Vulnerability code clone detection method based on context semantics and patch verification

A detection method based on context semantics and patch verification, applied in the computer field, that addresses the difficulty of vulnerability detection, long execution times, and limited application scenarios, and achieves a wide range of use, fewer false positives, and high detection efficiency.

Active Publication Date: 2021-04-13
陕西阡陌通达科技有限公司

AI Technical Summary

Problems solved by technology

This tree-based approach requires significant execution time, since the subgraph isomorphism problem is a notoriously time-consuming NP-complete problem.
When code modifications increase, such as added and deleted lines of code, the approach is affected, which makes vulnerability detection more difficult and limits the application scenarios.
Lack of contextual validation and filtering for patched code can lead to false negatives.
Techniques at a fairly high level of abstraction (e.g., putting functions into token bags or into syntax trees) may be effective for detecting clones, but they are not suitable for accurately detecting vulnerable code clones because security issues are very context sensitive.



Examples


Embodiment 1

[0028] Software is applied ever more widely, its scale keeps growing, and the demand for software in scientific research and across industries keeps rising. The daily life of modern people also depends on software. Vulnerabilities inevitably appear in software, and attackers can use them to intrude into it, causing a large number of security incidents and threatening software security. Detecting software vulnerabilities therefore finds them in advance and reduces the probability of security incidents. Existing vulnerability detection methods cannot effectively detect code clones that involve renaming or small additions, deletions and modifications of code, and they lack context and patch verification. After research and experiments on this status quo, the present invention proposes a vulnerability code cloning based on context semantics and patch verification Detectio...

Embodiment 2

[0042] The vulnerability code clone detection method based on context semantics and patch verification is the same as in Embodiment 1. The vulnerability source code and patch described in step 3 are preprocessed with abstract normalization to handle renaming clones. First, comments, spaces, tab characters and line breaks are deleted and all characters are converted to lowercase, which normalizes the vulnerability source code and eliminates the influence of syntax-irrelevant factors on the detection results. Then uniform alias replacement is performed for parameter names, local variables, data types and function call names in the code: formal parameters are collected from the parameters of the function header, and each parameter variable that appears in the function is replaced with the symbol FPARAM. The present invention replaces all local variables that appear in the code with the symbol LVAR and replaces data types with the symbol DTYPE. In the present invention, the...

Embodiment 3

[0045] The flow analysis code clone detection method based on the vulnerability fingerprint is the same as in Embodiments 1-2. Step 4, constructing the vulnerability function and vulnerability code fingerprint library, includes the following steps:

[0046] Step 4.1) Process the vulnerable function of the vulnerable code with the MD5 hash algorithm to generate the fingerprint of the vulnerable function, and store the length of the vulnerable function, the CVE number of the vulnerable function and the fingerprint of the vulnerable function as a triplet in the vulnerability function fingerprint library.

[0047] Step 4.2) Use the MD5 hash algorithm to process the vulnerable code, the corresponding control statements, and the patches, generating fingerprints for each of them line by line, store them in the vulnerable code fingerprint database in statement order, and then compare them with The...
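The normalization of Embodiment 2 and the function fingerprint of step 4.1, sketched as an added example (not code from the patent). Assumptions: regex handling of a small C subset, a fixed type keyword list, fingerprinting of the function body only, and a placeholder CVE id; function-call abstraction is omitted because the page text is cut off before describing it.

```python
import hashlib
import re

# Assumption: a fixed keyword list stands in for real C type resolution.
DTYPES = ["unsigned", "size_t", "const", "char", "int", "long", "void"]
TYPE = r"(?:\b(?:%s)\b[\s*]*)+" % "|".join(DTYPES)

def normalize_body(func_src):
    """Abstract one C function body to FPARAM/LVAR/DTYPE and drop whitespace."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", func_src, flags=re.S).lower()
    header, body = src.split("{", 1)
    arglist = header[header.index("(") + 1:header.rindex(")")]
    params = set(re.findall(r"(\w+)\s*(?:,|$)", arglist)) - set(DTYPES)
    local_vars = set(re.findall(TYPE + r"(\w+)\s*[=;\[,]", body)) - params
    for names, symbol in ((params, "FPARAM"), (local_vars, "LVAR"), (DTYPES, "DTYPE")):
        for name in names:
            body = re.sub(r"\b%s\b" % re.escape(name), symbol, body)
    # Whitespace goes last so token boundaries survive until substitution is done.
    return re.sub(r"\s+", "", body)

def fingerprint(func_src):
    """Step 4.1 fingerprint: (normalized length, MD5 hex digest)."""
    body = normalize_body(func_src)
    return len(body), hashlib.md5(body.encode()).hexdigest()

def detect(library, func_src):
    """Return the CVE id stored for a matching fingerprint, else None."""
    return library.get(fingerprint(func_src))

# Constructed samples: vulnerable function, renamed clone, fixed variant.
VULN = """
int copy_name(char *dst, const char *src) {
    char buf[64];          /* fixed-size stack buffer */
    strcpy(buf, src);      // no length check
    memcpy(dst, buf, 64);
    return 0;
}
"""
CLONE = """
int dup_label(char *out,   const char *in)   {
    char   tmp[64];
    strcpy(tmp, in);
    memcpy(out, tmp, 64);
    return 0;
}
"""
PATCHED = VULN.replace("strcpy(buf, src);", "strncpy(buf, src, 63); buf[63] = 0;")
# Placeholder CVE id, not a real identifier.
LIBRARY = {fingerprint(VULN): "CVE-PLACEHOLDER-0001"}
```

The renamed clone resolves to the stored entry through `detect(LIBRARY, CLONE)`, while the fixed variant produces a different fingerprint and returns `None`.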


Abstract

The invention discloses a vulnerability code clone detection method based on context semantics and patch verification, and solves the problem that existing vulnerability code clone detection methods cannot obtain the vulnerability context and the patch repair. The method comprises the steps of obtaining vulnerability data; marking vulnerability code control statements; performing abstract normalization preprocessing on vulnerability source code and patches; constructing a vulnerability function and vulnerability code fingerprint library; performing clone detection on the code to be detected; and judging the detection result and outputting it to complete vulnerability clone detection of the software. Because the method is based on code fingerprints, it avoids the low accuracy of highly abstract techniques; the abstraction preprocessing of the code eliminates the influence of renaming on detection accuracy; the context relationship and the patch are verified, which reduces the false alarm rate; in addition, vulnerable code, control statement and patch detection is carried out on the code to be detected, which expands the application scenarios and reduces the missed report rate. The method is used for detecting bugs caused by code cloning in software.

Description

Technical field

[0001] The invention belongs to the technical field of computers and relates in particular to software vulnerability detection, specifically a vulnerability code clone detection method based on context semantics and patch verification, which is used for source-code-oriented vulnerability clone detection.

Background

[0002] With the continuous development of science and technology, software is applied ever more widely and its scale keeps growing. The demand for software from all walks of life is also increasing. At the same time, attackers can exploit the vulnerabilities in software to intrude into it, causing a large number of security incidents. The number of open source software (OSS) programs is growing at a high speed. The large increase in the number of OSS programs naturally leads to an increase in software vulnerabilities caused by code cloning, which poses a serious threat to the security of software systems. For examp...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57, G06F8/41
CPC: G06F21/577, G06F8/42, G06F2221/033
Inventor: 郭军军, 李浩南, 王正源
Owner: 陕西阡陌通达科技有限公司