セキュリティカンファレンス ACM CCS 2015 http://www.sigsac.org/ccs/CCS2015/ にて発表

1. VCC-FINDER: FINDING POTENTIALVULNERABILITIES
IN OPEN-SOURCE PROJECTSTO ASSIST CODE AUDITS
: ACM CCS 2015 http://
www.sigsac.org/ccs/CCS2015/
Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp,
FabianYamaguchi, Konrad Rieck, Sascha Fahl, andYasemin
Acar. 2015.VCCFinder: Finding PotentialVulnerabilities in
Open-Source Projects to Assist Code Audits. In
Proceedings of the 22nd ACM SIGSAC Conference on
Computer and Communications Security (CCS '15).ACM,
NewYork, NY, USA, 426-437. DOI=http://dx.doi.org/
10.1145/2810103.2813604
: KentaYamamoto <ymkjp@jaist.ac.jp>

2. VCC
VCC-Finder
VCC
VCC

3. -VCC-FINDER
VCC-Finder
( false-positive)
“VCC” (Vulnerability-contributing Commits):
CVE GitHub
640 VCC
SVM
FlawFinder recall false-positive
99%

4. -
CVE
2000 1000
2010 4500
2014 8000
OSS
if-statement
switch-statement
FlawFinder
Flawfinder 53
true positive 5,460 false positive
1

5. FlawFinder Rats,
Prefast, Splint
Coventry
SCM (Software configuration management)
fix bug
SVM
C

6. 3.VCC
66 , 170,860 , 718CVE
: C C++
VCC
https://www.dropbox.com/s/x1shbyw0nmd2x45/vcc-
database.dump?dl=0
VCC

7. #1
e.g.
CVE
GitHub CVE
CVE 2
1. CVE
2. CVE ID
10%
718 CVE

8. #2 VCC
VCC
Git
(`git blame` )
VCC
718 CVE 640 VCC
VCC 1
CVE

9. #2VCC
1.
2. `blame`
:
diff
3.
`blame`
: fix
4. `blame`
(VCC)
`blame`
VCC

10. VCC
15% VCC (96 )
3.1% (3 )
`blame`
`blame` 3
e.g. Update libtool to version 2.2.8. · vadz/
libtiff@31040a3 https://github.com/vadz/libtiff/commit/
31040a39
VCC-Finder
3.1%
VCC 640 169,502
CVE

11. 3-2.VCC
* 1
Git GitHub

12. 1

13. 3-2.VCC
GitHub
GitHub
:
i.e. /
: 1 diff
(hunk)
: `bag of words`
: C C++

14. 3-4.
Mann-Whitney U ( ;
2 )
VCC
VCC * 2
p < 0.000357, 0.01/28
( familywise error rate
)
effect size ( )
: `if` 70%
VCC
VCC

15. 2

16. 4. VCC
VCC
Generality ( ):
Scalability ( ):
Explainability ( ):
Generalised Bag-of-Words Model
(SVM)
Git, GitHub
S

17. 4-1. BAG-OF-WORDS
S
email
φ
φ: X → ℝ^|S|, φ: x ⟼ (b(x, s))s∈S
X ,x ∈ X
b(x, s) s x
0, 1
x
0

18. 4-2.
1 linear SupportVector Machines (SVM)
Linear SVM
SVM
LibLinear
VCC-Finder Linear SVM
LibLinear
2 VCC
ω
ω
φ(x) ω φ(x)
f(x) = (x), ω = Σs∈S ωs b(x, s)
cf.
Linear SVM
VCC C = 1,
W = 100

19. 5.
SVM (-2011) vs.
(2011-2014) cf.
(TP): SVM
CVE-2012-2119, Linux Karnel. ,
, `socket`
CVE-2013-0862, FFmpeg.
, 1
CVE-2014-1438, Linux Karnel. ,
, ,
`__input` `user`
CVE-2014-0148 Qemu.
"opaque", "*bs", "bytes"
(FP) : CVE
VCC
FFmpeg
cca1a42653 . :
, ,

20. (precision) - (recall)
1
(combined)

21. VCC-FINDER FLAWFINDER
2 VCC-Finder vs. Flawfinder (precision) -
(recall) Flawfinder

22. : PRECISION-RECALL CURVE
Precision (P), Recall (R), true positives (Tp), false positive (Fp),
false negative (Fn)
P = Tp / (Tp + Fp)
R = Tp / (Fp + Fn)
Ref.“Image Matching in Large Scale Indoor Environment” -
http://www.cs.cmu.edu/~hebert/
indexing.html

23. VCC-FINDER
VCC goto
`goto` `out`
`error`
SVM `-EINVAL`
C goto
goto
`exception` `error-handling`
: Apple SSL/TSL
https://www.imperialviolet.org/2014/02/22/applebug.html
`sizeof` `len`, `length`
VCC `buf`, `net`, `socket`
1%
5 (
: p < 0.0001)

24. VCC-FINDER
C, C++

25. VCC-Finder
Flawfinder
C C++ 170,860
2010 2011 2014
Flawfinder
99% 219 53
Flawfinder 5460 36
VCC
Flawfinder

26. APPENDIX:
C C++
(Linux, Kerberos, OpenSSL, etc.)
66 GitHub
Portspoof, GnuPG, Kerberos, PHP, MapServer, HHVM, Mozilla
Gecko, Quagga, libav, Libreswan, Redland Raptor RDF syntax
library, charybdis, Jabberd2, ClusterLabs pacemaker, bdwgc,
pango, qemu, glibc, OpenVPN, torque, curl, jansson,
PostgreSQL, corosync, tinc, FFmpeg, nedmalloc, mosh, trojita,
inspircd, nspluginwrapper, cherokee webserver, openssl, libfep,
quassel, polarssl, radvd, tntnet,Android Platform Bionic, uzbl,
LibRaw, znc, nbd, Pidgin,V8, SpiderLabs ModSecurity, file,
graphviz, Linux Kernel, libti, ZRTPCPP, taglib, suhosin, Phusion
passenger, monkey, memcached, lxc, libguestfs, libarchive,
Beanstalkd, Flac, libX11, Xen, libvirt,Wireshark, and Apache
HTTPD

27. 1.
(e.g.
ref. https://twitter.com/
neubig/status/712857703241089024 ) VCC
Flawfinder
recall precision 99%
2
CVE
CVE-ID CVE
Linear SVM
2. Git
4.
5
5.
Prophet VCC-Finder
ref. http://people.csail.mit.edu/fanl/papers/prophet-popl16.pdf

28. THANKYOU
FORYOUR ATTENTION
Donating to OpenSSL https://www.openssl.org/support/donations.html