Data-Flow Analysis Heuristic for Vulnerability Detection on Configurable Systems

Gleyberson Andrade; Elder Cirilo; Vinicius Durelli; Bruno Cafeo; Eiji Adachi

doi:10.5753/vem.2020.14525

Gleyberson Andrade Universidade Federal de São João del Rei
Elder Cirilo Universidade Federal de São João del Rei
Vinicius Durelli Universidade Federal de São João del Rei
Bruno Cafeo Universidade Federal do Mato Grosso do Sul
Eiji Adachi Universidade Federal do Rio Grande do Norte

DOI: https://doi.org/10.5753/vem.2020.14525

Resumo

Configurable software systems offer a variety of benefits such as supporting easy configuration of custom behaviours for distinctive needs. However, it is known that the presence of configuration options in source code complicates maintenance tasks and requires additional effort from developers when adding or editing code statements. They need to consider multiple configurations when executing tests or performing static analysis to detect vulnerabilities. Therefore, vulnerabilities have been widely reported in configurable software systems. Unfortunately, the effectiveness of vulnerability detection depends on how the multiple configurations (i.e., samples sets) are selected. In this paper, we tackle the challenge of generating more adequate system configuration samples by taking into account the intrinsic characteristics of security vulnerabilities. We propose a new sampling heuristic based on data-flow analysis for recommending the subset of configurations that should be analyzed individually. Our results show that we can achieve high vulnerability-detection effectiveness with a small sample size.

Palavras-chave: Vulnerability Detection, Software Product Lines, Sampling Strategies

Referências

Aggarwal, A. and Jalote, P. (2006). Integrating static and dynamic analysis for detecting vulnerabilities. In Computer Software and Applications Conference, 2006. COMP-SAC’06. 30th Annual International, volume 1, pages 343–350. IEEE.

Anley, C. (2007).The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. Wiley, 2nd edition.

Brabrand, C., Ribeiro, M., Tolêdo, T., Winther, J., and Borba, P. (2013). Intraprocedural dataflow analysis for software product lines. In Transactions on Aspect-Oriented Software Development X, pages 73–108. Springer.

Ferreira, G., K ̈astner, C., Pfeffer, J., and Apel, S. (2015). Characterizing complexity ofhighly-configurable systems with variational call graphs: Analyzing configuration options interactions complexity in function calls. In Proceedings of the 2015 Symposium and Bootcamp on the Science of Security.

Ferreira, G., Malik, M., Kastner, C., Pfeffer, J., and Apel, S. (2016). Do ifdefs influencethe occurrence of vulnerabilities? an empirical study of the linux kernel. In International Systems and Software Product Line Conference (SPLCa16).

Liebig, J., Von Rhein, A., Kästner, C., Apel, S., Dorre, J., and Lengauer, C. (2012). Large-scale variability-aware type checking and dataflow analysis.

Medeiros, F., Kãstner, C., Ribeiro, M., Gheyi, R., and Apel, S. (2016). A comparison of 10 sampling algorithms for configurable systems. In2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE), pages 643–654.

Sampaio, L. and Garcia, A. (2016). Exploring context-sensitive data flow analysis for early vulnerability detection. Journal of Systems and Software, 113:337–361.