Research on software security vulnerability detection technology

Such visibility also enables organizations to detect, manage, respond to, and remediate vulnerabilities and cross-platform threats faster.

In this blog post, we share some information about TCC (Transparency, Consent, and Control), discuss previously reported vulnerabilities, and present our own findings. TCC maintains databases that contain the consent history for app requests. Generally, when an app requests access to protected user data, one of two things can happen. Under the hood, there are two kinds of TCC databases.

Each kind maintains only a subset of the request types. Indeed, there are at least two instances of tccd: one run by the user and the other by root. Each type of request starts with a kTCCService prefix. While not an exhaustive list, some examples follow:

It should also be noted that the TCC. The database columns are self-explanatory, save for the csreq column. The csreq values contain a hexadecimal blob that encodes the code signing requirements for the app. These values can be calculated easily with the codesign and csreq utilities, as seen in Figure 4. Given this, should a malicious actor gain full disk access to the TCC databases, they could edit them to grant arbitrary permissions to any app they choose, including their own malicious app.
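As an added example (not code from the original post), the following Python decodes a csreq blob offline so an auditor can read which identifier and anchor a TCC grant is bound to and compare it with the row's client column. It assumes the requirement blob layout from Apple's open-source Security framework (magic 0xfade0c00, total length, kind 1, then a prefix-encoded expression using the opcode numbers of requirement.h); only the common opcodes are handled and anything else raises. The sample blob is constructed to match the requirement `identifier "com.apple.Terminal" and anchor apple`.

```python
import struct

# Constructed sample: csreq blob for `identifier "com.apple.Terminal" and anchor apple`.
SAMPLE_CSREQ_HEX = ("fade0c000000003000000001000000060000000200000012"
                    "636f6d2e6170706c652e5465726d696e616c000000000003")
MAGIC, EXPR_FORM = 0xFADE0C00, 1            # blob magic; kind 1 = expression form
OP_IDENT, OP_APPLE_ANCHOR, OP_AND, OP_OR = 2, 3, 6, 7
OP_NOT, OP_CERT_FIELD, OP_APPLE_GENERIC = 9, 11, 15
MATCH_EXISTS, MATCH_EQUAL = 0, 1

class _Reader:                                # big-endian cursor over the blob
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        self.pos += 4
        return struct.unpack_from(">I", self.data, self.pos - 4)[0]
    def string(self):                         # uint32 length, bytes, pad to 4
        n, start = self.u32(), self.pos
        self.pos += (n + 3) & ~3
        return self.data[start:start + n].decode("utf-8", "replace")

def _expr(r, idents, nested=False):
    op = r.u32()
    if op == OP_IDENT:
        idents.append(r.string())
        return 'identifier "%s"' % idents[-1]
    if op in (OP_APPLE_ANCHOR, OP_APPLE_GENERIC):
        return "anchor apple" + (" generic" if op == OP_APPLE_GENERIC else "")
    if op in (OP_AND, OP_OR):
        a, b = _expr(r, idents, True), _expr(r, idents, True)
        text = "%s %s %s" % (a, "and" if op == OP_AND else "or", b)
        return "(%s)" % text if nested else text
    if op == OP_NOT:
        return "!(%s)" % _expr(r, idents, True)
    if op == OP_CERT_FIELD:                   # [cert index; field name; match]
        idx, field, match = r.u32(), r.string(), r.u32()
        who = {0: "leaf", 0xFFFFFFFF: "root"}.get(idx, str(idx))
        if match == MATCH_EXISTS:
            return "certificate %s[%s] /* exists */" % (who, field)
        if match == MATCH_EQUAL:
            return 'certificate %s[%s] = "%s"' % (who, field, r.string())
    raise ValueError("unsupported opcode %d at offset %d" % (op, r.pos - 4))

def decode_csreq(hex_blob):
    # Returns (requirement text, list of identifiers the requirement pins).
    r = _Reader(bytes.fromhex(hex_blob))
    magic, length, kind = r.u32(), r.u32(), r.u32()
    if magic != MAGIC or length != len(r.data) or kind != EXPR_FORM:
        raise ValueError("not a code signing requirement blob")
    idents = []
    return _expr(r, idents), idents
```

A grant whose decoded identifiers do not include the row's client bundle id is worth a closer look, since the requirement then does not pin the app it grants.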

The affected user would also not be prompted to allow or deny these permissions, so the app would run with a configuration the user may not have known about or consented to. Previously, apps could access the TCC databases directly to view and even modify their contents. Given the risk of bypass mentioned earlier, Apple made two changes. First, Apple protected the system-wide TCC. Note, though, that this policy was also subsequently abused, as some apps required such access to function properly (for example, the SSH daemon, sshd).

In addition, several vulnerabilities related to TCC bypass have previously been reported. These include the following: Apple has since patched these vulnerabilities. However, based on our research, the potential bypass to TCC.

The following section discusses the vulnerability we discovered and some details about the PoC exploits we developed to prove it. In assessing the previous TCC vulnerabilities, we evaluated how Apple fixed each issue. Then, tccd extracts the pwdir member from it. While the solution indeed prevents an attack by environment variable poisoning, it does not protect against the core issue.

Software Vulnerability Detection Using Deep Neural Networks: A Survey

Abstract: The constantly increasing number of disclosed security vulnerabilities has become an important concern in the software industry and in the field of cybersecurity, suggesting that current approaches to vulnerability detection demand further improvement.

The boom of the open-source software community has made vast amounts of software code available, which allows machine learning and data mining techniques to exploit the abundant patterns within that code. In particular, the recent breakthrough application of deep learning to speech recognition and machine translation has demonstrated the great potential of neural models for understanding natural languages.

Literature [47] proposes a new defect prediction model, CAP-CNN, which automatically embeds code comments to generate semantic features of source code for software defect prediction. The model encodes and absorbs comment information while generating semantic features during training, effectively overcoming the problem of missing comments in the program. Experimental results on several widely used software datasets show that comment features can improve defect prediction performance.

Existing defect prediction models are mostly limited to source code, but the files available in practice are usually binary executables. Because of software copyright and source code protection restrictions, it is difficult for the defect prediction research community and third-party security companies to obtain source code.

Literature [55] proposed the smali2vec method to capture the features of smali code in APKs and train deep neural networks on them. The model focuses on fine-tuning three parameters, the number of hidden layers, the number of neurons in each hidden layer, and the number of iterations, to train an effective DNN for predicting defects in APKs. Compared with within-project defect prediction, research on cross-project defect prediction based on deep learning is still scarce, and cross-project research should be pursued further in future work.

In practice, it is difficult to act on error-proneness recommendations given for a whole software system; developers introduced just-in-time defect prediction to address this problem. In just-in-time defect prediction, modules that are prone to failure can be identified at an early stage and fed back to developers for changes and repairs.

At present, just-in-time defect prediction is carried out at the code-change level; this fine-grained analysis enables developers to solve problems encountered during software development more efficiently. Literature [56] was the first to apply deep learning to just-in-time defect prediction, using a Deep Belief Network consisting of three restricted Boltzmann machines and a logistic regression classifier to build a deeper model that learns more expressive features.

The performance of the model is evaluated through ten-fold cross-validation, and its cost effectiveness and F1-score are far better than those of the previous method. Unlike literature [56], literature [57] uses three fully connected backpropagation (BP) neural networks to construct a regression model rather than a classifier.

In addition, the Neural Network Regression (NNR) method uses ten numerical metrics of code changes and feeds them to a neural network whose output indicates how likely it is that the code change under test contains bugs. The article gives little explanation of how the model's feature parameter values were selected; it mainly describes how to select the best model using cross-validation.

Given fixed inspection resources, effort-aware just-in-time defect prediction identifies defects more efficiently. Literature [58] proposes a novel method, TLEL, which uses decision trees and ensemble learning to improve the performance of just-in-time defect prediction. In the inner layer, decision trees and bagging are combined to construct a random forest model.

In the outer layer, random undersampling is used to train many different random forest models, which are then combined by stacking. The article presents the effect of varying the two parameters NTree and NLearner on the performance of TLEL on six datasets, and uses ten-fold cross-validation to evaluate TLEL on two metrics, cost effectiveness and F1-score. Just-in-time defect prediction can identify failure-prone modules at an early stage and feed them back to developers for changes and repairs; its fine-grained analysis enables developers to solve problems encountered during software development more effectively.

Defect prediction asks whether the current software program contains defective code, which can, to a certain extent, be regarded as a binary classification problem.

In the fields of NLP and image processing, various CNN models perform well in classification tasks, and their application to just-in-time defect prediction should be pursued in future research. It is essential to ensure software reliability throughout the life cycle from development to deployment, and applying deep learning there accelerates the software development cycle and saves manpower and time.

However, as software technology continues to develop, it is difficult for existing techniques to analyse and process the growing number of security issues in a unified manner, so applying deep learning in software security still faces some challenges. As shown in Table 7, several such challenges remain. The selected features play an important role in neural network training: the higher their quality, the better the training result.

In vulnerability detection, token-, tree-, or graph-based methods are usually used to abstract the program source code, and then feature mapping and vector transformation techniques generate word vectors that serve as the input to the deep learning model.

Current mainstream methods analyse source code, so program behavior cannot be tracked effectively during feature selection, which limits model performance to a certain extent. Analysing binary code gives a better understanding of program behavior, which helps the constructed model locate vulnerabilities more precisely. Therefore, it is necessary to explore binary-oriented deep learning vulnerability detection techniques.

Deep learning models were initially used mainly in computer vision and image processing; their application to software security research is still in its infancy, and how to use their powerful learning capabilities to address software security issues urgently needs to be resolved. Different deep learning models have different learning capabilities on the same data, and how to select a suitable model to learn from feature data requires further exploration.

Model training requires a lot of data, which current research obtains from open source projects. Data from open source and closed source projects differ, so a model trained on open source projects may not be applicable to closed source ones. In addition, the data used for model training often suffers from class imbalance, which further limits the performance of many models.

Traditional vulnerability detection requires human experts to define features manually, which is tedious and time-consuming, and often faces the risk of high false positive and false negative rates.

Deep learning handles natural language tasks well, and program code can be regarded as text data to a certain extent, so the processing methods and evaluation metrics used for text data can be borrowed to improve the performance of existing methods on such tasks.

Many feature parameter values in current techniques are chosen based on experience, and their rationality has not been verified. For different tasks, setting the same value for the corresponding feature parameters of the same network model may have different effects.

In software system development, improving software quality and security is the common goal of software developers. Traditional detection methods require domain experts to spend a lot of time and effort on feature engineering, so it is vital to combine deep learning with program analysis to assist software security research and further promote the development of automated detection techniques.

This article introduces in detail the latest research progress of deep learning in software vulnerability detection, software program repair, and software defect prediction, and expounds and discusses the existing shortcomings. Judging from the development trend of automation in the software security field in recent years, deep learning will play an increasingly important role in software security automation research in the future.

For the majority of researchers, deep learning technology is a historical opportunity that will promote an innovation in software engineering technology research.

This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Academic Editor: Luigi Coppolino. Received 19 Jun; Revised 13 Aug; Accepted 11 Sep; Published 30 Sep.

Abstract: Open source software has been widely used in various industries due to its openness and flexibility, but it also brings potential software security problems.

Introduction. With the rapid development of information technology, software plays an important role in many aspects of life all over the world, such as the economy, the military, and society.

Figure 1.
Table 1. Summary of deep learning technologies on automatic vulnerability detection, automatic program patching, and automatic defect prediction.

Table 2. Feature parameters selected by deep learning techniques for software vulnerability detection, program repair, and defect prediction.

Table 3. Technical characteristics of grammar-based clone detection.
Table 4. Technical characteristics of semantic-based clone detection.
Figure 2. Principle of code static analysis and neural network training.

Table 5. Technical characteristics of deep learning in static code vulnerability detection.
Table 6. Technical characteristics of within-project defect prediction methods.

Table 7. Opportunities and challenges for deep learning applied to software security research.
Challenge: Tool review. Opportunity: automatic feedback from the deep learning model.
Challenge: Feature extraction. Opportunities: combined tree and graph models; semantic feature learning; fine-grained program feature representation.
Challenge: High false negatives and false positives. Opportunity: DL combined with static and dynamic program analysis.
Challenge: Dataset. Opportunity: establish an open source unified dataset standard library.
Challenge: Cross-project vulnerability detection. Opportunity: transfer learning.
Challenge: Code metrics. Opportunity: new code attributes.
