Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

VCCFinder: Finding potential vulnerabilities in open-source projects to assist code audits

: Perl, H.; Dechand, S.; Smith, M.; Arp, D.; Yamaguchi, F.; Rieck, K.; Fahl, S.; Acar, Y.


Association for Computing Machinery -ACM-:
CCS 2015, 22nd ACM SIGSAC Conference on Computer and Communications Security. Proceedings : Denver, Colorado, USA, October 12 - 16, 2015
New York: ACM, 2015
ISBN: 978-1-4503-3832-5
Conference on Computer and Communications Security (CCS) <22, 2015, Denver/Colo.>
Conference Paper
Fraunhofer FKIE ()

Despite the security community's best effort, the number of serious vulnerabilities discovered in software is increasing rapidly. In theory, security audits should find and remove the vulnerabilities before the code ever gets deployed. How-ever, due to the enormous amount of code being produced, as well as a the lack of manpower and expertise, not all code is sufficiently audited. Thus, many vulnerabilities slip into production systems. A best-practice approach is to use a code metric analysis tool, such as Flaw finder, to ag potentially dangerous code so that it can receive special attention. However, because these tools have a very high false-positive rate, the manual effort needed to find vulnerabilities remains overwhelming. In this paper, we present a new method of finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. We combine code-metric analysis with metadata gathered from code repositories to help code review teams prioritize their work. The paper makes three contributions. First, we conducted the first large-scale mapping of CVEs to GitHub commits in order to create a vulnerable commit database. Second, based on this database, we trained a SVM classifier to ag suspicious commits. Compared to Flaw finder, our approach reduces the amount of false alarms by over 99% at the same level of recall. Finally, we present a thorough quantitative and qualitative analysis of our approach and discuss lessons learned from the results. We will share the database as a benchmark for future research and will also provide our analysis tool as a web service.