Abstract
The security-sensitive functions can be effectively used to improve the efficiency of vulnerability mining techniques, but mining security-sensitive functions of the large-scale code base is difficult. An automatic mining framework for security-sensitive functions is proposed. Firstly, a class of high-resolution code features is used to extract suspected security-sensitive function sets, and then a class of code features is applied to measure the sensitivity of each suspected security-sensitive function. Ultimately, the final security-sensitive function set is ensured based on the measurement result. Established along the framework, a mining algorithm for a type security-sensitive function is proposed. Through the mining experiments on three well-known open source codes, the performance of this algorithm is better than the existing methods.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Acharya, M., Xie, T.: Mining API error-handling specifications from source code. In: Chechik, M., Wirsing, M. (eds.) FASE 2009. LNCS, vol. 5503, pp. 370–384. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00593-0_25
Bian, P., Liang, B., Zhang, Y., Yang, C., Shi, W., Cai, Y.: Detecting bugs by discovering expectations and their violations. IEEE Trans. Softw. Eng. 1 (2018)
Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, pp. 209–224. USENIX Association, Berkeley (2008)
Chen, L., Yang, C., Liu, F., Gong, D., Ding, S.: Automatic mining of security-sensitive functions from source code. CMC 56, 199–210 (2018)
Engler, D., Chen, D.Y., Hallem, S., Chou, A., Chelf, B.: Bugs as deviant behavior: a general approach to inferring errors in systems code. In: Proceedings of the Eighteenth ACM Symposium on Operating Systems Principles, pp. 57–72. ACM, New York (2001)
Engler, D., Musuvathi, M.: Static analysis versus software model checking for bug finding. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 191–210. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24622-0_17
Ganesh, V., Leek, T., Rinard, M.: Taint-based directed whitebox fuzzing. In: Proceedings of the 31st International Conference on Software Engineering, pp. 474–484. IEEE Computer Society, Washington, DC (2009)
Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 213–223. ACM, New York (2005)
Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated whitebox fuzz testing. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2008, San Diego, California, USA, 10–13 February 2008, p. 16 (2008)
Haller, I., Slowinska, A., Neugschwandtner, M., Bos, H.: Dowsing for overflows: a guided fuzzer to find buffer boundary violations. In: Proceedings of the 22nd USENIX Security Symposium, Washington, DC, USA, 14–16 August 2013, pp. 49–64 (2013)
Liang, B., Bian, P., Zhang, Y., Shi, W., You, W., Cai, Y.: AntMiner: mining more bugs by reducing noise interference. In: 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE), pp. 333–344. ACM Press, New York (2016)
Majumdar, R., Wang, Z.: BBS: a phase-bounded model checker for asynchronous programs. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 496–503. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_33
Malhotra, R.: A systematic review of machine learning techniques for software fault prediction. Appl. Soft Comput. 27, 504–518 (2015)
Yamaguchi, F., Maier, A., Gascon, H., Rieck, K.: Automatic inference of search patterns for taint-style vulnerabilities. In: 2015 IEEE Symposium on Security and Privacy, pp. 797–812. IEEE (2015)
Xi, X., Sheng, S., Sun, B., Wang, L., Hu, F.: An empirical comparison on multi-target regression learning. CMC 56, 185–198 (2018)
Acknowledgments
This study was supported in part by the National Natural Science Foundation of China (Nos. 61401512, 61602508, 61772549, U1636219, and U1736214), the National Key R&D Program of China (Nos. 2016YFB0801303 and 2016QY01W0105), the Key Technologies R&D Program of Henan Province (No. 162102210032), and the Key Science and Technology Research Project of Henan Province (No. 152102210005).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Chen, L., Yang, C., Liu, F., Gong, D., Ding, S. (2019). A Security-Sensitive Function Mining Framework for Source Code. In: Sun, X., Pan, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2019. Lecture Notes in Computer Science(), vol 11635. Springer, Cham. https://doi.org/10.1007/978-3-030-24268-8_39
Download citation
DOI: https://doi.org/10.1007/978-3-030-24268-8_39
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-24267-1
Online ISBN: 978-3-030-24268-8
eBook Packages: Computer ScienceComputer Science (R0)