DeepAI AI Chat
Log In Sign Up

Verifying Security Vulnerabilities in Large Software Systems using Multi-Core k-Induction

02/04/2021
by   Thales Silva, et al.
0

Computer-based systems have been used to solve several domain problems, such as industrial, military, education, and wearable. Those systems need high-quality software to guarantee security and safety. We advocate that Bounded Model Checking (BMC) techniques can detect security vulnerabilities in the early stages of development processes. However, this technique struggles to scale up and verify large software commonly found on computer-based systems. Here, we develop and evaluate a pragmatic approach to verify large software systems using a state-of-the-art bounded model checker. In particular, we pre-process the input source-code files and then guide the model checker to explore the code systematically. We also present a multi-core implementation of the k-induction proof algorithm to verify and falsify large software systems iteratively. Our experimental results using the Efficient SMT-based Model Checker (ESBMC) show that our approach can guide ESBMC to efficiently verify large software systems. We evaluate our approach using the PuTTY application to verify 136 files and 2803 functions in less than 86 minutes, and the SlimGuard allocator, where we have found real security vulnerabilities confirmed by the developers. We conclude that our approach can successfully guide a bounded model checker to verify large software systems systematically.

READ FULL TEXT
07/02/2021

Model Checking C++ Programs

In the last three decades, memory safety issues in system programming la...
01/27/2020

Verifying Software Vulnerabilities in IoT Cryptographic Protocols

Internet of Things (IoT) is a system that consists of a large number of ...
02/10/2021

Is Secure Coding Education in the Industry Needed? An Investigation Through a Large Scale Survey

The Department of Homeland Security in the United States estimates that ...
03/17/2018

Cost-aware Vulnerability Prediction: the HARMLESS Approach

Society needs more secure software. But predicting vulnerabilities is di...
06/09/2022

ESBMC-Jimple: Verifying Kotlin Programs via Jimple Intermediate Representation

In this work, we describe and evaluate the first model checker for verif...
03/21/2021

EBF: A Hybrid Verification Tool for Finding Software Vulnerabilities in IoT Cryptographic Protocols

Internet of Things (IoT) consists of a large number of smart devices con...
12/21/2020

FuSeBMC: A White-Box Fuzzer for Finding Security Vulnerabilities in C Programs

We describe and evaluate a novel white-box fuzzer for C programs named F...