DeepAI AI Chat
Log In Sign Up

Verifying Security Vulnerabilities in Large Software Systems using Multi-Core k-Induction

by   Thales Silva, et al.

Computer-based systems have been used to solve several domain problems, such as industrial, military, education, and wearable. Those systems need high-quality software to guarantee security and safety. We advocate that Bounded Model Checking (BMC) techniques can detect security vulnerabilities in the early stages of development processes. However, this technique struggles to scale up and verify large software commonly found on computer-based systems. Here, we develop and evaluate a pragmatic approach to verify large software systems using a state-of-the-art bounded model checker. In particular, we pre-process the input source-code files and then guide the model checker to explore the code systematically. We also present a multi-core implementation of the k-induction proof algorithm to verify and falsify large software systems iteratively. Our experimental results using the Efficient SMT-based Model Checker (ESBMC) show that our approach can guide ESBMC to efficiently verify large software systems. We evaluate our approach using the PuTTY application to verify 136 files and 2803 functions in less than 86 minutes, and the SlimGuard allocator, where we have found real security vulnerabilities confirmed by the developers. We conclude that our approach can successfully guide a bounded model checker to verify large software systems systematically.


Model Checking C++ Programs

In the last three decades, memory safety issues in system programming la...

Verifying Software Vulnerabilities in IoT Cryptographic Protocols

Internet of Things (IoT) is a system that consists of a large number of ...

Is Secure Coding Education in the Industry Needed? An Investigation Through a Large Scale Survey

The Department of Homeland Security in the United States estimates that ...

Cost-aware Vulnerability Prediction: the HARMLESS Approach

Society needs more secure software. But predicting vulnerabilities is di...

ESBMC-Jimple: Verifying Kotlin Programs via Jimple Intermediate Representation

In this work, we describe and evaluate the first model checker for verif...

EBF: A Hybrid Verification Tool for Finding Software Vulnerabilities in IoT Cryptographic Protocols

Internet of Things (IoT) consists of a large number of smart devices con...

FuSeBMC: A White-Box Fuzzer for Finding Security Vulnerabilities in C Programs

We describe and evaluate a novel white-box fuzzer for C programs named F...