Visible to the public Biblio

Filters: Keyword is vulnerability detection  [Clear All Filters]
Conference Paper
Letychevskyi, Oleksandr, Peschanenko, Volodymyr, Radchenko, Viktor, Hryniuk, Yaroslav, Yakovlev, Viktor.  2019.  Algebraic Patterns of Vulnerabilities in Binary Code. 2019 10th International Conference on Dependable Systems, Services and Technologies (DESSERT). :70–73.
This paper presents an algebraic approach for formalizing and detecting vulnerabilities in binary code. It uses behaviour algebra equations for creating patterns of vulnerabilities and algebraic matching methods for vulnerability detection. Algebraic matching is based on symbolic modelling. This paper considers a known vulnerability, buffer overflow, as an example to demonstrate an algebraic approach for pattern creation.
Bruillard, P., Nowak, K., Purvine, E..  2016.  Anomaly Detection Using Persistent Homology. 2016 Cybersecurity Symposium (CYBERSEC). :7–12.

Many aspects of our daily lives now rely on computers, including communications, transportation, government, finance, medicine, and education. However, with increased dependence comes increased vulnerability. Therefore recognizing attacks quickly is critical. In this paper, we introduce a new anomaly detection algorithm based on persistent homology, a tool which computes summary statistics of a manifold. The idea is to represent a cyber network with a dynamic point cloud and compare the statistics over time. The robustness of persistent homology makes for a very strong comparison invariant.

Pechenkin, Alexander, Demidov, Roman.  2018.  Applying Deep Learning and Vector Representation for Software Vulnerabilities Detection. Proceedings of the 11th International Conference on Security of Information and Networks. :13:1–13:6.

This paper 1 addresses a problem of vulnerability detection in software represented as assembly code. An extended approach to the vulnerability detection problem is proposed. This work concentrates on improvement of neural network-based approach described in previous works of authors. The authors propose to include the morphology of instructions in vector representations. The bidirectional recurrent neural network is used with access to the execution traces of the program. This has significantly improved the vulnerability detecting accuracy.

Zhang, Xun, Zhao, Jinxiong, Yang, Fan, Zhang, Qin, Li, Zhiru, Gong, Bo, Zhi, Yong, Zhang, Xuejun.  2019.  An Automated Composite Scanning Tool with Multiple Vulnerabilities. 2019 IEEE 3rd Advanced Information Management, Communicates, Electronic and Automation Control Conference (IMCEC). :1060–1064.
In order to effectively do network security protection, detecting system vulnerabilities becomes an indispensable process. Here, the vulnerability detection module with three functions is assembled into a device, and a composite detection tool with multiple functions is proposed to deal with some frequent vulnerabilities. The tool includes a total of three types of vulnerability detection, including cross-site scripting attacks, SQL injection, and directory traversal. First, let's first introduce the principle of each type of vulnerability; then, introduce the detection method of each type of vulnerability; finally, detail the defenses of each type of vulnerability. The benefits are: first, the cost of manual testing is eliminated; second, the work efficiency is greatly improved; and third, the network is safely operated in the first time.
Mohammadi, M., Chu, B., Lipford, H. R., Murphy-Hill, E..  2016.  Automatic Web Security Unit Testing: XSS Vulnerability Detection. 2016 IEEE/ACM 11th International Workshop in Automation of Software Test (AST). :78–84.

Integrating security testing into the workflow of software developers not only can save resources for separate security testing but also reduce the cost of fixing security vulnerabilities by detecting them early in the development cycle. We present an automatic testing approach to detect a common type of Cross Site Scripting (XSS) vulnerability caused by improper encoding of untrusted data. We automatically extract encoding functions used in a web application to sanitize untrusted inputs and then evaluate their effectiveness by automatically generating XSS attack strings. Our evaluations show that this technique can detect 0-day XSS vulnerabilities that cannot be found by static analysis tools. We will also show that our approach can efficiently cover a common type of XSS vulnerability. This approach can be generalized to test for input validation against other types injections such as command line injection.

Ibrahim, Ahmed, El-Ramly, Mohammad, Badr, Amr.  2019.  Beware of the Vulnerability! How Vulnerable are GitHub's Most Popular PHP Applications? 2019 IEEE/ACS 16th International Conference on Computer Systems and Applications (AICCSA). :1–7.
The presence of software vulnerabilities is a serious threat to any software project. Exploiting them can compromise system availability, data integrity, and confidentiality. Unfortunately, many open source projects go for years with undetected ready-to-exploit critical vulnerabilities. In this study, we investigate the presence of software vulnerabilities in open source projects and the factors that influence this presence. We analyzed the top 100 open source PHP applications in GitHub using a static analysis vulnerability scanner to examine how common software vulnerabilities are. We also discussed which vulnerabilities are most present and what factors contribute to their presence. We found that 27% of these projects are insecure, with a median number of 3 vulnerabilities per vulnerable project. We found that the most common type is injection vulnerabilities, which made 58% of all detected vulnerabilities. Out of these, cross-site scripting (XSS) was the most common and made 43.5% of all vulnerabilities found. Statistical analysis revealed that project activities like branching, pulling, and committing have a moderate positive correlation with the number of vulnerabilities in the project. Other factors like project popularity, number of releases, and number of issues had almost no influence on the number of vulnerabilities. We recommend that open source project owners should set secure code development guidelines for their project members and establish secure code reviews as part of the project's development process.
Wang, Kai, Zhang, Yuqing, Liu, Peng.  2016.  Call Me Back!: Attacks on System Server and System Apps in Android Through Synchronous Callback. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :92–103.

Android is the most commonly used mobile device operation system. The core of Android, the System Server (SS), is a multi-threaded process that provides most of the system services. Based on a new understanding of the security risks introduced by the callback mechanism in system services, we have discovered a general type of design flaw. A vulnerability detection tool has been designed and implemented based on static taint analysis. We applied the tool on all the 80 system services in the SS of Android 5.1.0. With its help, we have discovered six previously unknown vulnerabilities, which are further confirmed on Android 2.3.7-6.0.1. According to our analysis, about 97.3% of the entire 1.4 billion real-world Android devices are vulnerable. Our proof-of-concept attack proves that the vulnerabilities can enable a malicious app to freeze critical system functionalities or soft-reboot the system immediately. It is a neat type of denial-of-service at-tack. We also proved that the attacks can be conducted at mission critical moments to achieve meaningful goals, such as anti anti-virus, anti process-killer, hindering app updates or system patching. After being informed, Google confirmed our findings promptly. Several suggestions on how to use callbacks safely are also proposed to Google.

Gupta, M.K., Govil, M.C., Singh, G..  2014.  A context-sensitive approach for precise detection of cross-site scripting vulnerabilities. Innovations in Information Technology (INNOVATIONS), 2014 10th International Conference on. :7-12.

Currently, dependence on web applications is increasing rapidly for social communication, health services, financial transactions and many other purposes. Unfortunately, the presence of cross-site scripting vulnerabilities in these applications allows malicious user to steals sensitive information, install malware, and performs various malicious operations. Researchers proposed various approaches and developed tools to detect XSS vulnerability from source code of web applications. However, existing approaches and tools are not free from false positive and false negative results. In this paper, we propose a taint analysis and defensive programming based HTML context-sensitive approach for precise detection of XSS vulnerability from source code of PHP web applications. It also provides automatic suggestions to improve the vulnerable source code. Preliminary experiments and results on test subjects show that proposed approach is more efficient than existing ones.

Meng, Ruijie, Zhu, Biyun, Yun, Hao, Li, Haicheng, Cai, Yan, Yang, Zijiang.  2019.  CONVUL: An Effective Tool for Detecting Concurrency Vulnerabilities. 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). :1154—1157.

Concurrency vulnerabilities are extremely harmful and can be frequently exploited to launch severe attacks. Due to the non-determinism of multithreaded executions, it is very difficult to detect them. Recently, data race detectors and techniques based on maximal casual model have been applied to detect concurrency vulnerabilities. However, the former are ineffective and the latter report many false negatives. In this paper, we present CONVUL, an effective tool for concurrency vulnerability detection. CONVUL is based on exchangeable events, and adopts novel algorithms to detect three major kinds of concurrency vulnerabilities. In our experiments, CONVUL detected 9 of 10 known vulnerabilities, while other tools only detected at most 2 out of these 10 vulnerabilities. The 10 vulnerabilities are available at https://github.com/mryancai/ConVul.

Settanni, G., Shovgenya, Y., Skopik, F., Graf, R., Wurzenberger, M., Fiedler, R..  2016.  Correlating cyber incident information to establish situational awareness in Critical Infrastructures. 2016 14th Annual Conference on Privacy, Security and Trust (PST). :78–81.

Protecting Critical Infrastructures (CIs) against contemporary cyber attacks has become a crucial as well as complex task. Modern attack campaigns, such as Advanced Persistent Threats (APTs), leverage weaknesses in the organization's business processes and exploit vulnerabilities of several systems to hit their target. Although their life-cycle can last for months, these campaigns typically go undetected until they achieve their goal. They usually aim at performing data exfiltration, cause service disruptions and can also undermine the safety of humans. Novel detection techniques and incident handling approaches are therefore required, to effectively protect CI's networks and timely react to this type of threats. Correlating large amounts of data, collected from a multitude of relevant sources, is necessary and sometimes required by national authorities to establish cyber situational awareness, and allow to promptly adopt suitable countermeasures in case of an attack. In this paper we propose three novel methods for security information correlation designed to discover relevant insights and support the establishment of cyber situational awareness.

Böhme, Marcel, Pham, Van-Thuan, Roychoudhury, Abhik.  2016.  Coverage-based Greybox Fuzzing As Markov Chain. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :1032–1043.

Coverage-based Greybox Fuzzing (CGF) is a random testing approach that requires no program analysis. A new test is generated by slightly mutating a seed input. If the test exercises a new and interesting path, it is added to the set of seeds; otherwise, it is discarded. We observe that most tests exercise the same few "high-frequency" paths and develop strategies to explore significantly more paths with the same number of tests by gravitating towards low-frequency paths. We explain the challenges and opportunities of CGF using a Markov chain model which specifies the probability that fuzzing the seed that exercises path i generates an input that exercises path j. Each state (i.e., seed) has an energy that specifies the number of inputs to be generated from that seed. We show that CGF is considerably more efficient if energy is inversely proportional to the density of the stationary distribution and increases monotonically every time that seed is chosen. Energy is controlled with a power schedule. We implemented the exponential schedule by extending AFL. In 24 hours, AFLFAST exposes 3 previously unreported CVEs that are not exposed by AFL and exposes 6 previously unreported CVEs 7x faster than AFL. AFLFAST produces at least an order of magnitude more unique crashes than AFL.

Zekri, M., Kafhali, S. E., Aboutabit, N., Saadi, Y..  2017.  DDoS attack detection using machine learning techniques in cloud computing environments. 2017 3rd International Conference of Cloud Computing Technologies and Applications (CloudTech). :1–7.

Cloud computing is a revolution in IT technology that provides scalable, virtualized on-demand resources to the end users with greater flexibility, less maintenance and reduced infrastructure cost. These resources are supervised by different management organizations and provided over Internet using known networking protocols, standards and formats. The underlying technologies and legacy protocols contain bugs and vulnerabilities that can open doors for intrusion by the attackers. Attacks as DDoS (Distributed Denial of Service) are ones of the most frequent that inflict serious damage and affect the cloud performance. In a DDoS attack, the attacker usually uses innocent compromised computers (called zombies) by taking advantages of known or unknown bugs and vulnerabilities to send a large number of packets from these already-captured zombies to a server. This may occupy a major portion of network bandwidth of the victim cloud infrastructures or consume much of the servers time. Thus, in this work, we designed a DDoS detection system based on the C.4.5 algorithm to mitigate the DDoS threat. This algorithm, coupled with signature detection techniques, generates a decision tree to perform automatic, effective detection of signatures attacks for DDoS flooding attacks. To validate our system, we selected other machine learning techniques and compared the obtained results.

Wang, Xinda, Sun, Kun, Batcheller, Archer, Jajodia, Sushil.  2019.  Detecting "0-Day" Vulnerability: An Empirical Study of Secret Security Patch in OSS. 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). :485–492.
Security patches in open source software (OSS) not only provide security fixes to identified vulnerabilities, but also make the vulnerable code public to the attackers. Therefore, armored attackers may misuse this information to launch N-day attacks on unpatched OSS versions. The best practice for preventing this type of N-day attacks is to keep upgrading the software to the latest version in no time. However, due to the concerns on reputation and easy software development management, software vendors may choose to secretly patch their vulnerabilities in a new version without reporting them to CVE or even providing any explicit description in their change logs. When those secretly patched vulnerabilities are being identified by armored attackers, they can be turned into powerful "0-day" attacks, which can be exploited to compromise not only unpatched version of the same software, but also similar types of OSS (e.g., SSL libraries) that may contain the same vulnerability due to code clone or similar design/implementation logic. Therefore, it is critical to identify secret security patches and downgrade the risk of those "0-day" attacks to at least "n-day" attacks. In this paper, we develop a defense system and implement a toolset to automatically identify secret security patches in open source software. To distinguish security patches from other patches, we first build a security patch database that contains more than 4700 security patches mapping to the records in CVE list. Next, we identify a set of features to help distinguish security patches from non-security ones using machine learning approaches. Finally, we use code clone identification mechanisms to discover similar patches or vulnerabilities in similar types of OSS. The experimental results show our approach can achieve good detection performance. A case study on OpenSSL, LibreSSL, and BoringSSL discovers 12 secret security patches.
Malik, Yasir, Campos, Carlos Renato Salim, Jaafar, Fehmi.  2019.  Detecting Android Security Vulnerabilities Using Machine Learning and System Calls Analysis. 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C). :109–113.
Android operating systems have become a prime target for cyber attackers due to security vulnerabilities in the underlying operating system and application design. Recently, anomaly detection techniques are widely studied for security vulnerabilities detection and classification. However, the ability of the attackers to create new variants of existing malware using various masking techniques makes it harder to deploy these techniques effectively. In this research, we present a robust and effective vulnerabilities detection approach based on anomaly detection in a system calls of benign and malicious Android application. The anomaly in our study is type, frequency, and sequence of system calls that represent a vulnerability. Our system monitors the processes of benign and malicious application and detects security vulnerabilities based on the combination of parameters and metrics, i.e., type, frequency and sequence of system calls to classify the process behavior as benign or malign. The detection algorithm detects the anomaly based on the defined scoring function f and threshold ρ. The system refines the detection process by applying machine learning techniques to find a combination of system call metrics and explore the relationship between security bugs and the pattern of system calls detected. The experiment results show the detection rate of the proposed algorithm based on precision, recall, and f-score for different machine learning algorithms.
Jiang, Yikun, Xie, Wei, Tang, Yong.  2018.  Detecting Authentication-Bypass Flaws in a Large Scale of IoT Embedded Web Servers. Proceedings of the 8th International Conference on Communication and Network Security. :56–63.

With the rapid development of network and communication technologies, everything is able to be connected to the Internet. IoT devices, which include home routers, IP cameras, wireless printers and so on, are crucial parts facilitating to build pervasive and ubiquitous networks. As the number of IoT devices around the world increases, the security issues become more and more serious. To handle with the security issues and protect the IoT devices from being compromised, the firmware of devices needs to be strengthened by discovering and repairing vulnerabilities. Current vulnerability detection tools can only help strengthening traditional software, nevertheless these tools are not practical enough for IoT device firmware, because of the peculiarity in firmware's structure and embedded device's architecture. Therefore, new vulnerability detection framework is required for analyzing IoT device firmware. This paper reviews related works on vulnerability detection in IoT firmware, proposes and implements a framework to automatically detect authentication-bypass flaws in a large scale of Linux-based firmware. The proposed framework is evaluated with a data set of 2351 firmware images from several target vendors, which is proved to be capable of performing large-scale and automated analysis on firmware, and 1 known and 10 unknown authentication-bypass flaws are found by the analysis.

Kaur, Gurpreet, Malik, Yasir, Samuel, Hamman, Jaafar, Fehmi.  2018.  Detecting Blind Cross-Site Scripting Attacks Using Machine Learning. Proceedings of the 2018 International Conference on Signal Processing and Machine Learning. :22–25.

Cross-site scripting (XSS) is a scripting attack targeting web applications by injecting malicious scripts into web pages. Blind XSS is a subset of stored XSS, where an attacker blindly deploys malicious payloads in web pages that are stored in a persistent manner on target servers. Most of the XSS detection techniques used to detect the XSS vulnerabilities are inadequate to detect blind XSS attacks. In this research, we present machine learning based approach to detect blind XSS attacks. Testing results help to identify malicious payloads that are likely to get stored in databases through web applications.

Ying, Huan, Zhang, Yanmiao, Han, Lifang, Cheng, Yushi, Li, Jiyuan, Ji, Xiaoyu, Xu, Wenyuan.  2019.  Detecting Buffer-Overflow Vulnerabilities in Smart Grid Devices via Automatic Static Analysis. 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC). :813-817.

As a modern power transmission network, smart grid connects plenty of terminal devices. However, along with the growth of devices are the security threats. Different from the previous separated environment, an adversary nowadays can destroy the power system by attacking these devices. Therefore, it's critical to ensure the security and safety of terminal devices. To achieve this goal, detecting the pre-existing vulnerabilities of the device program and enhance the terminal security, are of great importance and necessity. In this paper, we propose a novel approach that detects existing buffer-overflow vulnerabilities of terminal devices via automatic static analysis (ASA). We utilize the static analysis to extract the device program information and build corresponding program models. By further matching the generated program model with pre-defined vulnerability patterns, we achieve vulnerability detection and error reporting. The evaluation results demonstrate that our method can effectively detect buffer-overflow vulnerabilities of smart terminals with a high accuracy and a low false positive rate.

Guowei Dong, Yan Zhang, Xin Wang, Peng Wang, Liangkun Liu.  2014.  Detecting cross site scripting vulnerabilities introduced by HTML5. Computer Science and Software Engineering (JCSSE), 2014 11th International Joint Conference on. :319-323.

Recent years, HTML5 is widely adopted in popular browsers. Unfortunately, as a new Web standard, HTML5 may expand the Cross Site Scripting (XSS) attack surface as well as improve the interactivity of the page. In this paper, we identified 14 XSS attack vectors related to HTML5 by a systematic analysis about new tags and attributes. Based on these vectors, a XSS test vector repository is constructed and a dynamic XSS vulnerability detection tool focusing on Webmail systems is implemented. By applying the tool to some popular Webmail systems, seven exploitable XSS vulnerabilities are found. The evaluation result shows that our tool can efficiently detect XSS vulnerabilities introduced by HTML5.

Nashaat, M., Ali, K., Miller, J..  2017.  Detecting Security Vulnerabilities in Object-Oriented PHP Programs. 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM). :159–164.

PHP is one of the most popular web development tools in use today. A major concern though is the improper and insecure uses of the language by application developers, motivating the development of various static analyses that detect security vulnerabilities in PHP programs. However, many of these approaches do not handle recent, important PHP features such as object orientation, which greatly limits the use of such approaches in practice. In this paper, we present OOPIXY, a security analysis tool that extends the PHP security analyzer PIXY to support reasoning about object-oriented features in PHP applications. Our empirical evaluation shows that OOPIXY detects 88% of security vulnerabilities found in micro benchmarks. When used on real-world PHP applications, OOPIXY detects security vulnerabilities that could not be detected using state-of-the-art tools, retaining a high level of precision. We have contacted the maintainers of those applications, and two applications' development teams verified the correctness of our findings. They are currently working on fixing the bugs that lead to those vulnerabilities.

Buja, G., Bin Abd Jalil, K., Bt Hj Mohd Ali, F., Rahman, T.F.A..  2014.  Detection model for SQL injection attack: An approach for preventing a web application from the SQL injection attack. Computer Applications and Industrial Electronics (ISCAIE), 2014 IEEE Symposium on. :60-64.

Since the past 20 years the uses of web in daily life is increasing and becoming trend now. As the use of the web is increasing, the use of web application is also increasing. Apparently most of the web application exists up to today have some vulnerability that could be exploited by unauthorized person. Some of well-known web application vulnerabilities are Structured Query Language (SQL) Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). By compromising with these web application vulnerabilities, the system cracker can gain information about the user and lead to the reputation of the respective organization. Usually the developers of web applications did not realize that their web applications have vulnerabilities. They only realize them when there is an attack or manipulation of their code by someone. This is normal as in a web application, there are thousands of lines of code, therefore it is not easy to detect if there are some loopholes. Nowadays as the hacking tools and hacking tutorials are easier to get, lots of new hackers are born. Even though SQL injection is very easy to protect against, there are still large numbers of the system on the internet are vulnerable to this type of attack because there will be a few subtle condition that can go undetected. Therefore, in this paper we propose a detection model for detecting and recognizing the web vulnerability which is; SQL Injection based on the defined and identified criteria. In addition, the proposed detection model will be able to generate a report regarding the vulnerability level of the web application. As the consequence, the proposed detection model should be able to decrease the possibility of the SQL Injection attack that can be launch onto the web application.

Danyk, Y., Shestakov, V..  2018.  The detection of hybrid vulnerabilities and effects on the basis of analyzing the information activity in cyberspace. 2018 14th International Conference on Advanced Trends in Radioelecrtronics, Telecommunications and Computer Engineering (TCSET). :574–577.

The report presents the results of the investigations into the effects of the information hybrid threats through cyberspace on social, technical, socio and technical systems. The composition of the system of early efficient detection of the above hybrids is suggested. The results of the structural and parametric synthesis of the system are described. The recommendations related to the system implementation are given.

Kuze, N., Ishikura, S., Yagi, T., Chiba, D., Murata, M..  2016.  Detection of vulnerability scanning using features of collective accesses based on information collected from multiple honeypots. NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium. :1067–1072.

Attacks against websites are increasing rapidly with the expansion of web services. An increasing number of diversified web services make it difficult to prevent such attacks due to many known vulnerabilities in websites. To overcome this problem, it is necessary to collect the most recent attacks using decoy web honeypots and to implement countermeasures against malicious threats. Web honeypots collect not only malicious accesses by attackers but also benign accesses such as those by web search crawlers. Thus, it is essential to develop a means of automatically identifying malicious accesses from mixed collected data including both malicious and benign accesses. Specifically, detecting vulnerability scanning, which is a preliminary process, is important for preventing attacks. In this study, we focused on classification of accesses for web crawling and vulnerability scanning since these accesses are too similar to be identified. We propose a feature vector including features of collective accesses, e.g., intervals of request arrivals and the dispersion of source port numbers, obtained with multiple honeypots deployed in different networks for classification. Through evaluation using data collected from 37 honeypots in a real network, we show that features of collective accesses are advantageous for vulnerability scanning and crawler classification.

Leal, A. G., Teixeira, Í C..  2018.  Development of a suite of IPv6 vulnerability scanning tests using the TTCN-3 language. 2018 International Symposium on Networks, Computers and Communications (ISNCC). :1–6.

With the transition from IPv4 IPv6 protocol to improve network communications, there are concerns about devices and applications' security that must be dealt at the beginning of implementation or during its lifecycle. Automate the vulnerability assessment process reduces management overhead, enabling better management of risks and control of the vulnerabilities. Consequently, it reduces the effort needed for each test and it allows the increase of the frequency of application, improving time management to perform all the other complicated tasks necessary to support a secure network. There are several researchers involved in tests of vulnerability in IPv6 networks, exploiting addressing mechanisms, extension headers, fragmentation, tunnelling or dual-stack networks (using both IPv4 and IPv6 at the same time). Most existing tools use the programming languages C, Java, and Python instead of a language designed specifically to create a suite of tests, which reduces maintainability and extensibility of the tests. This paper presents a solution for IPv6 vulnerabilities scan tests, based on attack simulations, combining passive analysis (observing the manifestation of behaviours of the system under test) and an active one (stimulating the system to become symptomatic). Also, it describes a prototype that simulates and detects denial-of-service attacks on the ICMPv6 Protocol from IPv6. Also, a detailed report is created with the identified vulnerability and the possible existing solutions to mitigate such a gap, thus assisting the process of vulnerability management.

Nilizadeh, Shirin, Noller, Yannic, Pasareanu, Corina S..  2019.  DifFuzz: Differential Fuzzing for Side-Channel Analysis. 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). :176–187.
Side-channel attacks allow an adversary to uncover secret program data by observing the behavior of a program with respect to a resource, such as execution time, consumed memory or response size. Side-channel vulnerabilities are difficult to reason about as they involve analyzing the correlations between resource usage over multiple program paths. We present DifFuzz, a fuzzing-based approach for detecting side-channel vulnerabilities related to time and space. DifFuzz automatically detects these vulnerabilities by analyzing two versions of the program and using resource-guided heuristics to find inputs that maximize the difference in resource consumption between secret-dependent paths. The methodology of DifFuzz is general and can be applied to programs written in any language. For this paper, we present an implementation that targets analysis of Java programs, and uses and extends the Kelinci and AFL fuzzers. We evaluate DifFuzz on a large number of Java programs and demonstrate that it can reveal unknown side-channel vulnerabilities in popular applications. We also show that DifFuzz compares favorably against Blazer and Themis, two state-of-the-art analysis tools for finding side-channels in Java programs.
Kronjee, Jorrit, Hommersom, Arjen, Vranken, Harald.  2018.  Discovering Software Vulnerabilities Using Data-flow Analysis and Machine Learning. Proceedings of the 13th International Conference on Availability, Reliability and Security. :6:1–6:10.

We present a novel method for static analysis in which we combine data-flow analysis with machine learning to detect SQL injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities in PHP applications. We assembled a dataset from the National Vulnerability Database and the SAMATE project, containing vulnerable PHP code samples and their patched versions in which the vulnerability is solved. We extracted features from the code samples by applying data-flow analysis techniques, including reaching definitions analysis, taint analysis, and reaching constants analysis. We used these features in machine learning to train various probabilistic classifiers. To demonstrate the effectiveness of our approach, we built a tool called WIRECAML, and compared our tool to other tools for vulnerability detection in PHP code. Our tool performed best for detecting both SQLi and XSS vulnerabilities. We also tried our approach on a number of open-source software applications, and found a previously unknown vulnerability in a photo-sharing web application.