基于漏洞指纹的软件脆弱性代码复用检测方法

Software vulnerable code reuse detection method based on vulnerability fingerprint

针对传统脆弱性代码复用检测技术漏报率高的问题,提出基于漏洞指纹的检测方法.分析开源项目漏洞补丁的结构与脆弱性代码特征,总结代码复用过程中常见修改手段的特点,设计基于哈希值的漏洞指纹模型.开展代码预处理消除无关因素的影响,选取固定行数的代码块作为特征抽象粒度,利用哈希算法抽取关键代码特征.通过搜集开源项目漏洞信息与相关代码片段构建漏洞样本库,利用基于LCS的相似性评估算法定位漏洞样本的复用并且标记为敏感代码,使用漏洞指纹进行检测并根据识别策略完成对脆弱性代码的判定.实验结果表明,基于漏洞指纹的检测方法能够有效地应对多种代码修改手段的影响,明显提高检测效率,检测时间与输入代码量呈线性增长关系.

A detection method for vulnerable code reuse based on vulnerability fingerprint was proposed to reduce the false negative rate of traditional methods.The structure of the vulnerability patch on open source projects and the feature of vulnerable code were analyzed,the common methods of code reuse were summarized and the fingerprint model based on hash value was presented.Code preprocessing was introduced to reduce the influence of irrelevant factors.The code block with fixed line number was used as the basic unit for feature abstraction and the hash algorithm was introduced to extract features from the code.The vulnerability instance database was established by collecting vulnerability details and relevant codes in open source project.The LCS-based similarity measuring method was employed to locate the reuse of the instance and mark them as sensitive codes.Under the instruction of the judging strategy,the vulnerability fingerprint was applied to identify vulnerable code reuse among the sensitive codes accurately.The experimental results showed that the proposed method can deal with the impact of the commonly used code modification methods effectively as well as improve the efficiency obviously,and there was linear dependence between the time cost and the amount of input code.