Static detection of control-flow-related vulnerabilities using graph embedding

Cheng, X; Wang, H; Hua, J; Zhang, M; Xu, G; Yi, L; Sui, Y

Static detection of control-flow-related vulnerabilities using graph embedding

Cheng, X Wang, H Hua, J Zhang, M Xu, G Yi, L Sui, Y

Permalink

Publication Type:: Conference Proceeding
Citation:: Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS, 2019, 2019-November pp. 41 - 50
Issue Date:: 2019-11-01

Open Access

Copyright Clearance Process

Recently Added
In Progress
Open Access

This item is open access.

The embargo period expires on 2 Nov 2021

Adobe PDF

Download Accepted ManuscriptAdobe PDF (1.04 MB)

View on publisher's site

View statistics

Full metadata record

Field	Value	Language
dc.contributor.author	Cheng, X	en_US
dc.contributor.author	Wang, H	en_US
dc.contributor.author	Hua, J	en_US
dc.contributor.author	Zhang, M	en_US
dc.contributor.author	Xu, G	en_US
dc.contributor.author	Yi, L	en_US
dc.contributor.author	Sui, Y https://orcid.org/0000-0002-9510-6574	en_US
dc.date.issued	2019-11-01	en_US
dc.identifier.citation	Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS, 2019, 2019-November pp. 41 - 50	en_US
dc.identifier.isbn	9781728146461	en_US
dc.identifier.uri	http://hdl.handle.net/10453/137408
dc.description.abstract	© 2019 IEEE. Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.	en_US
dc.relation.ispartof	Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS	en_US
dc.relation.isbasedon	10.1109/ICECCS.2019.00012	en_US
dc.rights	info:eu-repo/semantics/embargoedAccess
dc.title	Static detection of control-flow-related vulnerabilities using graph embedding	en_US
dc.type	Conference Proceeding
utslib.citation.volume	2019-November	en_US
pubs.embargo.period	Not known	en_US
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
pubs.organisational-group	/University of Technology Sydney/Strength - CAI - Centre for Artificial Intelligence
utslib.copyright.status	open_access	*
utslib.copyright.embargo	2021-11-02T00:00:00+1100
pubs.publication-status	Published	en_US
pubs.volume	2019-November	en_US

Abstract:

© 2019 IEEE. Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/137408