Static detection of control-flow-related vulnerabilities using graph embedding

Xiao Cheng; Haoyu Wang; Jiayi Hua; Miao Zhang; Guoai Xu; Li Yi; Yulei Sui

doi:10.1109/ICECCS.2019.00012

Static detection of control-flow-related vulnerabilities using graph embedding

Xiao Cheng, Haoyu Wang^*, Jiayi Hua, Miao Zhang, Guoai Xu, Li Yi, Yulei Sui

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

51 Citations (Scopus)

Abstract

Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.

Original language	English
Title of host publication	2019 24th International Conference on Engineering of Complex Computer Systems ICECCS 2019
Subtitle of host publication	proceedings
Place of Publication	Piscataway, NJ
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Pages	41-50
Number of pages	10
ISBN (Electronic)	9781728146461
ISBN (Print)	9781728146478
DOIs	https://doi.org/10.1109/ICECCS.2019.00012
Publication status	Published - Nov 2019
Externally published	Yes
Event	24th International Conference on Engineering of Complex Computer Systems, ICECCS 2019 - Guangzhou, China Duration: 10 Nov 2019 → 13 Nov 2019

Conference

Conference	24th International Conference on Engineering of Complex Computer Systems, ICECCS 2019
Country/Territory	China
City	Guangzhou
Period	10/11/19 → 13/11/19

Keywords

Control-flow
Graph embedding
Static analysis
Vulnerabilities

Access to Document

10.1109/ICECCS.2019.00012

Cite this

Cheng, X., Wang, H., Hua, J., Zhang, M., Xu, G., Yi, L., & Sui, Y. (2019). Static detection of control-flow-related vulnerabilities using graph embedding. In 2019 24th International Conference on Engineering of Complex Computer Systems ICECCS 2019: proceedings (pp. 41-50). Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/ICECCS.2019.00012

@inproceedings{21736af97b054fe6af189e055f2ebb5e,

title = "Static detection of control-flow-related vulnerabilities using graph embedding",

abstract = "Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.",

keywords = "Control-flow, Graph embedding, Static analysis, Vulnerabilities",

author = "Xiao Cheng and Haoyu Wang and Jiayi Hua and Miao Zhang and Guoai Xu and Li Yi and Yulei Sui",

year = "2019",

month = nov,

doi = "10.1109/ICECCS.2019.00012",

language = "English",

isbn = "9781728146478",

pages = "41--50",

booktitle = "2019 24th International Conference on Engineering of Complex Computer Systems ICECCS 2019",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

address = "United States",

note = "24th International Conference on Engineering of Complex Computer Systems, ICECCS 2019 ; Conference date: 10-11-2019 Through 13-11-2019",

}

Cheng, X, Wang, H, Hua, J, Zhang, M, Xu, G, Yi, L & Sui, Y 2019, Static detection of control-flow-related vulnerabilities using graph embedding. in 2019 24th International Conference on Engineering of Complex Computer Systems ICECCS 2019: proceedings. Institute of Electrical and Electronics Engineers (IEEE), Piscataway, NJ, pp. 41-50, 24th International Conference on Engineering of Complex Computer Systems, ICECCS 2019, Guangzhou, China, 10/11/19. https://doi.org/10.1109/ICECCS.2019.00012

Static detection of control-flow-related vulnerabilities using graph embedding. / Cheng, Xiao; Wang, Haoyu; Hua, Jiayi et al.
2019 24th International Conference on Engineering of Complex Computer Systems ICECCS 2019: proceedings. Piscataway, NJ: Institute of Electrical and Electronics Engineers (IEEE), 2019. p. 41-50.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - Static detection of control-flow-related vulnerabilities using graph embedding

AU - Cheng, Xiao

AU - Wang, Haoyu

AU - Hua, Jiayi

AU - Zhang, Miao

AU - Xu, Guoai

AU - Yi, Li

AU - Sui, Yulei

PY - 2019/11

Y1 - 2019/11

N2 - Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.

AB - Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.

KW - Control-flow

KW - Graph embedding

KW - Static analysis

KW - Vulnerabilities

UR - https://www.scopus.com/pages/publications/85074673248

UR - http://purl.org/au-research/grants/arc/DE170101081

U2 - 10.1109/ICECCS.2019.00012

DO - 10.1109/ICECCS.2019.00012

M3 - Conference proceeding contribution

SN - 9781728146478

SP - 41

EP - 50

BT - 2019 24th International Conference on Engineering of Complex Computer Systems ICECCS 2019

PB - Institute of Electrical and Electronics Engineers (IEEE)

CY - Piscataway, NJ

T2 - 24th International Conference on Engineering of Complex Computer Systems, ICECCS 2019

Y2 - 10 November 2019 through 13 November 2019

ER -

Static detection of control-flow-related vulnerabilities using graph embedding

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this