Software vulnerabilities have long been considered an important threat to system safety, and their number is growing rapidly every year.
In theory, detecting and removing vulnerabilities before the code is ever deployed can greatly improve the quality of released software. However, because of the enormous amount of code being developed and the shortage of human resources and expertise, severe vulnerabilities still remain concealed or cannot be revealed effectively.
Current source code auditing approaches for vulnerability discovery either generate too many false positives or require overwhelming manual effort to report actual software flaws. While dynamic execution analysis methods can precisely report vulnerabilities, they are ineffective at path exploration, which prevents them from scaling to large programs. To detect vulnerabilities in a scalable, automated and more precise way, in this paper we propose a novel mechanism, called software vulnerability discovery using Code Clone Verification (CLORIFI), which scalably discovers vulnerabilities in real-world programs using code clone verification.
CLORIFI uses a fast and scalable syntax-based method to find code clones in program source code as vulnerability candidates, using released security patches as the search templates. The program source code is then instrumented with CIL for vulnerability verification. Finally, the code clones are verified using concolic testing, which confirms and reports the existence of an actual vulnerability. Experiments have been conducted with real-world open-source projects (recent Linux OS distributions and program packages). As a result, we found 7 real vulnerabilities out of 63 code clones from Ubuntu 14.04 LTS (Canonical, London, UK) and 10 vulnerabilities out of 40 code clones from CentOS 7.0 (The CentOS Project (community contributed)). In addition, we performed experiments with nearly 4000 test cases from the Juliet Test Suite. The results show that our system can verify over 90% of the test cases and that it reports buffer overflow flaws with Precision = 100% (0 FP) and Recall = 94.91%. Furthermore, experiments with other types of vulnerability test cases in the Juliet Test Suite indicate that the mechanism can be extended to cover more types of vulnerabilities.
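The following is an added illustration of the first stage described above, a syntax-based search for clone candidates driven by a security patch; it is not the paper's code and does not implement the CIL instrumentation or concolic verification stages. The patch, the target files, and the token normalization scheme (identifiers and numeric literals abstracted, punctuation kept, one context line on each side of the removed lines) are all constructed assumptions for the example.

```python
import re

# Constructed unified diff of a hypothetical security patch. The '-' line is the
# vulnerable pre-patch code (unchecked length copied into a fixed buffer); the
# '+' lines are the fix. This is not a real patch from any project.
SAMPLE_PATCH = """\
--- a/net/parse.c
+++ b/net/parse.c
@@ -10,6 +10,9 @@
 int handle(const char *src, int len) {
     char buf[64];
-    memcpy(buf, src, len);
+    if (len > sizeof(buf))
+        return -1;
+    memcpy(buf, src, len);
     return process(buf);
 }
"""

# Constructed target sources. cloned.c repeats the vulnerable shape with renamed
# identifiers; safe.c already bounds the length; benign.c has the same syntactic
# shape but copies a constant that fits, so it is a candidate that verification
# (the paper's concolic stage) would have to reject.
TARGET_FILES = {
    "cloned.c": """\
static int rx_frame(const unsigned char *pkt, unsigned int n) {
    char frame[128];
    memcpy(frame, pkt, n);
    return decode(frame);
}
""",
    "safe.c": """\
static int rx_frame(const unsigned char *pkt, unsigned int n) {
    char frame[128];
    if (n > sizeof(frame))
        return -EINVAL;
    memcpy(frame, pkt, n);
    return decode(frame);
}
""",
    "benign.c": """\
#define HDR_LEN 16
int copy_header(const char *hdr) {
    char out[32];
    memcpy(out, hdr, HDR_LEN);
    return check(out);
}
""",
}

TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_]\w*|\d+|\S')


def normalize(line):
    """Abstract one source line to a token shape: identifiers (and keywords)
    become ID, integer literals LIT, string literals STR; punctuation is kept.
    Line comments are dropped (a simplification: '//' inside a string would be
    mistaken for a comment)."""
    line = re.sub(r"//.*", "", line)
    out = []
    for tok in TOKEN_RE.findall(line):
        if tok.startswith('"'):
            out.append("STR")
        elif tok.isdigit():
            out.append("LIT")
        elif re.fullmatch(r"[A-Za-z_]\w*", tok):
            out.append("ID")
        else:
            out.append(tok)
    return " ".join(out)


def signature_from_patch(patch, context=1):
    """Build the clone signature: the normalized pre-patch lines ('-' lines plus
    unchanged context) within `context` lines of a removed line."""
    old = []  # (is_removed, normalized_line) for the pre-patch side of the hunks
    in_hunk = False
    for raw in patch.splitlines():
        if raw.startswith("@@"):
            in_hunk = True
            continue
        if not in_hunk or raw.startswith(("--- ", "+++ ", "diff ")):
            continue
        kind, text = raw[:1], raw[1:]
        if kind == "+":
            continue  # post-patch only; not part of the vulnerable shape
        norm = normalize(text)
        if norm:
            old.append((kind == "-", norm))
    removed = [i for i, (is_removed, _) in enumerate(old) if is_removed]
    keep = [i for i in range(len(old)) if any(abs(i - j) <= context for j in removed)]
    return [old[i][1] for i in keep]


def find_clone_candidates(signature, files):
    """Slide the signature over each file's normalized, non-blank lines and
    return (filename, starting line number) for every exact match."""
    hits = []
    n = len(signature)
    for name, src in files.items():
        lines = [(no + 1, normalize(text)) for no, text in enumerate(src.splitlines())]
        lines = [(no, norm) for no, norm in lines if norm]
        for k in range(len(lines) - n + 1):
            if [norm for _, norm in lines[k:k + n]] == signature:
                hits.append((name, lines[k][0]))
    return hits


if __name__ == "__main__":
    sig = signature_from_patch(SAMPLE_PATCH)
    for name, lineno in find_clone_candidates(sig, TARGET_FILES):
        print(f"candidate clone: {name}:{lineno}")
```

Running it flags cloned.c and benign.c but not safe.c. The benign.c hit is the point of the paper's second and third stages: syntactic matching is cheap and scales across a whole distribution, but it cannot tell that HDR_LEN fits in the destination buffer, so every candidate still needs an execution-based check before it is reported as a vulnerability.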