CCS2022
TRACER: Signature-based Static Analysis for Detecting Recurring Vulnerabilities
Wooseok Kang, Byoungho Son, Kihong Heo
23 citations
Abstract
Similar software vulnerabilities recur because developers reuse existing vulnerable code, or make similar mistakes when implementing the same logic. Recently, various analysis techniques have been proposed to find syntactically recurring vulnerabilities introduced via code reuse. However, limited attention has been devoted to semantically recurring ones, which share the same vulnerable behavior in different code structures. In this paper, we present a general analysis framework, called Tracer, for detecting such recurring vulnerabilities. The main idea is to represent vulnerability signatures as traces over interprocedural data dependencies. Tracer is based on a taint analysis that can detect various types of vulnerabilities. For a given set of known vulnerabilities, the taint analysis extracts vulnerable traces and establishes a signature database of them. When a new, unseen program is analyzed, Tracer compares all potentially vulnerable traces reported by the analysis with the known vulnerability signatures. Tracer then reports a list of potential vulnerabilities ranked by similarity score. We evaluate Tracer on 273 Debian packages in C/C++. Our experimental results demonstrate that Tracer is able to find 112 previously unknown vulnerabilities, with 6 CVE identifiers assigned.
CCS CONCEPTS
• Security and privacy → Software security engineering.
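The workflow the abstract describes (extract source-to-sink traces, store known ones as signatures, score each new alarm against the database and rank) can be illustrated with a small model. The following is an added example, not code from the Tracer project: the node alphabet, the CVE placeholders, the sample traces and the Jaccard-over-features similarity metric are all assumptions made for this illustration, not the paper's actual representation or score.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A trace is the ordered list of abstract operations along an interprocedural
# data-dependency path from a taint source to a sink. The node labels below
# are constructed for this example, not Tracer's real alphabet.
Trace = Tuple[str, ...]

@dataclass(frozen=True)
class Signature:
    cve: str      # placeholder identifier, constructed for the example
    trace: Trace

def trace_features(trace: Trace) -> Set[str]:
    """Abstract a trace into structure-independent features: every node plus
    every adjacent (def -> use) pair, so the same flow written with a
    different code shape (extra calls, inlined helpers) still overlaps."""
    feats = set(trace)
    feats |= {f"{a}->{b}" for a, b in zip(trace, trace[1:])}
    return feats

def similarity(a: Trace, b: Trace) -> float:
    """Jaccard similarity of trace features (assumed metric, not the paper's)."""
    fa, fb = trace_features(a), trace_features(b)
    return len(fa & fb) / len(fa | fb) if (fa | fb) else 0.0

def rank_alarms(alarms: Dict[str, Trace], db: List[Signature]) -> List[Tuple[str, str, float]]:
    """For each candidate trace from the taint analysis, keep the best-matching
    known signature and rank alarms by that score, highest first."""
    ranked = []
    for name, trace in alarms.items():
        best = max(db, key=lambda s: similarity(trace, s.trace))
        ranked.append((name, best.cve, similarity(trace, best.trace)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked

# Constructed signature database: a size-computation-to-heap-copy flow and a
# user-controlled format-string flow.
SIGNATURES = [
    Signature("CVE-PLACEHOLDER-1", ("src:fread", "arith:mul", "call:malloc", "sink:memcpy")),
    Signature("CVE-PLACEHOLDER-2", ("src:argv", "call:strcpy", "sink:printf_fmt")),
]

# Constructed alarms from a "new" program: a semantically recurring variant
# (same flow with an extra byte-order call), a partially matching flow, and a
# near-identical copy.
ALARMS = {
    "pkg_a:parse_hdr": ("src:fread", "call:ntohl", "arith:mul", "call:malloc", "sink:memcpy"),
    "pkg_b:log_msg":   ("src:getenv", "call:strcpy", "sink:printf_fmt"),
    "pkg_c:read_img":  ("src:fread", "arith:mul", "call:malloc", "sink:memcpy"),
}
```

Calling `rank_alarms(ALARMS, SIGNATURES)` puts the verbatim copy first, the structurally different but semantically equivalent variant second, and the partial match last, which is the ranking behaviour the abstract describes.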