软件安全漏洞是计算机安全领域的关键问题之一,在过去几十年中陆续提出了许多方法来减轻软件漏洞的损害。 机器学习和数据挖掘技术也是解决该问题的众多方法之一。 在本文中,回顾了基于机器学习和数据挖掘技术的软件漏洞分析和挖掘领域的工作,讨论了各种方法的优、缺点,并指出了该领域的挑战和一些未知领域。
Software vulnerability analysis, software vulnerability discovery, software security, machine-learning, data-mining, review, survey
计算机软件无处不在,并且人类生活在很大程度上依赖于各种各样的软件。不同形式的软件在不同平台上运行,既有手持移动设备上简单的应用程序,也有复杂的分布式企业软件系统。这些软件基于各种各样的技术,以不同的方法产生,每种技术都有自己的优点和局限。 在这个庞大的产业以及计算机安全领域中,一个重要的问题是软件安全漏洞。引用行业专家的话:
“In the context of software security, vulnerabilities are specific flaws or oversights in a piece of software that allow attackers to do something malicious: expose or alter sensitive information, disrupt or destroy a system, or take control of a computer system or program.” Dowd et al. (2007)
软件漏洞根据开发的复杂性和攻击面等因素,带来不同严重程度的危害(Nayak等,2014)。 在过去的二十年中,存在大量因为软件漏洞而对公司和个人造成了重大损害的事件。一个突出的例子是流行浏览器插件中的漏洞情况,这些漏洞威胁到数百万互联网用户的安全和隐私。例如,Adobe Flash Player (US-CERT 2015; Adobe Security Bulletin 2015) 和Oracle Java (US-CERT 2013)。此外,基础开源软件中的漏洞也威胁到全球数千家公司及其客户的安全(例如Heartbleed(Codenomicon 2014),ShellShock(赛门铁克安全响应2014)和Apache Commons(Breen 2015))。上述例子只是每年报告大量漏洞中的一小部分。
针对这个重要的问题,学术界、软件行业的研究人员已经提出了许多减弱危害的方法。 Shahriar和Zulkernine (2012) 针对安全漏洞的不同方法进行了广泛调研,包括测试,静态分析和混合分析,以及1994年至2010年期间发布的安全编程,程序转换和修补方法。
但在接下来的几年中(从2011年开始),研究界越来越关注另一类方法。这些方法利用来自数据科学和人工智能(AI)领域的技术来解决软件漏洞分析和发现问题。 Shahriar和Zulkernine (2012) 忽略了这类有趣的方法。
在本文中,调研了利用数据挖掘和机器学习技术的软件漏洞分析和发现方法。首先,定义了软件漏洞分析和挖掘的问题,并简要介绍了该领域的传统方法。简要介绍了机器学习和数据挖掘技术及其使用背后的动机。分别阐述了利用机器学习和数据挖掘技术解决软件漏洞分析和挖掘问题的工作。为这类方法进行分类,并讨论了它们的优点和局限性。最后,讨论了该领域的挑战,并指出了一些未知的领域,以激发这一新兴研究领域的工作。
首先给出前人对软件安全漏洞的定义
“an instance of an error in the specification, development, or configuration of software such that its execution can violate the security policy.” (Krsul 1998)
“A software vulnerability is an instance of a mistake in the specification, development, or configuration of software such that its execution can violate the explicit or implicit security policy.” Ozment (2007)
“In the context of software security, vulnerabilities are specific flaws or oversights in a piece of software that allow attackers to do something malicious: expose or alter sensitive information, disrupt or destroy a system, or take control of a computer system or program.” Dowd et al. (2007)
IEEE标准软件工程术语表(IEEE标准1990):
error: “the difference between a computed, observed, or measured value or condition and the true, specified, or theoretically correct value or condition” .
fault: “an incorrect step, process, or data definition in a computer program”. Faults are also known as flaws or bugs.
failure: “the inability of a system or component to perform its required functions within specified performance requirements”.
mistake: “a human action that produces an incorrect result”.
A summary and clarification of the relation of these terms is to “distinguish between the human action (a mistake), its manifestation (a hardware or software fault), the result of the fault (a failure), and the amount by which the result is incorrect (the error)” (IEEE Standards 1990).
本文定义:
A software vulnerability is an instance of a flaw, caused by a mistake in the design, development, or configuration of software such that it can be exploited to violate some explicit or implicit security policy.
软件漏洞的原因是人为错误,其表现形式是缺陷。执行对易受攻击软件的执行不一定违反安全策略; 直到某些特定数据(漏洞利用代码)或某些具有某些条件的随机数据到达有缺陷的语句,此时,其执行可能违反某些安全策略。
“In general, software vulnerabilities can be thought of as a subset of the larger phenomenon of software bugs. Security vulnerabilities are bugs that pack an extra hidden surprise: A malicious user can leverage them to launch attacks against the software and supporting systems.” Dowd et al. (2007)
程序漏洞分析是决定给定程序是否包含已知安全漏洞(根据安全策略)的问题。 基于图灵停止问题和赖斯定理的不可判定性,可以证明许多程序分析问题在一般情况下也是不可判定的 (Landi 1992; Reps 2000)。 对于从业者而言,不可判定性意味着不存在对问题完备的解决方案。
在数学逻辑中,如果系统没有无效参数被批准,则证明系统是可靠的。如果所有有效参数都可以被系统批准,则证明系统是完整的。通过推论,一个可靠的完备的证明系统是一个能够批准所有有效论证并反驳所有无效论证的系统(Xie et al.2005)。在软件安全的背景下,如果漏洞分析系统永远不会批准易受攻击的程序(没有漏掉漏洞),那么它就是可靠的。如果可以批准所有安全程序(没有虚假漏洞),则漏洞分析系统是完备的。
除了漏洞分析之外,更实用的系统是程序漏洞挖掘(或漏洞报告)系统。与批准或拒绝给定程序的安全性(即二进制输出)的漏洞分析系统相比,程序漏洞挖掘系统报告在程序中发现的每个漏洞更详细的信息(例如类型,位置等)程序。同样,一个完备且可靠的软件漏洞挖掘系统是不存在的。
在大量漏洞挖掘技术中,下面三种方法在软件产业种应用更为广泛。
在上文提到的传统方法之外,另一类不同的方法应用数据科学和人工智能领域技术的方法来处理软件漏洞分析和挖掘问题,在2011年以后收到了很大的关注。
AI领域的机器学习方法已经被证明在不同的应用场景都有着显著的效果。
“In their early days, computer security and artificial intelligence didn’t seem to have much to say to each other . . . Security researchers aimed to fix the leaks in the plumbing of the computing infrastructure or design infrastructures they deemed leakproof . . . But the two fields have grown closer over the years, particularly where attacks have aimed to simulate legitimate behaviors . . . We might imagine systems that would have a degree of self-awareness about the data that they process. The notion of reflective systems (systems that can reference and modify their own behavior) has its origins in the AI community . . . Imagine a plumbing system that contained a system of smart pipes that could detect incipient leaks. A cyber-infrastructure that incorporated the analog of smart pipes would be of great interest.” Landwehr (2008)
脆弱性预测模型基于通用的软件工程度量,利用数据挖掘,机器学习和统计分析技术预测软件开发中的漏洞(源代码文件,面向对象类等)。这些方法的主要思想来自于软件工程中的软件质量和可靠性保证领域。缺陷预测模型已应用于工业界((Khoshgoftaar et al. 1997)。
Table 1. Summary of Recent Works on Vulnerability Prediction Models Based on Software Metrics
Paper | Metrics | Granularity | Within/Cross-project | Vulnerability info |
---|---|---|---|---|
(Zimmermann et al. 2010) | Code-churn, complexity, coverage,dependency, organizational | Binary modules | Within-project | Public advisories |
(Meneely and Williams 2010) | Developer-activity | Source file | Within-project | Public advisories |
(Doyle and Walden 2011) | Code complexity, Security Resources Indicator | Source file | Within-project | Tool-based detection |
(Shin and Williams 2013) | Complexity, code-churn, fault-history | Source file | Within-project | Public advisories |
(Shin and Williams 2011) | Code complexity, dependency network complexity, execution complexity | Source file | Within-project | Public advisories |
(Shin et al. 2011) | Complexity, code-churn,developer-activity | Source file | Within-project | Public advisories |
(Moshtari et al. 2013) | Unit complexity, coupling | Source file | both | Self-developed detection framework |
(Meneely et al. 2013) | Code-churn, developer-activity | Code commits | Within-project | Public advisories |
(Bosu et al. 2014) | Developer-activity | Code commits | Within-project | Public advisories |
(Perl et al. 2015) | Code-churn, developer-activity, GitHub meta-data | Code commits | Cross-project | Public advisories |
(Walden et al. 2014) | Code complexity | Source file | both | Public advisories |
(Morrison et al. 2015) | Code-churn, complexity, coverage, dependency, organizational | Binary modules,source file | Within-project | Public advisories |
(Younis et al. 2016) | Code complexity, Information Flow,Functions, Invocations | Functions | Within-project | Public advisories |
Table 2. Summary of Reviewed Works on Anomaly Detection for Vulnerability Discovery
Paper | Type | Approach | Within/Cross-project | Security focused |
---|---|---|---|---|
(Engler et al. 2001) | API usage pattern | Template-based rule extraction | Within | Yes |
(Livshits and Zimmermann 2005) | API usage pattern | Association rule mining | Within | No |
(Li and Zhou 2005) | API usage pattern | Frequent closed itemset mining | Within | No |
(Wasylkowski et al. 2007) | API usage pattern | Frequent closed itemset mining | Within | No |
(Acharya et al. 2007) | API usage pattern | Frequent partial-order itemset mining | Cross | No |
(Chang et al. 2008) | Missing checks | Maximal frequent sub-graph mining | Within | No |
(Thummalapenta and Xie 2009) | API usage pattern + Missing checks | Imbalanced frequent itemset mining | Cross | No |
(Gruska et al. 2010) | API usage pattern | Frequent closed itemset mining | Cross | No |
(Yamaguchi et al. 2013) | Missing checks | k-Nearest neighbors + bag-of-words | Within | Yes |
Table 3. Summary of Reviewed Works on Vulnerable Code Pattern Recognition
Paper | Code Processing Approach | Learning Approach | Static/Hybrid | Source/Binary |
---|---|---|---|---|
(Yamaguchi et al. 2011, 2012) | Extracting AST with parser | Supervised (classification) | Static | Source |
(Shar and Tan 2012, 2013) | Static data flow analysis | Supervised (classification) | Static | Source |
(Shar et al. 2013, 2015) | Static program slicing and control flow analysis | Semi-supervised and supervised (classification) | Hybrid | Source |
(Scandariato et al. 2014) | Bag-of-words extraction from program source text | Supervised (classification) | Static | Source |
(Yamaguchi et al. 2014, 2015) | Extracting Code Property Graph | Unsupervised (clustering) | Static | Source |
(Pang et al. 2015) | N-gram analysis on program source text | Supervised (classification) | Static | Source |
(Grieco et al. 2015) | N-gram analysis on function call sequences | Supervised (classification) | Hybrid | Binary |
Table 4. Summary of Reviewed Miscellaneous Approaches
Paper | Approach Summary |
---|---|
(Sparks et al. 2007) | Used Genetic Algorithm (GA) for intelligently guiding the input selection process of black-box fuzz testing |
(Wijayasekara et al. 2012, 2014) | Used text mining (bag-of-words) on bug reports in open bug databases for identifying hidden impact bugs (HIBs) |
(Alvares et al. 2013) | Used a hybrid of static data-flow analysis and computational intelligence (GA and FSS) techniques for discovering exploitable memory corruption vulnerabilities |
(Medeiros et al. 2014) | Used classification techniques on the output of static tainted data-flow analysis for web application vulnerability discovery to identify false-positive reports |
(Sadeghi et al. 2014) | Used a probabilistic rule ranking approach based on the information contained in categorized software repositories to improve the efficiency and scalability of static vulnerability analysis tools |