VDiscover

VDiscover is a tool designed to train a vulnerability detection predictor. Given a vulnerability discovery procedure and a large enough number of training testcases, it extracts lightweight features to predict which testcases are potentially vulnerable. This repository contains an improved version of a proof-of-concept used to show experimental results in our technical report (available here).

Use cases

VDiscover aims to be used when there is a large amount of testcases to analyze using a costly vulnerability detection procedure. It can be trained to provide a quick prioritization of testcases. The extraction of features to perform a prediction is designed to be scalable. Nevertheless, this implementation is not particularly optimized so it should easy to improve the performance of it.

Requirements

• Python 2.7
• binutils
• python-ptrace
• scikit-learn for training/testing
• matplotlib for visualization (very experimental, optional)
• keras for convolutional clustering (very experimental, optional)

Trace extraction is working only in x86 (x86_64 support should be simple to extend and it is planned)

Quickstart

Before starting, it is recommended to manually install binutils, scikit-learn and setuptools (to perform a local installation). For instance, in Ubuntu/Debian:

# apt-get install python-numpy python-matplotlib python-setup python-scipy

Then we can execute:

git clone https://github.com/CIFASIS/VDiscover.git
cd VDiscover
python setup.py install --user

By default, the local installation of the command line utilities of VDiscover is performed inside ~/.local/bin, so it is recommended to add this directory into the PATH variable. Our tool is composed by two main components:

• fextractor: to extract dynamic and static features from test cases.
• vpredictor: to train a new vulnerability prediction model or predict using a previously trained one. It can be used to cluster and visualize a set of test cases.

Some examples of testcases of very popular programs (grep, gzip, bc, ..) can be found in examples/testcases. For example, to extract raw dynamic features from an execution of bc:

fextractor --dynamic bc 

And the resulted extracted features are:

/usr/bin/bc	isatty:0=Num32B0 isatty:0=Num32B8 setvbuf:0=Ptr32 setvbuf:1=NPtr32 setvbuf:2=Num32B8 setvbuf:3=Num32B0 ...

This raw data can be used to train a new vulnerability prediction model or predict using a previously trained one. Additionally, more detailed (but outdated) documentation is available here.

License

GPL3