
[Paper Introduction] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits


Presented at the security conference ACM CCS 2015 (http://www.sigsac.org/ccs/CCS2015/)


  1. VCC-FINDER: FINDING POTENTIAL VULNERABILITIES IN OPEN-SOURCE PROJECTS TO ASSIST CODE AUDITS : ACM CCS 2015 http://www.sigsac.org/ccs/CCS2015/ Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, and Yasemin Acar. 2015. VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). ACM, New York, NY, USA, 426-437. DOI=http://dx.doi.org/10.1145/2810103.2813604 : Kenta Yamamoto <ymkjp@jaist.ac.jp>
  2. VCC VCC-Finder VCC VCC
  3. VCC-FINDER VCC-Finder (false-positive) “VCC” (Vulnerability-contributing Commits): CVE GitHub 640 VCC SVM FlawFinder recall false-positive 99%
  4. CVE 2000 1000 2010 4500 2014 8000 OSS if-statement switch-statement FlawFinder Flawfinder 53 true positive 5,460 false positive 1
  5. FlawFinder Rats, Prefast, Splint Coverity SCM (Software configuration management) fix bug SVM C
  6. 3. VCC 66, 170,860, 718 CVE : C C++ VCC https://www.dropbox.com/s/x1shbyw0nmd2x45/vcc-database.dump?dl=0 VCC
  7. #1 e.g. CVE GitHub CVE CVE 2 1. CVE 2. CVE ID 10% 718 CVE
  8. #2 VCC VCC Git (`git blame`) VCC 718 CVE 640 VCC VCC 1 CVE
  9. #2 VCC 1. 2. `blame` : diff 3. `blame` : fix 4. `blame` (VCC) `blame` VCC
  10. VCC 15% VCC (96) 3.1% (3) `blame` `blame` 3 e.g. Update libtool to version 2.2.8. · vadz/libtiff@31040a3 https://github.com/vadz/libtiff/commit/31040a39 VCC-Finder 3.1% VCC 640 169,502 CVE
  11. 3-2. VCC * 1 Git GitHub
  12. 1
  13. 3-2. VCC GitHub GitHub : i.e. / : 1 diff (hunk) : `bag of words` : C C++
  14. 3-4. Mann-Whitney U ( ; 2 ) VCC VCC * 2 p < 0.000357, 0.01/28 (familywise error rate) effect size ( ) : `if` 70% VCC VCC
  15. 2
  16. 4. VCC VCC Generality ( ): Scalability ( ): Explainability ( ): Generalised Bag-of-Words Model (SVM) Git, GitHub S
  17. 4-1. BAG-OF-WORDS S email φ φ: X → ℝ^|S|, φ: x ⟼ (b(x, s))_{s∈S} X, x ∈ X b(x, s) s x 0, 1 x 0
  18. 4-2. 1 linear Support Vector Machines (SVM) Linear SVM SVM LibLinear VCC-Finder Linear SVM LibLinear 2 VCC ω ω φ(x) ω φ(x) f(x) = ⟨ω, φ(x)⟩ = Σ_{s∈S} ω_s b(x, s) cf. Linear SVM VCC C = 1, W = 100
  19. 5. SVM (-2011) vs. (2011-2014) cf. (TP): SVM CVE-2012-2119, Linux Kernel. `socket` CVE-2013-0862, FFmpeg. 1 CVE-2014-1438, Linux Kernel. `__input` `user` CVE-2014-0148 Qemu. "opaque", "*bs", "bytes" (FP) : CVE VCC FFmpeg cca1a42653 :
  20. (precision) - (recall) 1 (combined)
  21. VCC-FINDER FLAWFINDER 2 VCC-Finder vs. Flawfinder (precision) - (recall) Flawfinder
  22. : PRECISION-RECALL CURVE Precision (P), Recall (R), true positives (Tp), false positives (Fp), false negatives (Fn) P = Tp / (Tp + Fp) R = Tp / (Fp + Fn) Ref. “Image Matching in Large Scale Indoor Environment” - http://www.cs.cmu.edu/~hebert/indexing.html
  23. VCC-FINDER VCC goto `goto` `out` `error` SVM `-EINVAL` C goto goto `exception` `error-handling` : Apple SSL/TLS https://www.imperialviolet.org/2014/02/22/applebug.html `sizeof` `len`, `length` VCC `buf`, `net`, `socket` 1% 5 (: p < 0.0001)
  24. VCC-FINDER C, C++
  25. VCC-Finder Flawfinder C C++ 170,860 2010 2011 2014 Flawfinder 99% 219 53 Flawfinder 5460 36 VCC Flawfinder
  26. APPENDIX: C C++ (Linux, Kerberos, OpenSSL, etc.) 66 GitHub Portspoof, GnuPG, Kerberos, PHP, MapServer, HHVM, Mozilla Gecko, Quagga, libav, Libreswan, Redland Raptor RDF syntax library, charybdis, Jabberd2, ClusterLabs pacemaker, bdwgc, pango, qemu, glibc, OpenVPN, torque, curl, jansson, PostgreSQL, corosync, tinc, FFmpeg, nedmalloc, mosh, trojita, inspircd, nspluginwrapper, cherokee webserver, openssl, libfep, quassel, polarssl, radvd, tntnet, Android Platform Bionic, uzbl, LibRaw, znc, nbd, Pidgin, V8, SpiderLabs ModSecurity, file, graphviz, Linux Kernel, libti, ZRTPCPP, taglib, suhosin, Phusion passenger, monkey, memcached, lxc, libguestfs, libarchive, Beanstalkd, Flac, libX11, Xen, libvirt, Wireshark, and Apache HTTPD
  27. 1. (e.g. ref. https://twitter.com/neubig/status/712857703241089024) VCC Flawfinder recall precision 99% 2 CVE CVE-ID CVE Linear SVM 2. Git 4. 5 5. Prophet VCC-Finder ref. http://people.csail.mit.edu/fanl/papers/prophet-popl16.pdf
  28. THANK YOU FOR YOUR ATTENTION Donating to OpenSSL https://www.openssl.org/support/donations.html
