Detecting security vulnerabilities using clone detection and community knowledge
Paper in proceeding, 2019

Faced with the severe financial and reputation implications associated with data breaches, enterprises now recognize security as a top concern for software analysis tools. While software engineers are typically not equipped with the required expertise to identify vulnerabilities in code, community knowledge in the form of publicly available vulnerability databases could come to their rescue. For example, the Common Vulnerabilities and Exposures Database (CVE) contains data about already reported weaknesses. However, the support with available examples in these databases is scarce. CVE entries usually do not contain example code for a vulnerability, its exploit or patch. They just link to reports or repositories that provide this information. Manually searching these sources for relevant information is time-consuming and error-prone. In this paper, we propose a vulnerability detection approach based on community knowledge and clone detection. The key idea is to harness available example source code of software weaknesses, from a large-scale vulnerability database, which are matched to code fragments using clone detection. We leverage a clone detection technique from the literature, which we adapted to make it applicable to vulnerability databases. In an evaluation based on 20 reports and affected projects, our approach showed good precision and recall.

Security

Information systems

Code clones

Author

Fabien Patrick Viertel

University of Hanover

Wasja Brunotte

University of Hanover

Daniel Strüber

University of Gothenburg

Kurt Schneider

University of Hanover

Proceedings of the International Conference on Software Engineering and Knowledge Engineering, SEKE

23259000 (ISSN) 23259086 (eISSN)

Vol. 2019-July 245-252
1891706489 (ISBN)

31st International Conference on Software Engineering and Knowledge Engineering, SEKE 2019
Lisbon, Portugal,

Subject Categories

Software Engineering

Information Systemes, Social aspects

Computer Science

DOI

10.18293/SEKE2019-183

More information

Latest update

1/16/2023