TeamUSEC

VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits

Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl and Yasemin Acar.
Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-16, 2015

Abstract

Despite the security community’s best effort, the number of serious vulnerabilities discovered in software is increasing rapidly. In theory, security audits should find and remove the vulnerabilities before the code ever gets deployed. However, due to the enormous amount of code being produced, as well as the lack of manpower and expertise, not all code is sufficiently audited. Thus, many vulnerabilities slip into production systems. A best-practice approach is to use a code metric analysis tool, such as Flawfinder, to flag potentially dangerous code so that it can receive special attention. However, because these tools have a very high false-positive rate, the manual effort needed to find vulnerabilities remains overwhelming.

In this paper, we present a new method of finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. We combine code-metric analysis with metadata gathered from code repositories to help code review teams prioritize their work. The paper makes three contributions. First, we conducted the first large-scale mapping of CVEs to GitHub commits in order to create a vulnerable commit database. Second, based on this database, we trained an SVM classifier to flag suspicious commits. Compared to Flawfinder, our approach reduces the amount of false alarms by over 99 % at the same level of recall. Finally, we present a thorough quantitative and qualitative analysis of our approach and discuss lessons learned from the results. We will share the database as a benchmark for future research and will also provide our analysis tool as a web service.
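The pipeline the abstract sketches (code metrics taken from the patch, metadata taken from the repository, a linear SVM trained on labelled commits, and false alarms measured against a keyword scanner at the same recall) as a small runnable illustration. This is an added example, not the VCCFinder authors' code: the eight commits and their labels, the list of risky C calls, the "new author" threshold, the feature scaling and the Pegasos training routine are all constructed here for illustration and are not the paper's features or implementation.

```python
"""Toy VCCFinder-style pipeline: code metrics from the patch + repository
metadata -> linear SVM -> false alarms at a given recall, compared with a
Flawfinder-style "risky call" rule. Added example, not the paper's code."""
import re
from typing import Dict, List, Sequence, Tuple

# Assumed list of risky C calls for the keyword feature (not the paper's list).
DANGER = re.compile(r"\b(memcpy|strcpy|strcat|sprintf|gets|alloca|realloc)\s*\(")
NEW_AUTHOR_MAX_COMMITS = 10  # assumed threshold for "inexperienced author"

# Constructed sample commits. "author_commits" stands in for the GitHub metadata
# (the author's prior contributions to the project); label 1 = vulnerability-
# contributing commit (VCC), 0 = benign. Diffs and labels are made up.
COMMITS: List[Dict] = [
    {"author_commits": 2, "label": 1, "diff":
     "+    char name[32];\n+    memcpy(name, pkt->data, pkt->len);\n"
     "+    name[pkt->len] = '\\0';\n"},
    {"author_commits": 0, "label": 1, "diff":
     "-    snprintf(path, sizeof(path), \"%s\", base);\n+    strcpy(path, base);\n"
     "+    strcat(path, \"/\");\n+    strcat(path, user_input);\n"},
    {"author_commits": 400, "label": 1, "diff":
     "+    len = read_u16(p);\n+    buf = realloc(buf, len);\n"
     "+    memcpy(buf, p + 2, len);\n+    p += 2 + len;\n"},
    {"author_commits": 5, "label": 1, "diff":
     "+    char msg[64];\n+    sprintf(msg, \"user %s logged in\", username);\n"},
    {"author_commits": 800, "label": 0, "diff":
     "+See docs/BUILD.md for build instructions.\n"},
    {"author_commits": 300, "label": 0, "diff":
     "-    int cnt = list_length(l);\n+    int count = list_length(l);\n"},
    {"author_commits": 500, "label": 0, "diff":   # guarded memcpy: keyword false alarm
     "+    if (n > sizeof(out))\n+        return -EINVAL;\n+    memcpy(out, in, n);\n"},
    {"author_commits": 1, "label": 0, "diff":
     "-/* recieve the next frame */\n+/* receive the next frame */\n"},
]


def extract_features(commit: Dict) -> List[float]:
    """Code metrics from the diff (added/deleted lines, risky calls on added
    lines) plus one metadata feature (new author). Index 0 is a bias term."""
    added = deleted = danger = 0
    for line in commit["diff"].splitlines():
        if line.startswith(("+++", "---")):
            continue  # file headers, not content
        if line.startswith("+"):
            added += 1
            danger += len(DANGER.findall(line))
        elif line.startswith("-"):
            deleted += 1
    new_author = 1.0 if commit["author_commits"] < NEW_AUTHOR_MAX_COMMITS else 0.0
    return [1.0, added / 10.0, deleted / 10.0, float(danger), new_author]


def dot(w: Sequence[float], x: Sequence[float]) -> float:
    return sum(wi * xi for wi, xi in zip(w, x))


def train_svm(xs, ys, lam: float = 0.01, epochs: int = 200) -> List[float]:
    """Linear SVM trained with the Pegasos stochastic sub-gradient method
    (hinge loss + L2 regularisation). Fixed pass order keeps runs repeatable."""
    w = [0.0] * len(xs[0])
    t = 0
    for _ in range(epochs):
        for x, y in zip(xs, ys):
            t += 1
            eta = 1.0 / (lam * t)
            shrink = 1.0 - eta * lam
            if y * dot(w, x) < 1.0:  # margin violation: step towards y*x
                w = [shrink * wi + eta * y * xi for wi, xi in zip(w, x)]
            else:
                w = [shrink * wi for wi in w]
    return w


def flawfinder_like(commit: Dict) -> bool:
    """Keyword baseline: flag any commit that adds a risky call."""
    return extract_features(commit)[3] > 0


def rule_metrics(flags: Sequence[bool], labels: Sequence[int]) -> Tuple[float, int]:
    """Recall and number of false alarms of a binary flagging rule."""
    tp = sum(1 for f, lab in zip(flags, labels) if f and lab)
    fp = sum(1 for f, lab in zip(flags, labels) if f and not lab)
    return tp / sum(labels), fp


def false_alarms_at_recall(scores, labels, target_recall: float) -> int:
    """Walk the ranking from most to least suspicious, lowering the threshold
    until recall reaches the target; return the benign commits flagged so far."""
    positives = sum(labels)
    tp = fp = 0
    for i in sorted(range(len(scores)), key=lambda i: -scores[i]):
        if labels[i]:
            tp += 1
        else:
            fp += 1
        if tp / positives >= target_recall:
            break
    return fp


def run_demo() -> Dict[str, float]:
    xs = [extract_features(c) for c in COMMITS]
    labels = [c["label"] for c in COMMITS]
    ys = [1 if lab else -1 for lab in labels]
    w = train_svm(xs, ys)
    scores = [dot(w, x) for x in xs]
    base_recall, base_fp = rule_metrics([flawfinder_like(c) for c in COMMITS], labels)
    return {
        "baseline_recall": base_recall,
        "baseline_false_alarms": base_fp,
        "svm_false_alarms": false_alarms_at_recall(scores, labels, base_recall),
        "svm_training_errors": sum(1 for s, y in zip(scores, ys) if s * y <= 0),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The keyword rule reaches full recall on this set but also flags the guarded memcpy by an experienced author; the combination of patch metrics with the author-experience feature is what lets a linear model rank that commit below the real VCCs. The numbers here are measured on the training commits, so they say nothing about generalisation; the 99 % figure in the abstract comes from the paper's own evaluation on its CVE-to-commit database, not from a toy set like this.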

Reference

@inproceedings{DBLP:conf/ccs/PerlD0AYRFA15,
  author    = {Henning Perl and Sergej Dechand and Matthew Smith and Daniel Arp and
               Fabian Yamaguchi and Konrad Rieck and Sascha Fahl and Yasemin Acar},
  title     = {VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects
               to Assist Code Audits},
  booktitle = {Proceedings of the 22nd ACM SIGSAC Conference on Computer and
               Communications Security, Denver, CO, USA, October 12-16, 2015},
  editor    = {Indrajit Ray and Ninghui Li and Christopher Kruegel},
  pages     = {426--437},
  publisher = {ACM},
  year      = {2015},
  doi       = {10.1145/2810103.2813604},
  url       = {https://doi.org/10.1145/2810103.2813604},
  biburl    = {https://dblp.org/rec/conf/ccs/PerlD0AYRFA15.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}