Friday, February 22, 2008
Wei Le
Chair: David Evans
Advisor: Mary Lou Soffa
OLSSON 236D, 3:00 PM
A Ph.D. Proposal
A Demand-Driven Path-Sensitive Framework to Detect, Diagnose and Test for Software Vulnerabilities
ABSTRACT
Although much effort has been expended to detect and avoid software vulnerabilities, we are still plagued with exploits caused by those vulnerabilities, whose costs are disruptive in terms of lost work and an overall loss of trust in information technologies. The total number of vulnerabilities cataloged in the US-CERT database was 7,236 in 2007, 8,064 in 2006 and 5,990 in 2005. To identify software vulnerabilities, dynamic detectors have been proposed. While helpful, they are not universally applicable because of their runtime overhead and their impact on software availability. Static tools can potentially achieve full path coverage; however, they often report an overwhelming number of false positives or incur high overhead. More precise and helpful information can be provided during detection if knowledge about the execution path is computed. If the safe and infeasible paths that go through a potentially vulnerable statement are identified, they can be immediately excluded from inspection. Identification of vulnerable paths can help manual diagnosis by providing the context of how the vulnerability is produced. Path information would also be useful in testing, in that it would focus the generation of test input on vulnerable paths. The goal of this proposed research is to address the challenges of vulnerability detection with an integrated approach based on path-sensitive analysis. We will develop a comprehensive path-sensitive framework to detect, diagnose and test for vulnerabilities. For scalability, path-sensitive information will be gathered using a demand-driven algorithm. With path-sensitive analysis, we will classify the paths that go through a potentially vulnerable statement as safe, vulnerable, infeasible or don't-know. Only the vulnerable and don't-know paths will be presented as warnings to help in manual and automatic diagnosis. Vulnerable paths will be prioritized according to the severity of the potential exploits.
Input will be generated for vulnerable and don't-know paths by the tester in an attempt to demonstrate an exploit and to reclassify the don't-know paths. The framework will be general and applicable to a class of vulnerabilities we define, including memory errors, integer errors, incorrect enforcement of access controls, and software errors that allow denial of service.
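The following Python is an illustration added here, not code from the proposal or its framework: it sketches the four-way path classification the abstract describes on a constructed C-like function with one potentially vulnerable statement (a write to a 16-byte stack buffer). The control-flow graph, the function and variable names, the buffer size and the input domain are all assumptions made for this example. Real path-sensitive analyses decide feasibility with a constraint solver; here a bounded enumeration of the input stands in for that solver, which also doubles as the test-input generation step, since the first input that drives a path out of bounds is returned as a witness.

```python
"""Classify the paths reaching a potentially vulnerable statement as
safe / vulnerable / infeasible / don't-know, and produce a witness input
for vulnerable paths. Constructed example; not the proposal's framework.

The constructed program being analysed (C-like, assumed):

    void f(int n) {
        char buf[16]; int idx;
        if (n < 0)         idx = 0;               // path A
        else if (n < 20)   idx = n + 1;           // path B
        else if (n < 10)   idx = 99;              // path C (n >= 20 here)
        else               idx = strlen(name());  // path D, unmodeled call
        buf[idx] = 0;                             // the sink
    }
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Optional

BUF_SIZE = 16          # assumed size of buf; the sink is safe iff 0 <= idx < 16


@dataclass
class Assign:
    var: str
    expr: Optional[Callable[[dict], int]]   # None = value from an unmodeled source


@dataclass
class Assume:
    cond: Callable[[dict], bool]            # branch condition taken along the path


# Constructed CFG: node -> [(step on the edge, successor node)].
CFG = {
    "entry": [(Assume(lambda e: e["n"] < 0), "A"),
              (Assume(lambda e: e["n"] >= 0), "else1")],
    "A": [(Assign("idx", lambda e: 0), "sink")],
    "else1": [(Assume(lambda e: e["n"] < 20), "B"),
              (Assume(lambda e: e["n"] >= 20), "else2")],
    "B": [(Assign("idx", lambda e: e["n"] + 1), "sink")],
    "else2": [(Assume(lambda e: e["n"] < 10), "C"),
              (Assume(lambda e: e["n"] >= 10), "D")],
    "C": [(Assign("idx", lambda e: 99), "sink")],
    "D": [(Assign("idx", None), "sink")],       # strlen() result is not modeled
}


def paths_to_sink(cfg, node="entry", sink="sink"):
    """Enumerate the acyclic paths from entry to the sink: the demand is the
    sink, so only edges on some path that reaches it are ever visited."""
    if node == sink:
        yield []
        return
    for step, nxt in cfg.get(node, []):
        for rest in paths_to_sink(cfg, nxt, sink):
            yield [step] + rest


def classify_path(path, inputs, domain=range(-64, 64)):
    """Return (label, witness). Bounded enumeration over the inputs stands in
    for the constraint solver a real path-sensitive analysis would use."""
    feasible = False
    unknown = False
    for values in product(domain, repeat=len(inputs)):
        env = dict(zip(inputs, values))
        for step in path:
            if isinstance(step, Assume):
                if not step.cond(env):
                    break                      # this input does not drive the path
                continue
            env[step.var] = None if step.expr is None else step.expr(env)
        else:                                  # every branch condition held
            feasible = True
            idx = env.get("idx")
            if idx is None:
                unknown = True                 # sink index depends on an unmodeled value
            elif not 0 <= idx < BUF_SIZE:
                return "vulnerable", dict(zip(inputs, values))   # witness input
    if not feasible:
        return "infeasible", None
    return ("don't-know" if unknown else "safe"), None


def analyze(cfg, inputs):
    """Classify every path to the sink, in CFG order."""
    return [classify_path(p, inputs) for p in paths_to_sink(cfg)]


def warnings(cfg, inputs):
    """Only vulnerable and don't-know paths are reported to the analyst."""
    return [r for r in analyze(cfg, inputs) if r[0] in ("vulnerable", "don't-know")]


if __name__ == "__main__":
    for label, witness in analyze(CFG, ["n"]):
        print(f"{label:11s} witness={witness}")
```

Path A is excluded as safe and path C as infeasible (its guards `n >= 20` and `n < 10` contradict), so the analyst only sees path B, with the witness `n = 15` that writes one byte past `buf`, and path D, which stays don't-know until a test input shows whether `strlen()` can exceed 15.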