Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
7-2022
Abstract
Modern software engineering projects often depend on open-source software libraries, rendering them vulnerable to potential security issues in these libraries. Developers of client projects have to stay alert to security threats in the software dependencies. While there are existing tools that allow developers to assess if a library vulnerability is reachable from a project, they face limitations. Call graph-only approaches may produce false alarms as the client project may not use the vulnerable code in a way that triggers the vulnerability, while test generation-based approaches face difficulties in overcoming the intrinsic complexity of exploiting a vulnerability, where extensive domain knowledge may be required to produce a vulnerability-triggering input. In this work, we propose a new framework named Test Mimicry, that constructs a test case for a client project that exploits a vulnerability in its library dependencies. Given a test case in a software library that reveals a vulnerability, our approach captures the program state associated with the vulnerability. Then, it guides test generation to construct a test case for the client program to invoke the library such that it reaches the same program state as the library’s test case. Our framework is implemented in a tool, Transfer, which uses search-based test generation. Based on the library’s test case, we produce search goals that represent the program state triggering the vulnerability. Our empirical evaluation on 22 real library vulnerabilities and 64 client programs shows that Transfer outperforms an existing approach, Siege; Transfer generates 4x more test cases that demonstrate the exploitability of vulnerabilities from client projects than Siege.
Keywords
Library vulnerabilities, Search-based test generation
Discipline
Artificial Intelligence and Robotics | Databases and Information Systems | Information Security | Software Engineering
Research Areas
Data Science and Engineering; Cybersecurity; Intelligent Systems and Optimization
Publication
ISSTA '22: 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, July 18-22
First Page
276
Last Page
288
ISBN
9781450393799
Identifier
10.1145/3533767.3534398
Publisher
Association for Computing Machinery
City or Country
Pittsburgh, PA
Citation
KANG, Hong Jin; NGUYEN, Truong Giang; LE, Bach; PASAREANU, Corina S.; and LO, David.
Test mimicry to assess the exploitability of library vulnerabilities. (2022). ISSTA '22: 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual Event, July 18-22. 276-288.
Available at: https://ink.library.smu.edu.sg/sis_research/7626
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3533767.3534398
Included in
Artificial Intelligence and Robotics Commons, Databases and Information Systems Commons, Information Security Commons, Software Engineering Commons