[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code...
VCC-FINDER: FINDING POTENTIAL VULNERABILITIES IN OPEN-SOURCE PROJECTS TO ASSIST CODE AUDITS
: ACM CCS 2015 http://www.sigsac.org/ccs/CCS2015/
Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, and Yasemin Acar. 2015. VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). ACM, New York, NY, USA, 426-437. DOI=http://dx.doi.org/10.1145/2810103.2813604
: Kenta Yamamoto <[email protected]>
- VCC-FINDER
VCC-Finder
( false-positive)
“VCC” (Vulnerability-contributing Commits):
CVE GitHub
640 VCC
SVM
FlawFinder recall false-positive
99%
-
CVE
2000 1000
2010 4500
2014 8000
OSS
if-statement
switch-statement
FlawFinder
Flawfinder 53
true positive 5,460 false positive
1
3. VCC
66 projects, 170,860 commits, 718 CVEs
: C C++
VCC
https://www.dropbox.com/s/x1shbyw0nmd2x45/vcc-database.dump?dl=0
VCC
VCC
15% VCC (96 )
3.1% (3 )
`blame`
`blame` 3
e.g. Update libtool to version 2.2.8. · vadz/libtiff@31040a3 https://github.com/vadz/libtiff/commit/31040a39
VCC-Finder
3.1%
VCC 640 169,502
CVE
3-4.
Mann-Whitney U ( ;
2 )
VCC
VCC * 2
p < 0.000357 (= 0.01/28, controlling the familywise error rate)
effect size ( )
: `if` 70%
VCC
VCC
4. VCC
VCC
Generality ( ):
Scalability ( ):
Explainability ( ):
Generalised Bag-of-Words Model
(SVM)
Git, GitHub
S
4-2.
1 linear Support Vector Machines (SVM)
Linear SVM
SVM
LibLinear
VCC-Finder Linear SVM
LibLinear
2 VCC
ω
ω
φ(x) ω φ(x)
$f(x) = \langle \phi(x), \omega \rangle = \sum_{s \in S} \omega_s \, b(x, s)$
cf.
Linear SVM
VCC C = 1,
W = 100
5.
SVM (-2011) vs.
(2011-2014) cf.
(TP): SVM
CVE-2012-2119, Linux Kernel. ,
, `socket`
CVE-2013-0862, FFmpeg.
, 1
CVE-2014-1438, Linux Kernel. ,
, ,
`__input` `user`
CVE-2014-0148 Qemu.
"opaque", "*bs", "bytes"
(FP) : CVE
VCC
FFmpeg
cca1a42653 . :
, ,
: PRECISION-RECALL CURVE
Precision (P), Recall (R), true positives (Tp), false positive (Fp), false negative (Fn)
P = Tp / (Tp + Fp)
R = Tp / (Tp + Fn)
Ref. “Image Matching in Large Scale Indoor Environment” - http://www.cs.cmu.edu/~hebert/indexing.html
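As an added example (not code from the paper or from these slides), the decision function f(x) = ⟨φ(x), ω⟩ = Σ ω_s · b(x, s) from the SVM section and the precision/recall definitions above, run over a handful of constructed commits with made-up token weights; the tokenizer, weights, commits and labels are all assumptions for illustration, not the paper's data:

```python
import re

TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed weights omega_s for a few tokens (illustrative, not learned values).
WEIGHTS = {"socket": 0.8, "sizeof": 0.5, "len": 0.4, "msg:typo": -0.9, "msg:fix": -0.2}

# Constructed commits: diff text plus metadata, since the generalized bag-of-words mixes both.
COMMITS = [
    {"author": "alice", "message": "Add socket option parsing",
     "diff": "+ if (len > sizeof(buf)) goto out;\n+ sock = socket(AF_INET, SOCK_STREAM, 0);"},
    {"author": "bob", "message": "Fix typo in comment",
     "diff": "- /* recieve */\n+ /* receive */"},
    {"author": "carol", "message": "Fix return value",
     "diff": "+ if (n < 0) return -EINVAL;"},
    {"author": "dave", "message": "Refactor socket helper",
     "diff": "+ int fd = socket(AF_INET, SOCK_DGRAM, 0);"},
]
LABELS = [True, False, True, False]  # constructed ground truth: is the commit a VCC?

def tokens(commit):
    """Feature set S for one commit: identifiers from the diff, plus message
    words and the author as prefixed tokens so they do not collide with code."""
    feats = set(TOKEN_RE.findall(commit["diff"]))
    feats |= {f"msg:{w.lower()}" for w in TOKEN_RE.findall(commit["message"])}
    feats.add(f"author:{commit['author']}")
    return feats

def score(commit, weights):
    """f(x) = <phi(x), omega> = sum over s in S of omega_s * b(x, s),
    with b(x, s) = 1 when token s occurs in the commit and 0 otherwise."""
    return sum(weights.get(s, 0.0) for s in tokens(commit))

def precision_recall(tp, fp, fn):
    """P = Tp / (Tp + Fp), R = Tp / (Tp + Fn); 0.0 when a denominator is empty."""
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    return p, r

def evaluate(commits, labels, weights, threshold=0.0):
    """Flag commits with f(x) > threshold for audit and report precision and recall."""
    tp = fp = fn = 0
    for commit, is_vcc in zip(commits, labels):
        flagged = score(commit, weights) > threshold
        tp += int(flagged and is_vcc)
        fp += int(flagged and not is_vcc)
        fn += int(not flagged and is_vcc)
    return precision_recall(tp, fp, fn)

if __name__ == "__main__":
    print("precision, recall at threshold 0:", evaluate(COMMITS, LABELS, WEIGHTS))
```

Raising the threshold trades recall for precision, which is the curve the slide refers to.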
VCC-FINDER
VCC goto
`goto` `out`
`error`
SVM `-EINVAL`
C goto
goto
`exception` `error-handling`
: Apple SSL/TLS
https://www.imperialviolet.org/2014/02/22/applebug.html
`sizeof` `len`, `length`
VCC `buf`, `net`, `socket`
1%
5 (
: p < 0.0001)
VCC-Finder
Flawfinder
C C++ 170,860
2010 2011 2014
Flawfinder
99% 219 53
Flawfinder 5460 36
VCC
Flawfinder
APPENDIX:
C C++
(Linux, Kerberos, OpenSSL, etc.)
66 GitHub
Portspoof, GnuPG, Kerberos, PHP, MapServer, HHVM, Mozilla Gecko, Quagga, libav, Libreswan, Redland Raptor RDF syntax library, charybdis, Jabberd2, ClusterLabs pacemaker, bdwgc, pango, qemu, glibc, OpenVPN, torque, curl, jansson, PostgreSQL, corosync, tinc, FFmpeg, nedmalloc, mosh, trojita, inspircd, nspluginwrapper, cherokee webserver, openssl, libfep, quassel, polarssl, radvd, tntnet, Android Platform Bionic, uzbl, LibRaw, znc, nbd, Pidgin, V8, SpiderLabs ModSecurity, file, graphviz, Linux Kernel, libtiff, ZRTPCPP, taglib, suhosin, Phusion passenger, monkey, memcached, lxc, libguestfs, libarchive, Beanstalkd, Flac, libX11, Xen, libvirt, Wireshark, and Apache HTTPD
1.
(e.g.
ref. https://twitter.com/neubig/status/712857703241089024 ) VCC
Flawfinder
recall precision 99%
2
CVE
CVE-ID CVE
Linear SVM
2. Git
4.
5
5.
Prophet VCC-Finder
ref. http://people.csail.mit.edu/fanl/papers/prophet-popl16.pdf
THANK YOU FOR YOUR ATTENTION. Donating to OpenSSL: https://www.openssl.org/support/donations.html