OCTOPOCS: Automatic Verification of Propagated Vulnerable Code Using Reformed Proofs of Concept

Seongkyeong Kwon, Seunghoon Woo, Gangmo Seong, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Addressing vulnerability propagation has become a major issue in software ecosystems. Existing approaches hold the promise of detecting widespread vulnerabilities but cannot be applied to verify effectively whether propagated vulnerable code still poses threats. We present OCTOPOCS, which uses a reformed Proof-of-Concept (PoC), to verify whether a vulnerability is propagated. Using context-aware taint analysis, OCTOPOCS extracts crash primitives (the parts used in the shared code area between the original vulnerable software and propagated software) from the original PoC. OCTOPOCS then utilizes directed symbolic execution to generate guiding inputs that direct the execution of the propagated software from the entry point to the shared code area. Thereafter, OCTOPOCS creates a new PoC by combining crash primitives and guiding inputs. It finally verifies the propagated vulnerability using the created PoC. We evaluated OCTOPOCS with 15 real-world C and C++ vulnerable software pairs, with results showing that OCTOPOCS successfully verified 14 propagated vulnerabilities.

Original language: English
Title of host publication: Proceedings - 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 174-185
Number of pages: 12
ISBN (Electronic): 9781665435727
Publication status: Published - 2021 Jun
Event: 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021 - Virtual, Online, Taiwan, Province of China
Duration: 2021 Jun 21 to 2021 Jun 24

Publication series

Name: Proceedings - 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021

Conference

Conference: 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021
Country/Territory: Taiwan, Province of China
City: Virtual, Online
Period: 21/6/21 to 21/6/24

Keywords

  • Proofs-of-Concept
  • symbolic execution
  • taint analysis
  • Vulnerability propagation

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
