
Research On Code Vulnerability Scanning Based On Patch Characteristics

Posted on: 2022-07-20
Degree: Master
Type: Thesis
Country: China
Candidate: S Q Liu
Full Text: PDF
GTID: 2518306563973559
Subject: Cyberspace security
Abstract/Summary:
Software vulnerabilities are defects in code, or certain classes of problems that arise from the use of computer systems. With today's rapid growth of the software industry, a wide range of security problems caused by vulnerabilities in software systems comes with it. To resist attacks that exploit vulnerabilities, and the threat posed by the vulnerabilities themselves, two main detection approaches are currently used: (1) source code vulnerability detection, which is relatively simple but suffers from problems such as a high false alarm rate; and (2) binary vulnerability detection, which, lacking source code information, has shortcomings such as low accuracy and poor generality. Binary detection at the code level is therefore very challenging.

At present, various open source software projects have release versions from different vendors. Take the Linux operating system as an example: both the release version and the open source version are developed on the basis of the Linux kernel. Compared with the open source version, however, the release version, although built from the open source code, contains only binary code, lacks source code information, and iterates more slowly. Maintenance, updates and patches are not synchronized in time, so known vulnerabilities remain unfixed. In this situation, using detection information from the open source version makes it possible to apply source-code-level information to binary code vulnerability detection and to improve detection accuracy.

To address these problems of release versions, and building on related work in known vulnerability detection, this thesis proposes BinScan, a vulnerability scanning model from source code to binary based on patch features. The specific contributions are as follows:

(1) For source code vulnerability detection, by analyzing source code security patches, a known vulnerability detection algorithm for source code based on patch characteristics is proposed, comprising a patch-based localization algorithm, a matching algorithm, and a method for solving the version backtracking problem. Patching is an effective means of fixing vulnerabilities; by detecting whether a patch is present, the existence of a software vulnerability can be determined, which addresses the current high false alarm rate and the uncertainty about which versions are affected.

(2) Building on the source code vulnerability detection, a library of binary files built before and after the patch for the open source version of the software is generated as a binary code vulnerability library; binary code vulnerabilities are detected through source code information, and a known vulnerability detection method for binaries based on similarity detection is designed. This method first uses CFG and DeepBinDiff algorithms to obtain the code embeddings and intermediate features generated before and after the patch, and then measures the similarity between the binary code under test and the pre- and post-patch files, so that the source-code-level vulnerability detection method can be applied at the binary level through similarity testing. This solves the release version's lack of maintenance and lack of source code support.

(3) To make full use of known vulnerability information, the vulnerability detection tool BinScan was designed and developed to perform vulnerability detection on both source code and binary code. Using the Linux kernel as an example, this thesis constructs a software vulnerability data set with a total of 2700 vulnerability records and 15,496 patch files. The experimental results show that, compared with other methods, the systematic detection in this thesis achieves higher detection efficiency, and all source code vulnerability detection results can be obtained within the specified time. In particular, BinScan scans for known vulnerabilities in source code based on patch features with good performance, strong pertinence and wide applicability, effectively improving the accuracy of vulnerability detection, with a verification accuracy rate of 93%. The binary code vulnerability detection experiment on open source code and release code further verifies the feasibility and effectiveness of the method in this thesis.
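As an added illustration of the patch-presence idea behind contribution (1), the following is example code written for this page, not the thesis's BinScan implementation: it parses a unified-diff security patch into hunks, then decides for a target source file whether the fix lines are present (patched), the vulnerable lines remain (vulnerable), or the patched region does not exist in that version at all (the version-backtracking case). The patch, file names and target snippets are constructed for the example.

```python
import re
from typing import List, Set, Tuple
Hunk = Tuple[List[str], List[str], List[str]]  # (context, removed, added) lines

def _norm(line: str) -> str:
    # Collapse whitespace so indentation or tab changes alone cannot hide a match.
    return re.sub(r"\s+", " ", line).strip()

def parse_hunks(patch: str) -> List[Hunk]:
    """Split a unified diff into per-hunk (context, removed, added) line lists."""
    hunks: List[Hunk] = []
    for line in patch.splitlines():
        if line.startswith("@@"):
            hunks.append(([], [], []))
        elif hunks and line[:1] in (" ", "-", "+"):  # file headers before @@ skipped
            hunks[-1][" -+".index(line[0])].append(_norm(line[1:]))
    return hunks

def classify_hunk(hunk: Hunk, present: Set[str]) -> str:
    ctx, rem, add = hunk
    anchors = [c for c in ctx if len(c) > 3]  # lone braces are useless anchors
    if anchors and not any(a in present for a in anchors):
        return "absent"  # the patched region does not exist in this version
    if all(a in present for a in add) and not any(r in present for r in rem):
        return "patched"  # every fix line present and no vulnerable line left
    return "vulnerable"

def classify(patch: str, target: str) -> str:
    """Verdict for one target source file: 'vulnerable', 'patched' or 'absent'."""
    present = {_norm(l) for l in target.splitlines()}
    verdicts = {classify_hunk(h, present) for h in parse_hunks(patch)}
    return next((v for v in ("vulnerable", "patched") if v in verdicts), "absent")

# Constructed sample patch (unified diff) adding a length check before memcpy.
PATCH = """\
--- a/drivers/demo.c
+++ b/drivers/demo.c
@@ -10,6 +10,8 @@ static int handle(struct req *r)
 {
 \tchar buf[64];
+\tif (r->len > sizeof(buf))
+\t\treturn -EINVAL;
 \tmemcpy(buf, r->data, r->len);
 \treturn process(buf);
 }
"""
# Constructed targets: never patched; patched but re-indented with spaces; a
# version that lacks the function entirely (the version-backtracking case).
UNPATCHED = "static int handle(struct req *r)\n{\n    char buf[64];\n    memcpy(buf, r->data, r->len);\n    return process(buf);\n}\n"
PATCHED = UNPATCHED.replace("    memcpy", "    if (r->len > sizeof(buf))\n        return -EINVAL;\n    memcpy")
UNRELATED = "static int other(void)\n{\n    return 0;\n}\n"
```

Calling classify(PATCH, f) on the three targets yields "vulnerable", "patched" and "absent" respectively; the whitespace normalisation is what keeps the space-indented backport from being misreported as unpatched.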
Keywords/Search Tags: patch characteristics, vulnerability scanning, binary, source code, security