Predicting Vulnerability In Large Codebases With Deep Code Representation

by   Anshul Tanwar, et al.

Currently, while software engineers write code for various modules, quite often, various types of errors - coding, logic, semantic, and others (most of which are not caught by compilation and other tools) get introduced. Some of these bugs might be found in the later stage of testing, and many times it is reported by customers on production code. Companies have to spend many resources, both money and time in finding and fixing the bugs which would have been avoided if coding was done right. Also, concealed flaws in software can lead to security vulnerabilities that potentially allow attackers to compromise systems and applications. Interestingly, same or similar issues/bugs, which were fixed in the past (although in different modules), tend to get introduced in production code again. We developed a novel AI-based system which uses the deep representation of Abstract Syntax Tree (AST) created from the source code and also the active feedback loop to identify and alert the potential bugs that could be caused at the time of development itself i.e. as the developer is writing new code (logic and/or function). This tool integrated with IDE as a plugin would work in the background, point out existing similar functions/code-segments and any associated bugs in those functions. The tool would enable the developer to incorporate suggestions right at the time of development, rather than waiting for UT/QA/customer to raise a defect. We assessed our tool on both open-source code and also on Cisco codebase for C and C++ programing language. Our results confirm that deep representation of source code and the active feedback loop is an assuring approach for predicting security and other vulnerabilities present in the code.


page 1

page 2

page 3


Automated software vulnerability detection with machine learning

Thousands of security vulnerabilities are discovered in production softw...

From Library Portability to Para-rehosting: Natively Executing Microcontroller Software on Commodity Hardware

Finding bugs in microcontroller (MCU) firmware is challenging, even for ...

AnICA: Analyzing Inconsistencies in Microarchitectural Code Analyzers

Microarchitectural code analyzers, i.e., tools that estimate the through...

SiliFuzz: Fuzzing CPUs by proxy

CPUs are becoming more complex with every generation, at both the logica...

Is the OWASP Top 10 list comprehensive enough for writing secure code?

The OWASP Top 10 is a list that is published by the Open Web Application...

How to integrate with real cars – minimizing lead time at Volkswagen

The most successful tech companies of the world release new software ver...

Loop Transformations using Clang's Abstract Syntax Tree

OpenMP 5.1 introduced the first loop nest transformation directives unro...

Please sign up or login with your details

Forgot password? Click here to reset