Data-Flow Analysis Heuristic for Vulnerability Detection on Configurable Systems
Abstract

Configurable software systems offer a variety of benefits, such as supporting easy configuration of custom behaviours for distinctive needs. However, it is known that the presence of configuration options in source code complicates maintenance tasks and requires additional effort from developers when adding or editing code statements. They need to consider multiple configurations when executing tests or performing static analysis to detect vulnerabilities. As a result, vulnerabilities have been widely reported in configurable software systems. Unfortunately, the effectiveness of vulnerability detection depends on how the multiple configurations (i.e., sample sets) are selected. In this paper, we tackle the challenge of generating more adequate system configuration samples by taking into account the intrinsic characteristics of security vulnerabilities. We propose a new sampling heuristic based on data-flow analysis for recommending the subset of configurations that should be analyzed individually. Our results show that we can achieve high vulnerability-detection effectiveness with a small sample size.
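To make the idea of a data-flow-driven sampling heuristic concrete, here is a small added example written for this page; it is not the paper's own heuristic or tooling, and the program model, option names (`LOG`, `NET`, `DEBUG`) and statement kinds are constructed for illustration. Each statement carries a presence condition (the `#ifdef` guard it sits under); a flow-insensitive taint propagation records, for every variable, the condition under which untrusted data reaches it; each source-to-sink flow then yields a condition, and a greedy merge of compatible conditions produces the configurations that must be analyzed individually to exercise every flow. The last function shows why a single "everything enabled" build is not enough: a sink guarded by a negated option is only reachable when that option is off.

```python
"""Toy variability-aware taint analysis that recommends configuration samples.

Added illustration; the program model and option names below are constructed.
A presence condition is a frozenset of (option, value) literals, e.g.
frozenset({("LOG", True), ("DEBUG", False)}) means "LOG enabled and DEBUG disabled".
"""

TRUE = frozenset()  # the empty condition holds in every configuration


def conj(c1, c2):
    """Conjoin two presence conditions; return None if they contradict each other."""
    merged = c1 | c2
    for opt, _ in merged:
        if (opt, True) in merged and (opt, False) in merged:
            return None
    return merged


# Statement model: (presence condition, kind, dst, src)
#   "source": dst receives untrusted input
#   "copy":   dst := f(src), taint propagates from src to dst
#   "sink":   src reaches a dangerous operation
OPTIONS = ["LOG", "NET", "DEBUG"]
PROGRAM = [
    (TRUE, "source", "req", None),                                   # req = read_request()
    (frozenset({("NET", True)}), "copy", "host", "req"),             # #ifdef NET: host = parse_host(req)
    (frozenset({("LOG", True)}), "copy", "msg", "req"),              # #ifdef LOG: msg = format(req)
    (frozenset({("LOG", True), ("DEBUG", False)}), "sink", None, "msg"),  # #if LOG && !DEBUG: system(msg)
    (frozenset({("NET", True)}), "sink", None, "host"),              # #ifdef NET: strcpy(buf, host)
    (frozenset({("DEBUG", True)}), "copy", "dbg", "req"),            # #ifdef DEBUG: dbg = req
    (TRUE, "sink", None, "dbg"),                                     # printf(dbg) in every build
]


def analyze(program):
    """Return {(sink_index, condition)}: every tainted flow that reaches a sink,
    together with the presence condition under which it exists."""
    facts = set()  # (variable, condition under which it is tainted)
    changed = True
    while changed:  # iterate to a fixpoint; the literal set is finite, so this terminates
        changed = False
        for cond, kind, dst, src in program:
            if kind == "source":
                new = {(dst, cond)}
            elif kind == "copy":
                new = set()
                for var, fc in facts:
                    if var == src:
                        c = conj(cond, fc)
                        if c is not None:
                            new.add((dst, c))
            else:
                continue
            if not new <= facts:
                facts |= new
                changed = True
    flows = set()
    for i, (cond, kind, _dst, src) in enumerate(program):
        if kind == "sink":
            for var, fc in facts:
                if var == src:
                    c = conj(cond, fc)
                    if c is not None:
                        flows.add((i, c))
    return flows


def recommend_configurations(flows, options):
    """Greedy covering: merge compatible flow conditions into full configurations
    so that every flow holds in at least one recommended configuration."""
    pending = [c for _, c in sorted(flows, key=lambda f: (f[0], sorted(f[1])))]
    configs = []
    while pending:
        config = pending.pop(0)  # seed a configuration with one uncovered flow
        remaining = []
        for c in pending:
            merged = conj(config, c)
            if merged is None:
                remaining.append(c)  # conflicts; handled by a later configuration
            else:
                config = merged
        pending = remaining
        full = {o: False for o in options}  # unconstrained options default to off
        for opt, value in config:
            full[opt] = value
        configs.append(full)
    return configs


def covered(flows, config):
    """Flows whose presence condition holds in one concrete configuration."""
    return {f for f in flows if all(config[o] == v for o, v in f[1])}


if __name__ == "__main__":
    found = analyze(PROGRAM)
    for i, cond in sorted(found, key=lambda f: (f[0], sorted(f[1]))):
        print(f"sink at statement {i} reachable under {dict(cond) or 'any configuration'}")
    print("recommended samples:", recommend_configurations(found, OPTIONS))
    everything_on = {o: True for o in OPTIONS}
    print("missed by all-enabled build:", found - covered(found, everything_on))
```

On the constructed program the analysis finds three flows and recommends two configurations out of the eight possible ones; the all-enabled build, a common single-sample choice, never reaches the `system(msg)` sink because it requires `DEBUG` to be off.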