Static Detection of Control-Flow-Related Vulnerabilities Using Graph Embedding

Title: Static Detection of Control-Flow-Related Vulnerabilities Using Graph Embedding
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Cheng, Xiao; Wang, Haoyu; Hua, Jiayi; Zhang, Miao; Xu, Guoai; Yi, Li; Sui, Yulei
Conference Name: 2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS)
ISBN Number: 978-1-7281-4646-1
Keywords: CFR vulnerabilities, composability, compositionality, Computer bugs, control-flow, control-flow-related vulnerabilities, Convolutional codes, feature extraction, general static analysis solutions, graph convolutional network, graph embedding, graph embedding approach, graph theory, high-level control-flow information, high-level control-flow related vulnerabilities, Human Behavior, learning (artificial intelligence), machine-learning-based approaches, program analysis, program behavioral problems, program compilers, program diagnostics, pubcrawl, resilience, Resiliency, security of data, Semantics, Software, static analysis, static analysis challenge, static code analysis, static detection, static vulnerability detection, static vulnerability detectors, Training, vulnerabilities, vulnerability detection, vulnerable program
Abstract

Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, pose a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.

URL: https://ieeexplore.ieee.org/document/8882745
DOI: 10.1109/ICECCS.2019.00012
Citation Key: cheng_static_2019