| 論文名稱 | LAVA: Large-Scale Automated Vulnerability Addition |
| 簡報日期 | 2017/9/? |
| 報告者 | 原定江聖譯 |
| 論文網址 | http://ieeexplore.ieee.org/document/7546500/ |
| 簡報檔案 | |
| 引用 | @inproceedings{dolan2016lava, title={Lava: Large-scale automated vulnerability addition}, author={Dolan-Gavitt, Brendan and Hulin, Patrick and Kirda, Engin and Leek, Tim and Mambretti, Andrea and Robertson, Wil and Ulrich, Frederick and Whelan, Ryan}, booktitle={Security and Privacy (SP), 2016 IEEE Symposium on}, pages={110–121}, year={2016}, organization={IEEE} } |
| 摘要 | Work on automating vulnerability discovery has long been hampered by a shortage of ground-truth corpora with which to evaluate tools and techniques. This lack of ground truth prevents authors and users of tools alike from being able to measure such fundamental quantities as miss and false alarm rates. In this paper, we present LAVA, a novel dynamic taint analysis-based technique for producing ground-truth corpora by quickly and automatically injecting large numbers of realistic bugs into program source code. Every LAVA bug is accompanied by an input that triggers it whereas normal inputs are extremely unlikely to do so. These vulnerabilities are synthetic but, we argue, still realistic, in the sense that they are embedded deep within programs and are triggered by real inputs. Using LAVA, we have injected thousands of bugs into eight real-world programs, including bash, tshark, and the GNU coreutils. In a preliminary evaluation, we found that a prominent fuzzer and a symbolic execution-based bug finder were able to locate some but not all LAVA-injected bugs, and that interesting patterns and pathologies were already apparent in their performance. Our work forms the basis of an approach for generating large ground-truth vulnerability corpora on demand, enabling rigorous tool evaluation and providing a high-quality target for tool developers. |
