초록/요약

Common Weakness Enumeration (CWE) refers to a list of faults caused from software or hardware. The CWE includes the faults related to programming language and security. We propose a technique to detect the vulnerabilities from incorrect use of a variable in C language. There are various static/dynamic methods to detect the variable vulnerabilities. However, when analyzing the vulnerabilities, a static technique causes a lot of false alarms, meaning that there is no fault in the actual implementation. When monitoring the variable via the static analysis, there is a great overhead during execution, so its application is not easy in a real environment. In this paper, we propose a method to reduce false alarms and detect vulnerabilities by performing static analysis and dynamic verification using machine learning. Our method extracts information on variables through static analysis and detects defects through static analysis results and execution monitoring of the variables. In this process, it is determined whether the currently used variable values are valid and whether the variables are used in the correct order by learning the initial values and permissible range of the variables using machine learning techniques. We implemented our method as VVDUM (Variable Vulnerability Detector Using Machine learning). We conducted the comparative experiment with the existing static/dynamic analysis tools. As a result, compared with other tools with the rate of variable vulnerability detection between 9.17 similar to 18.5%, ours had that of 89.5%. In particular, VVDUM detects 'defects out of the range of valid' that are difficult to detect with existing methods, and the overhead due to defect detection is small. In addition, there were a few overheads at run time that were caused during data collection for detection of a fault.