Software is a critical element in a wide range of real-world applications. Attacks against computer software can cause substantial damage to the cyber-infrastructure of our modern society and economy. In fact, many new software security vulnerabilities are discovered on a daily basis. Therefore, it is vital to identify and resolve those security issues as early as possible. This research aims to investigate a scientific foundation and a novel methodology for automated detection, prevention, and resolution of prior-known software security vulnerabilities in software systems. The results will help to detect and prevent prior-known security vulnerabilities from recurring in other software systems.
In this research, the key philosophy is that the software systems having the same/similar software security vulnerabilities share the protocols, algorithms, procedures, libraries, frameworks, modules, or source code with the same flaws, and they suffer the same/similar exploitation mechanisms. Based on that, empirical studies are conducted to investigate the nature and the characteristics of recurring software vulnerabilities in different software systems, and to validate that hypothesis. Based on the knowledge gained from the studies, new vulnerability models, representations, and similarity measurements are developed to capture recurring software security vulnerabilities, and the corresponding vulnerable code and exploitation mechanisms. Novel algorithms and techniques are designed to (semi-)automatically build graph-based vulnerability models from vulnerability reports and from vulnerable code and patches, aiming to construct a database of prior-known vulnerabilities. A new methodology is developed to help to identify the prior-known vulnerabilities in other systems and to suggest the resolution. Specifically, the automated methods and advances include 1) an algorithm to compare and match against vulnerability models in the database, 2) a technique to map software concepts between security reports and from a report to the corresponding source code fragments, modules, or components; 3) an algorithm to determine the modules and source file locations in the new system that correspond to the vulnerable modules and locations in a system with a prior-known vulnerability; and 4) a technique to suggest the patch to the new system from the prior fixes. In brief, the results of this research help to resolve early software security vulnerabilities. They will lead to more reliable software because the process of detecting and patching for recurring security vulnerabilities will be more efficient and effective.
