In Partial Fulfillment of the Requirements for the Degree of Master of Science
will defend his thesis
Machine Learning Methods for Software Vulnerability Detection
Software vulnerabilities are a primary concern in the IT security industry, as malicious hackers who discover these vulnerabilities can often exploit them for nefarious purposes. Numerous countermeasures, such as canaries, data execution prevention, and address space layout randomization, have been proposed to deter attackers from gaining full control over systems, but thus far, most of these techniques are only minor hurdles for a serious hacker. Currently, the only way to prevent systems from being exploited is by writing secure code. However, complex programs, particularly those written in a relatively low-level language like C, are difficult to fully scan for bugs, even when both manual and automated techniques are used. Companies can spend roughly 100 machine years per year using dynamic analysis to detect bugs in their code, but their software releases may still contain a significant number of bugs. Since analyzing code and making sure it is securely written has proven to be a non-trivial task, improving the existing techniques for automated bug detection is an important area of research. Both static analysis and dynamic analysis techniques have been heavily investigated, and this work focuses on the former.
The contribution of this paper is a demonstration that a large percentage of bugs can be caught by extracting features from C source code and analyzing them with a machine learning classifier. Both relatively simple and complex features were extracted from the functions in this code. Unexpectedly, the simpler features performed better than the complex ones. This suggests that simple code features might be worth researching further, since they are very cheap to analyze and seem to have a lot of potential for vulnerability detection.
Date: Thursday, July 25, 2017
Time: 1:00 PM
Place: PGH 563
Advisor: Dr. Rakesh Verma
Faculty, students, and the general public are invited.