Abstract
Computer system vulnerabilities, computer viruses, and cyber attacks are rooted in software vulnerabilities. Reducing software defects, improving software reliability and security are urgent problems in the development of software. The core content is the discovery and location of software vulnerability. However, traditional human experts-based approaches are labor-consuming and time-consuming. Thus, some automatic detection approaches are proposed to solve the problem. But, they have a high false negative rate. In this paper, a deep learning based static taint analysis approach is proposed to automatically locate Internet of Things (IoT) software vulnerability, which can relieve tedious manual analysis and improve detection accuracy. Deep learning is used to detect vulnerability since it considers the program context. Firstly, the taint from the difference file between the source program and its patched program selection rules are designed. Secondly, the taint propagation paths are got using static taint analysis. Finally, the detection model based on two-stage Bidirectional Long Short Term Memory (BLSTM) is applied to discover and locate software vulnerabilities. The Code Gadget Database is used to evaluate the proposed approach, which includes two types of vulnerabilities in C/C++ programs, buffer error vulnerability (CWE-119) and resource management error vulnerability (CWE-399). Experimental results show that our proposed approach can achieve an accuracy of 0.9732 for CWE-119 and 0.9721 for CWE-399, which is higher than that of the other three models (the accuracy of RNN, LSTM, and BLSTM is under than 0.97) and achieve a lower false negative rate and false positive rate than the other approaches.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.