Comparative Code Graphs Analysis

Questions and Answers

How much more relevant CVEs were gathered for the applications Libtiff and Freetype compared to prior works?

50%

81%

75%

102% (correct)

What percentage increase in overall CVEs does the new data set represent?

20%

29% (correct)

50%

40%

What were the main sources of application and vulnerability data used?

Github and NVD (correct)

Social media and online forums

Corporate networks and log files

Academic journals and internal databases

What is one of the main challenges in gathering CVE data?

Not all patches are well maintained and require cross-referencing.

How were success and effectiveness against challenges assessed?

Using reference patches from challenge creators

What notable filtering process was performed on the patch commits?

Manually filtering irrelevant changes from the commits

What method was used to evaluate popular ML techniques?

Resampling

What is noted as a characteristic of the real-world applications used in the DARPA CHESS challenge?

They were exclusively developed in-house.

What does the reference titled 'WYSINWYX: What you see is not what you EXecute' primarily address?

The discrepancies between program visualization and execution.

Which reference focuses on the automatic generation of high-coverage tests?

KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs.

The 2014 paper by Avgerinos et al. discusses what aspect of cybersecurity?

Automatic exploit generation capabilities.

Which of the following references deals with vulnerability detection in binary code?

VYPER: Vulnerability detection in binary code.

What is the main contribution of 'Demand-driven compositional symbolic execution'?

A method for symbolic execution that is demand-driven.

What do CDCPGs represent in terms of code entities?

The same code entity across different semantic domains.

What is a consequence of exhaustively linking CPGs from two semantic domains?

Path explosion problem exacerbation.

What does the Binary Analysis Platform (BAP) primarily provide?

A platform for the static analysis of binary executables.

How does RANSAQ approach the building of cross-domain portions of the CDCPG?

Lazily generating subgraphs based on VS estimates.

What major vulnerability did Google address by rebuilding a core part of Android?

Stagefright vulnerability.

What approach does the paper 'Learning to rank: From pairwise approach to listwise approach' discuss?

A new methodology in ranking algorithms for machine learning.

What triggers the binary symbolic analysis in RANSAQ?

Discovery of a high-risk point of interest.

What strategy does RANSAQ borrow from past research?

Bottom-up analysis in call graphs.

Which vulnerability class is used to narrow the function subset in analysis?

Dynamic allocations that could lead to buffer overflows.

What is meant by 'path exploration' in the context of RANSAQ?

Leveraging intra-procedural and inter-procedural graph analysis.

What is the problem identified with the statement 'if (sz > SIZE_MAX)' in Listing 1.4?

It represents an incorrect bounds check.

What is the purpose of the unique ID associated with each POI in the RANSAQ user interface?

To help track delegated POIs for review team members.

Which vulnerability is associated with the highest CVSS score in the RANSAQ analysis?

Stack-based buffer overflow in TinTin++.

How does RANSAQ determine the code complexity score?

Using the VS metrics along with various weights and additional features.

What specific type of vulnerability was identified in Sudo 1.9.5?

Heap-based buffer overflow.

Why are the vulnerabilities mentioned in RANSAQ challenging to identify?

They exist within massive code bases that include multiple function interactions.

Which component is referenced in relation to the CVE of the Sudo vulnerability?

sudoers subcomponent.

What does clicking on a POI in the RANSAQ user interface reveal?

The function name, line number, and code snippet.

What is the significance of the CVSS score in relation to reported vulnerabilities?

It indicates the potential risk level of the vulnerability.

What is the focus of the study by Shin and Williams in 2013?

Exploring the potential of traditional fault prediction models for vulnerability prediction

Which paper introduces a new approach to computer security through binary analysis?

The research conducted by Song et al. on BitBlaze

What does the Stackshield tool aim to protect against?

Stack smashing vulnerabilities

What is a major theme discussed by Walden et al. in their 2014 paper?

The comparison between software metrics and text mining in predicting vulnerabilities

Which research work presents an effort-aware perspective on predicting vulnerable components?

Tang et al.'s study

What is the primary purpose of the Angr tool described by Wang and Shoshitaishvili in 2017?

To provide static and dynamic binary analysis

According to the research by Shin and Williams on execution complexity metrics, what do these metrics indicate?

Potential software vulnerabilities

What does the research by Trockman et al. emphasize about code understandability?

Combined metrics provide a better understanding

Study Notes

CDCPG and Path Explosion

• CDCPGs introduce relational edges linking distinct nodes or edges across different semantic domains, indicating they represent the same code entity.
• Some entities lack a source or binary counterpart, complicating the relational edge sets.
• Path explosion can occur when linking CPGs exhaustively from two domains, potentially hindering performance.
• RANSAQ employs a lazy approach to build cross-domain portions of the CDCPG, using Vulnerability Score (VS) estimates to guide subgraph generation.
• Binary symbolic analysis targets high-risk Points of Interest (POIs) identified during source analysis.

Path Exploration Strategy

• Evaluation combines intra-procedural and inter-procedural graph analysis methodologies.
• An updated dataset yielded 102% more relevant CVEs and 81% more related functions when comparing Libtiff and Freetype apps with previous studies.
• Overall, the dataset contains 80% more CVEs per application and 29% more CVEs in total.
• Gathering CVE-related data from diverse open sources, including GitHub and NVD, proves resource-intensive and time-consuming.
• Manual filtering of irrelevant changes from patch commits enhances precision in vulnerability databases.

Real-World Applications and Challenges

• The DARPA CHESS challenge used real-world apps with intentional vulnerabilities for assessment via reference patches.
• Each application assessed includes known CVEs without using CVE data in query templates or ranking model training.
• Evaluation relies on marked ground truth data linking known CVEs to patched source lines.

RANSAQ User Interface

• RANSAQ presents findings through an interactive web interface, ranking POIs based on their VS.
• Each POI includes CWE classification, vulnerability description, source file name, and a unique identification number.
• Detailed views for each POI display function names, line numbers, code snippets, and complexity scores influenced by various metrics.
• Example vulnerabilities identified include a stack-based buffer overflow (CVE-2008-0671) in TinTin++ with a CVSS score of 10.0 and a heap-based buffer overflow (CVE-2021-3156) in Sudo with a score of 7.8.
• Both vulnerabilities exist within large codebases, showcasing the effectiveness of RANSAQ in highlighting POIs for code reviews.

Description

This quiz explores the concept of Code Property Graphs (CPGs) and their relational edges, highlighting how they represent code entities across different semantic domains. Understand the implications of path explosion in linking CPGs and the challenges associated with binary entities. Test your knowledge on the intricacies of CPGs and their applications in code analysis.