Automatic Security Bug Classification: A Compile-Time Approach

Abstract

Program security bugs pose a great threat to users' privacy and security. A great deal of effort, e.g., runtime defense, dynamic detection, and static detection, has been conducted to attempt to be aware of the existence of security bugs. Most of the prior work focuses on detecting the security bugs. They report a mixed set of security bugs, regardless of whether the elements in the set are useful to the developers for the debugging. In this paper, we are instead devoted to automatically classifying the security bugs for the purpose of the productivity to the developers. Our insight is that the existing common security bugs can be featured by a simple rule that can be further simplified into a mathematical assertion problem. Based on this insight, we propose a Compile Time Error Segregator (CTES), which can automatically classify the security bugs into three categories, including deterministic bugs, internal indeterministic bugs, and external indeterministic bugs. The core idea of achieving the above includes three steps: 1) building a rule library according to the feature of each type of security bugs (e.g., buffer overflow, null-pointer dereference, and divide-by-zero), 2) obtaining the requisite information appearing in the rule, 3) verifying if the rule is established. If so, a deterministic bug is found, otherwise, a novel inverse taint analysis is further performed to distinguish the remaining two categories. We implement CTES on top of LLVM (3.5.0), running in parallel with normal compile procedure. Our experimental results on micro-benchmark and 14 real programs demonstrate the efficiency of CTES, and also show that CTES is able to precisely make the reported security bugs well-classified into three-categories.