http://people.csail.mit.edu/fanl/papers/prophet-popl16.pdf

THANK YOU FOR YOUR ATTENTION

Donating to OpenSSL https://www.openssl.org/support/donations.html