Towards semi-automated detection of trigger-based behavior for software security assurance

Dorottya Papp, L. Buttyán, Zhendong Ma

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

A program exhibits trigger-based behavior if it performs undocumented, often malicious, functions when the environmental conditions and/or specific input values match some pre-specified criteria. Checking whether such hidden functions exist in the program is important for increasing trustworthiness of software. In this paper, we propose a framework to effectively detect trigger-based behavior at the source code level. Our approach is semi-automated: We use automated source code instrumentation and mixed concrete and symbolic execution to generate potentially suspicious test cases that may trigger hidden, potentially malicious functions. The test cases must be investigated by a human analyst manually to decide which of them are real triggers. While our approach is not fully automated, it greatly reduces manual work by allowing analysts to focus on a few test cases found by our automated tools.

Original language: English
Title of host publication: ARES 2017 - Proceedings of the 12th International Conference on Availability, Reliability and Security
Publisher: Association for Computing Machinery
Volume: Part F130521
ISBN (Electronic): 9781450352574
DOI: https://doi.org/10.1145/3098954.3105821
Publication status: Published - Aug 29 2017
Event: 12th International Conference on Availability, Reliability and Security, ARES 2017 - Reggio Calabria, Italy
Duration: Aug 29 2017 to Sep 1 2017

Other

Other: 12th International Conference on Availability, Reliability and Security, ARES 2017
Country: Italy
City: Reggio Calabria
Period: 8/29/17 to 9/1/17

Keywords

  • Mixed concrete and symbolic execution
  • Software security
  • Source code analysis
  • Static analysis
  • Trigger-based behavior

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

Cite this

Papp, D., Buttyán, L., & Ma, Z. (2017). Towards semi-automated detection of trigger-based behavior for software security assurance. In ARES 2017 - Proceedings of the 12th International Conference on Availability, Reliability and Security (Vol. Part F130521). [a64] Association for Computing Machinery. https://doi.org/10.1145/3098954.3105821

@inproceedings{b5b9af9bdbd946929d1ca5e938064378,
title = "Towards semi-automated detection of trigger-based behavior for software security assurance",
abstract = "A program exhibits trigger-based behavior if it performs undocumented, often malicious, functions when the environmental conditions and/or specific input values match some pre-specified criteria. Checking whether such hidden functions exist in the program is important for increasing trustworthiness of software. In this paper, we propose a framework to effectively detect trigger-based behavior at the source code level. Our approach is semi-automated: We use automated source code instrumentation and mixed concrete and symbolic execution to generate potentially suspicious test cases that may trigger hidden, potentially malicious functions. The test cases must be investigated by a human analyst manually to decide which of them are real triggers. While our approach is not fully automated, it greatly reduces manual work by allowing analysts to focus on a few test cases found by our automated tools.",
keywords = "Mixed concrete and symbolic execution, Software security, Source code analysis, Static analysis, Trigger-based behavior",
author = "Dorottya Papp and L. Butty{\'a}n and Zhendong Ma",
year = "2017",
month = "8",
day = "29",
doi = "10.1145/3098954.3105821",
language = "English",
volume = "Part F130521",
booktitle = "ARES 2017 - Proceedings of the 12th International Conference on Availability, Reliability and Security",
publisher = "Association for Computing Machinery",

}

TY - GEN

T1 - Towards semi-automated detection of trigger-based behavior for software security assurance

AU - Papp, Dorottya

AU - Buttyán, L.

AU - Ma, Zhendong

PY - 2017/8/29

Y1 - 2017/8/29

N2 - A program exhibits trigger-based behavior if it performs undocumented, often malicious, functions when the environmental conditions and/or specific input values match some pre-specified criteria. Checking whether such hidden functions exist in the program is important for increasing trustworthiness of software. In this paper, we propose a framework to effectively detect trigger-based behavior at the source code level. Our approach is semi-automated: We use automated source code instrumentation and mixed concrete and symbolic execution to generate potentially suspicious test cases that may trigger hidden, potentially malicious functions. The test cases must be investigated by a human analyst manually to decide which of them are real triggers. While our approach is not fully automated, it greatly reduces manual work by allowing analysts to focus on a few test cases found by our automated tools.

KW - Mixed concrete and symbolic execution

KW - Software security

KW - Source code analysis

KW - Static analysis

KW - Trigger-based behavior

UR - http://www.scopus.com/inward/record.url?scp=85030308920&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85030308920&partnerID=8YFLogxK

U2 - 10.1145/3098954.3105821

DO - 10.1145/3098954.3105821

M3 - Conference contribution

VL - Part F130521

BT - ARES 2017 - Proceedings of the 12th International Conference on Availability, Reliability and Security

PB - Association for Computing Machinery

ER -