A Machine Learning Approach to Detecting Security Vulnerabilities in Software.

检测软件中安全漏洞的机器学习方法。

• 批准号: RGPIN-2018-05931
• 负责人: Lie, David
• 金额: $ 2.04万
• 依托单位: University of Toronto
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2020
• 资助国家: 加拿大
• 起止时间: 2020-01-01 至 2021-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=712433
• 关键词: Machine; Learning; Approach; Detecting; Security

This proposal aims to explore a new way of detecting software vulnerabilities using a novel combination of program analysis, dynamic test generation and machine learning. Currently, one of the most reliable methods for detecting software vulnerabilities is source code audits, where a developer manually inspects the source code of a program to see if vulnerabilities are present. Unfortunately, software systems are large, commonly containing tens of millions of lines of code, making it an impossible task to secure all software through manual code audits. In this proposal, we explore a better way to detect software vulnerabilities--by developing machine learning methods that will identify software vulnerabilities. The key to enabling machine learning to outperform existing vulnerability detection tools is to recognize that there are common programming patterns, embedded in the structure of code, as well as in the names of variables and functions, that can indicate the presence of a vulnerability, but for which there exists no explicit specification. Current solutions that try to mechanize the scanning of code for vulnerabilities all rely only on what is explicitly specified by the programming language or application binary interface (ABI), and do not take these implicit code patterns into account. Some tools do allow a human to hand-specify vulnerability patterns to overcome this limitation, but the huge variation in vulnerability patterns means that even with these specifications, many vulnerabilities will be missed by automated vulnerability detection tools. The key novel approach in this proposal is to use machine learning to automatically learn and utilize programming patterns, embedded in code structure and variable names, that indicate the presence of a vulnerability and use this to automatically detect vulnerabilities in software with high accuracy. We acknowledge that the capabilities of such machine-learning inference may not be completely accurate, and more likely will just indicate code that is very likely vulnerable. To make ensure the identified vulnerabilities are real, we propose combining the inference results with fuzzing, a dynamic testing method that searches for inputs that trigger vulnerabilities. Fuzzers are very effective at triggering vulnerabilities, but they have a critical weakness, which is that they must execute the vulnerable code to detect it, and without a guide to where that code might be, they are forced to generate inputs to execute every code path in a program, which is not only inefficient, but often intractable. We propose the development of new targeted fuzzers, which use hints from our machine learning to select sections of code to focus on, thus increasing the efficiency of fuzzing. Triggering the vulnerability gives unequivocal proof that the vulnerability exists, complementing the inherent imprecision of machine learning

该提案旨在探索一种新的方法来检测软件漏洞，使用一种新的组合程序分析，动态测试生成和机器学习。 目前，用于检测软件漏洞的最可靠的方法之一是源代码审计，其中开发人员手动检查程序的源代码以查看是否存在漏洞。 不幸的是，软件系统很大，通常包含数千万行代码，这使得通过手动代码审计来保护所有软件成为一项不可能的任务。 在这个提案中，我们探索了一种更好的方法来检测软件漏洞-通过开发机器学习方法来识别软件漏洞。 使机器学习优于现有漏洞检测工具的关键是认识到存在嵌入在代码结构以及变量和函数名称中的常见编程模式，这些模式可以指示漏洞的存在，但没有明确的规范。 当前试图机械化扫描漏洞代码的解决方案都只依赖于编程语言或应用程序二进制接口（ABI）显式指定的内容，而不考虑这些隐式代码模式。 一些工具确实允许人类手动指定漏洞模式以克服此限制，但漏洞模式的巨大变化意味着即使使用这些规范，自动漏洞检测工具也会遗漏许多漏洞。 该提案中的关键新方法是使用机器学习来自动学习和利用嵌入在代码结构和变量名称中的编程模式，这些模式指示漏洞的存在，并使用它来自动检测软件中的漏洞。 我们承认，这种机器学习推理的能力可能并不完全准确，更有可能只是指示很可能易受攻击的代码。 为了确保所识别的漏洞是真实的，我们提出了结合推理结果与模糊，一种动态测试方法，搜索触发漏洞的输入。 模糊器在触发漏洞方面非常有效，但它们有一个关键的弱点，那就是它们必须执行易受攻击的代码才能检测到它，并且没有代码可能在哪里的指导，它们被迫生成输入来执行程序中的每个代码路径，这不仅效率低下，而且往往难以处理。我们建议开发新的有针对性的模糊器，它使用我们的机器学习的提示来选择要关注的代码部分，从而提高模糊的效率。 触发漏洞可以明确证明漏洞存在，补充了机器学习固有的不精确性