The automated weak code detection tool for the symbolic execution-based vulnerability analysis

Abstract

Software usage is increasing with the recent advancement of information technology which leads to an increased use of open-source software in various fields. However, as the use of open-source software that can be accessed by everyone increases, there might be potential problems regarding the vulnerabilities inherent in the open-source applications. In this study, we examined whether or not there are vulnerabilities in open-source software. To analyze the results, we suggested a technique of extracting the targets and their relevant areas of potentially weak source codes in terms of analyzing the vulnerabilities by means of symbolic execution. The suggested technique is as follows: a tree structure of the classes and methods within the source code of open-source software that is subject to security vulnerability analysis is created, then the DB of the target condition is established by identifying the data types and configuration patterns of the methods and it is examined through the system. If the condition is met, the corresponding method that is subject to vulnerability analysis is automatically extracted. The suggested technique involves the extraction and inspection of the weak source code which may pose high risk, instead of conducting a total inspection of source files. The suggested technique has an advantage in reducing the time of analysis and system load by means of the symbolic execution.