Towards Automatically Generating Security Analyses from Machine-Learned Library Models

Maria Kober, Steven Arzt

Computer Security - ESORICS 2021, Part II (2021)

Abstract
Automatic code vulnerability scanners identify security antipatterns in application code, such as insecure uses of library methods. However, current scanners must regularly be updated manually with new library models, patterns, and corresponding security analyses. We propose a novel, two-phase approach called Mod4Sec for automatically generating static and dynamic code analyses that target vulnerabilities arising from library (mis)usage. In the first phase, we automatically infer semantic properties of libraries at the method and parameter level using supervised machine learning. In the second phase, we combine these models with high-level security policies. We present preliminary results from the first phase of Mod4Sec, in which we identify security-relevant methods with categorical F1-scores between 0.81 and 0.93.
Keywords
Vulnerability scanner, Vulnerability detection, Security analysis, Specialized domain language, Automated analysis, Mod4Sec