FaultMiner: Discovering Unknown Software Defects using Static Analysis and Data Mining

Get BibTex-formatted data

Download

PDF

Author

Rajeev Gopalakrishna, Eugene H. Spafford, and Jan Vitek

Tech report number

CERIAS TR 2006-07

Entry type

techreport

Abstract

Improving software assurance is of paramount importance given the impact of software on our lives. Static and dynamic approaches have been proposed over the years to detect security vulnerabilities. These approaches assume that the signature of a defect, for instance the use of a vulnerable library function, is known apriori. A greater challenge is detecting defects with signatures that are not known apriori -- unknown software defects. In this paper, we propose a general approach for detection of unknown defects. Software defects are discovered by applying data-mining techniques to pinpoint deviations from common program behavior in the source code and using statistical techniques to assign significance to each such deviation. We discuss the implementation of our tool, FaultMiner, and illustrate the power of the approach by inferring two types of security properties on four widely-used programs. We found two new potential vulnerabilities, four previously known bugs, and several other violations. This suggests that FaultMining is a useful and promising approach to finding unknown software defects.

Download

PDF

Institution

CERIAS

Key alpha

Gopalakrishna

School

Purdue University

Affiliation

CERIAS and Computer Sciences Department

Publication Date

2001-01-01

- Software Assurance - Static Analysis - Software Engineering - Data Mining

Subject

Software Assurance

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Techreport{ Gopalakrishna,
	title = "FaultMiner: Discovering Unknown Software Defects using Static Analysis and Data Mining",
	author = "Rajeev Gopalakrishna, Eugene H. Spafford, and Jan Vitek",
	institution = "CERIAS",
	school = "Purdue University",
	abstract = "Improving software assurance is of paramount importance given the impact of software on our lives.  Static and dynamic approaches have been proposed over the years to detect security vulnerabilities. These approaches assume that the signature of a defect, for instance the use of a vulnerable library function, is known apriori. A greater challenge is detecting defects with signatures that are not known apriori -- unknown software defects.  In this paper, we propose a general approach for detection of unknown defects.  Software defects are discovered by applying data-mining techniques to pinpoint deviations from common program behavior in the source code and using statistical techniques to assign significance to each such deviation.  We discuss the implementation of our tool, FaultMiner, and illustrate the power of the approach by inferring two types of security properties on four widely-used programs.  We found two new potential vulnerabilities, four previously known bugs, and several other violations. This suggests that FaultMining is a useful and promising approach to finding unknown software defects.",
	affiliation = "CERIAS and Computer Sciences Department",
	contents = "- Software Assurance
- Static Analysis
- Software Engineering
- Data Mining",
	subject = "Software Assurance",
}

FaultMiner: Discovering Unknown Software Defects using Static Analysis and Data Mining

Download

Author

Tech report number

Entry type

Abstract

Download

Institution

Key alpha

School

Affiliation

Publication Date

Contents

Subject

BibTex-formatted data