A research team at Northeastern University finds vulnerabilities and code defects. It does it by detecting when a programmer uses various code snippets to carry out the same tasks. Consistent and repeatable programming is said to be one of the best ways in software development, it has also become more crucial as the development team grows in size every day. Today, Northeastern University’s research team reveals that finding irregular programming, code snippets that carry out the same tasks but in unique ways, can also help in finding bugs and potential vulnerabilities.
The team presented a paper at USENIX Security Conference last year, researchers used machine learning to detect bugs. It first identified code snippets that carried out the same functions, later compared the codes to find irregularities. Known as “Functionally Similar yet Inconsistent Code Snippets” aka FICS, the program detected 22 new bugs after investigating QEMU and OpenSSL open-source projects.” From basic bugs such as absent bounds checking to complex bugs such as use-after-free, as long as the codebase contains non-buggy code snippets that are functionally similar to a buggy code snippet, the buggy one can be detected as an inconsistent implementation of the functionality or logic,” said the experts.
Expert Mansour Ahmadi, research associate at Northeastern University says that they don’t intend to change other methods of static analysis with this research, however, they want to give developers an idea about addition tool in their infantry which can be used to analyze code and find bugs. Mr. Ahmadi currently works at Amazon as a security engineer. An earlier different approach uses static analysis, when faced with an issue or had to be encountered with a rule to find the pattern.
For instance, if a system has previously found a variant of a bug, these approaches are likely to fail in finding the bug. However, with accurate implementations of code snippets with similar functions, the FICS method can easily find the bug. According to Mr. Ahmadi, ” While we were acknowledged by the developers for our findings, the developers did not proceed to assign CVEs to them as they believe the bugs are not exploitable.”
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.