Research On Software Vulnerability Evaluation Based On Representation Learning

Soft error can lead to silent data corruption(SDC),i.e.software outputs incorrect results,which affects the reliability of computer system.While the occurrence of SDC makes software untrusted,protection against SDC has been paid more and more attention.One prerequisite to prevent SDC is calculating vulnerability factor of the target program.Traditional methods were based on heuristics,calculating vulnerability factor by analyzing the fault propagation of instructions in the program.These methods were not capable of reflecting the fault propagation mechanism,which led to low prediction accuracy.Representation learning technology enables models to adapt to data from different domains by automatically learning data representations,provides new alternatives for solving software vulnerability analysis problems.This paper proposed a software vulnerability evaluation method based on representation learning technology,which achieved accurate prediction of program vulnerability factor whithout fault injection.The effectiveness of the above methods were verified by comparing with prior models.In summary,our main contributions are as follows:(1)To solve the characterization problem of software vulnerability,this paper proposed a program vulnerability factor evaluation method based on graph attention network(Epic GNN).Epic GNN used structural multi-head self-attention to quantify importance of fault propagations from one node to it’s neighbors and further to graph,different types of edges represent different instruction relationships.Then aggregated the information of node and graph to update the representation.It applied a regression model to predict vulnerability factor.Experimental on spec2000,spec2006,rodinia and other datasets achieved 0.037 ～ 0.258 lower average absolute error compared with traditional methods,and saved time cost 84.2%～95.9%.Moreover,Epic GNN was validated to obtain good performance on unseen graphs.(2)In order to study the impact of different inputs on software vulnerability,this paper proposed an input difference oriented program vulnerability evaluation method(In-Epic).Inspired by domain generalization,the dynamic execution of the program is regarded as domain-specific feature,and the static dependency is regarded as domain-invariant feature.Then aggregated the two feature to a new representation vector,which automatically captured the necessary static and dynamic semantics of the program.Experimental results show this method can evaluate the partial order relationship of the impact of different inputs on software vulnerability,with 0.046～0.468 lower average absolute error and 87% lower time cost compared with results from traditional methods on Siemens,spec2006 and rodinia datasets.Moreover,In-Epic was validated to obtain good performance on unseen graphs.