[Review] Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths

Problem: a missed security operation, such as a bounds check.

Traditional method: cross-checking. Potential bugs are located by collecting a large number of similar code snippets and comparing the patterns of security operations across them.

The paper proposes a new approach to locating such bugs that does not need a large number of similar cases. Instead, only two code snippets are required: the tool constructs object-based similar-path pairs and checks the two paths of each pair against each other.

Background

Large-scale programs usually enforce various kinds of security operations (e.g., security checks, locks, and reference counting) to ensure safety.

According to the paper, missing security operations is the cause of 61% of the vulnerabilities in the National Vulnerability Database (NVD).

Cross-checking:

  • Collect a substantial number of functionally or semantically similar code pieces.
  • Check the behaviors of security operations across these code pieces.
  • Once the majority of the code pieces are found to enforce a security operation, assume that the majority is correct and report the minority cases that miss the security operation as bugs.

Problems:

  • Many code pieces may be unique, and thus we may not be able to find enough similar cases to enable cross-checking.
  • The granularity of code slicing is hard to control.
  • The hypothesis that the majority is correct might not always hold.

Implementation

The paper designs IPPO (Inconsistent Path Pairs as a bug Oracle).

IPPO requires only one pair of similar code paths to determine whether one of the paths misses a security operation.

It constructs object-based similar-path pairs (OSPP): two paths that handle the same object in the same way, so that a security operation present on one path but absent on the other is inconsistent and reported as a potential bug.

Four rules for extraction:

  1. The two paths start at the same block and end at the same block in the CFG.
  2. The object has the same state on both paths.
  3. The two paths have the same SO-influential operations (SO = security operation) on the object.
  4. The two paths have the same sets of pre- and post-conditions against the object.
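The following toy model is an added example and not the paper's or IPPO's own code (the real tool works on LLVM IR, not on a hand-built CFG). It assumes a constructed function with an object `buf` whose control flow splits into four branches and re-merges; the CFG, the per-block operations, the per-block path predicates and the set of operation names treated as security operations are all hypothetical. Rules 1 to 3 are modelled as "same start and end block" and "same sequence of non-security operations on the object"; rule 4 is approximated by requiring the same set of path predicates that mention the object. The differential check then reports any security operation enforced on one path of a pair but missing on the other.

```python
"""Toy model of IPPO-style object-based similar-path pairs (OSPP) and the
differential check over them. Hypothetical example, not the paper's tool."""
from itertools import combinations

# Operation names treated as security operations (SOs). Everything else on the
# object (alloc, assign, copy, free, ...) is treated as SO-influential state.
SECURITY_OPS = {"bounds_check", "null_check", "lock", "unlock",
                "refcount_get", "refcount_put"}

# Constructed CFG: block -> successors.
CFG = {"entry": ["A", "B", "C", "D"], "A": ["exit"], "B": ["exit"],
       "C": ["exit"], "D": ["exit"], "exit": []}

# Constructed per-block operations: block -> [(operation, object)].
BLOCKS = {
    "entry": [("alloc", "buf")],
    # A: takes a reference and checks bounds before copying into buf.
    "A": [("refcount_get", "buf"), ("bounds_check", "buf"), ("copy", "buf")],
    # B: same state and same use of buf as A, but the bounds check is missing.
    "B": [("refcount_get", "buf"), ("copy", "buf")],
    # C: buf is re-assigned first, so its state differs from A/B (rules 2/3 fail).
    "C": [("assign", "buf"), ("refcount_get", "buf"), ("copy", "buf")],
    # D: same ops as B, but only reached under a predicate on buf (rule 4 fails vs A).
    "D": [("refcount_get", "buf"), ("copy", "buf")],
    "exit": [("free", "buf")],
}

# Constructed path predicates: block -> {(object, predicate)} that hold on entry.
CONDS = {"D": {("buf", "len == 0")}}


def simple_paths(cfg, start, end):
    """All acyclic paths from start to end, found by iterative DFS."""
    stack, out = [(start, [start])], []
    while stack:
        node, path = stack.pop()
        if node == end:
            out.append(path)
            continue
        for succ in cfg.get(node, []):
            if succ not in path:
                stack.append((succ, path + [succ]))
    return out


def ops_on(blocks, path, obj):
    """Operations applied to obj along path, in path order."""
    return [op for b in path for op, o in blocks[b] if o == obj]


def conds_on(conds, path, obj):
    """Predicates about obj that hold somewhere along path."""
    return {pred for b in path for o, pred in conds.get(b, ()) if o == obj}


def is_ospp(blocks, conds, p1, p2, obj):
    """Approximation of the paper's four OSPP rules on this toy IR."""
    if p1[0] != p2[0] or p1[-1] != p2[-1]:                  # rule 1
        return False
    inf1 = [op for op in ops_on(blocks, p1, obj) if op not in SECURITY_OPS]
    inf2 = [op for op in ops_on(blocks, p2, obj) if op not in SECURITY_OPS]
    if inf1 != inf2:                                        # rules 2 and 3
        return False
    return conds_on(conds, p1, obj) == conds_on(conds, p2, obj)  # rule 4


def missed_security_ops(blocks, cfg, conds, start, end, obj):
    """Differential check: for every OSPP, an SO present on one path but absent
    on the other is reported as (path_missing_it, op, path_enforcing_it)."""
    paths = sorted(tuple(p) for p in simple_paths(cfg, start, end))
    reports = []
    for p1, p2 in combinations(paths, 2):
        if not is_ospp(blocks, conds, p1, p2, obj):
            continue
        so1 = {op for op in ops_on(blocks, p1, obj) if op in SECURITY_OPS}
        so2 = {op for op in ops_on(blocks, p2, obj) if op in SECURITY_OPS}
        for op in sorted(so1 - so2):
            reports.append((p2, op, p1))
        for op in sorted(so2 - so1):
            reports.append((p1, op, p2))
    return reports


if __name__ == "__main__":
    for missing, op, reference in missed_security_ops(
            BLOCKS, CFG, CONDS, "entry", "exit", "buf"):
        print(f"path {'->'.join(missing)} misses {op} "
              f"(enforced on {'->'.join(reference)})")
```

Only the pair (A, B) survives the four rules, so the check reports exactly one finding: path B misses the `bounds_check` that path A enforces on `buf`. Path C is excluded because its state differs (the extra `assign`), and path D because it runs under a predicate on `buf` that A does not; neither produces a report, which is the point of the rules: they suppress pairs whose difference in security operations is explained by a difference in object state or conditions rather than by a missed check.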


https://gax-c.github.io/blog/2024/07/04/41_paper_review_29/

Author: Gax

Posted on 2024-07-04, updated on 2024-07-05