Abstract
Most existing automated vulnerability mining tools generalize poorly and suffer from high false positive and false negative rates. This paper proposes CSVDM, a multi-class static vulnerability detection model for the C language family. CSVDM performs vulnerability mining at the source-code level with two modules: a code similarity comparison module and a generic vulnerability analysis framework module. The code similarity comparison module applies the Longest Common Subsequence (LCS) algorithm together with a graph neural network to perform code clone and homology detection between the source code under test and vulnerability templates, and produces a vulnerability similarity list according to a preset threshold. The generic vulnerability analysis framework module performs context-dependent data flow and control flow analysis of the source code under test, compensating for the similarity module's high false negative rate on vulnerabilities that are not caused by code cloning, and produces a vulnerability analysis list. CSVDM combines the vulnerability similarity list and the vulnerability analysis list into the final vulnerability detection report. Experimental results show that CSVDM improves substantially on the evaluation metrics compared with vulnerability mining tools such as Checkmarx.
Most of the existing automated vulnerability mining tools have poor generalization ability and high false positive and false negative rates. In this paper, a static detection model called CSVDM was proposed for multi-class vulnerabilities in the C language family. CSVDM used a code similarity detection module and a generic vulnerability analysis framework module to perform vulnerability mining at the source code level. The similarity detection module integrated the longest common subsequence (LCS) algorithm and a graph neural network to implement code clone and homology detection, generating the vulnerability similarity list according to a preset threshold. The generic vulnerability analysis framework module performed context-dependent data flow and control flow analysis of the source code to be tested to compensate for the similarity detection module's high false negatives in detecting vulnerabilities not caused by code cloning, and generated the vulnerability analysis list. CSVDM combined the vulnerability similarity list and the vulnerability analysis list to generate the final vulnerability detection report. The experimental results show that CSVDM has a substantial improvement in evaluation metrics compared to other vulnerability mining tools such as Checkmarx.
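The abstract describes the similarity module as comparing source code under test against vulnerability templates with LCS and flagging matches above a preset threshold. The following is an added illustration of that LCS step, written for this page and not taken from the paper: the templates, snippets, tokenizer, normalisation of identifiers to `ID` and numbers to `NUM`, the symmetric score 2·LCS/(|a|+|b|), and the 0.8 threshold are all constructed assumptions, and the paper's graph neural network component is not modelled. It also shows the caveat the abstract points to: a snippet that replaces the unbounded copy with a bounded one still scores 0.75 against the template, so a clone-only check cannot by itself tell a fixed variant from a vulnerable one, which is why the paper pairs similarity with data flow and control flow analysis.

```python
"""Token-level LCS code similarity against vulnerability templates.

Added example, not the paper's code. Templates, snippets, tokenizer and
threshold are constructed here for illustration only.
"""
import re
from typing import Dict, List, Tuple

# Minimal C tokenizer: identifiers/keywords, integer literals, two-char
# operators, then any single punctuation character.
_TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|==|!=|<=|>=|&&|\|\||[^\s\w]")

KEYWORDS = {"if", "else", "for", "while", "return", "int", "char", "void",
            "sizeof", "unsigned", "long", "static"}
# Library call names are kept verbatim because they carry the signal
# (strcpy vs strncpy); all other identifiers collapse to ID so that renamed
# variables, a common clone variant, still line up with the template.
LIBCALLS = {"strcpy", "strncpy", "memcpy", "printf", "sprintf", "snprintf"}


def tokenize(src: str) -> List[str]:
    """Return a normalised token sequence for a C snippet."""
    out: List[str] = []
    for tok in _TOKEN_RE.findall(src):
        if tok in KEYWORDS or tok in LIBCALLS:
            out.append(tok)
        elif tok.isdigit():
            out.append("NUM")
        elif re.fullmatch(r"[A-Za-z_]\w*", tok):
            out.append("ID")
        else:
            out.append(tok)
    return out


def lcs_length(a: List[str], b: List[str]) -> int:
    """Classic O(len(a)*len(b)) LCS with a two-row DP table."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(a: List[str], b: List[str]) -> float:
    """Symmetric similarity in [0, 1]: 2*LCS / (|a| + |b|)."""
    if not a and not b:
        return 1.0
    return 2 * lcs_length(a, b) / (len(a) + len(b))


# Constructed vulnerability templates (names and code are illustrative).
TEMPLATES: Dict[str, str] = {
    "T-STRCPY (unbounded copy into fixed buffer)":
        "void f(char *in) { char buf[64]; strcpy(buf, in); }",
    "T-FMT (caller-controlled format string)":
        "void g(char *msg) { printf(msg); }",
}

# Constructed snippets under test.
CANDIDATES: Dict[str, str] = {
    "clone":   "void handle(char *name) { char dest[128]; strcpy(dest, name); }",
    "bounded": "void safe(char *name) { char dest[128]; "
               "strncpy(dest, name, sizeof dest - 1); dest[127] = 0; }",
    "fmt":     "void log_it(char *m) { printf(m); }",
}


def match_templates(src: str, templates: Dict[str, str] = TEMPLATES,
                    threshold: float = 0.8) -> List[Tuple[str, float]]:
    """Return (template name, score) pairs at or above the threshold,
    highest score first: the per-snippet 'similarity list'."""
    toks = tokenize(src)
    hits = [(name, similarity(toks, tokenize(tmpl)))
            for name, tmpl in templates.items()]
    return sorted([h for h in hits if h[1] >= threshold],
                  key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for label, code in CANDIDATES.items():
        print(label, match_templates(code))
```

Running the block flags `clone` and `fmt` against their respective templates with a score of 1.0 and flags nothing for `bounded`, even though `bounded` still scores 0.75 against the strcpy template; lowering the threshold to catch more clones would start reporting such fixed variants, which is the false positive side of the trade-off the abstract addresses with its second module.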
Authors
朱丽娜
马铭芮
朱东昭
ZHU Lina; MA Mingrui; ZHU Dongzhao (Department of Network Information Security, Guangdong Police College, Guangzhou 510442, China; School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China; Hubei Key Laboratory of Distributed System Security, Wuhan 430074, China; Hubei Engineering Research Center on Big Data Security, Wuhan 430074, China; Heilongjiang Branch of China Mobile Information Technology Co., Ltd., Harbin 150001, China)
Source
《信息网络安全》
CSCD
Peking University Core Journals
2022, No. 10, pp. 59-68 (10 pages)
Netinfo Security
Funding
National Natural Science Foundation of China [6217071437, 62072200, 62127808]
Natural Science Foundation of Guangdong Province [2020A1515011096, 2019A1515011841]
Guangdong Police College institutional research project [2022SY02].