Visible to the public Static Detection of Control-Flow-Related Vulnerabilities Using Graph Embedding

TitleStatic Detection of Control-Flow-Related Vulnerabilities Using Graph Embedding
Publication TypeConference Paper
Year of Publication2019
AuthorsCheng, Xiao, Wang, Haoyu, Hua, Jiayi, Zhang, Miao, Xu, Guoai, Yi, Li, Sui, Yulei
Conference Name2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS)
ISBN Number978-1-7281-4646-1
KeywordsCFR vulnerabilities, composability, compositionality, Computer bugs, control-flow, control-flow-related vulnerabilities, Convolutional codes, feature extraction, general static analysis solutions, graph convolutional network, graph embedding, graph embedding approach, graph theory, high-level control-flow information, high-level control-flow related vulnerabilities, Human Behavior, learning (artificial intelligence), machine-learning-based approaches, program analysis, program behavioral problems, program compilers, program diagnostics, pubcrawl, resilience, Resiliency, security of data, Semantics, Software, static analysis, static analysis challenge, static code analysis, static detection, static vulnerability detection, static vulnerability detectors, Training, vulnerabilities, vulnerability detection, vulnerable program

Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.

Citation Keycheng_static_2019