Abstract
This paper introduces the GLICE (Graph Neural Network with program slice) model for static code analysis to detect vulnerabilities in source code. GLICE combines inter-procedural program slicing with a Graph Neural Network. It builds upon and extends prior work that applies program slicing (as in the SySeVR model) and Graph Neural Networks (as in the FUNDED model) for vulnerability detection. We apply GLICE on a data set of C/C++ code samples with out-of-bounds write (CWE-787) and out-of-bounds read (CWE-125) butter overflow vulnerabilities. We perform experiments with GLICE to evaluate trade-offs in the depth of the inter-procedural analysis, and to compare GLICE with prior models by evaluating the effectiveness for vulnerability detection and the usage of resources. Our experimental results show that detection accuracy of GLICE improves up to 13% when compared to FUNDED, while the time required to train the GLICE model is about 9 times smaller. GLICE allows configuring the depth of the interprocedural analysis. Our experimental results show that increasing the depth will improve detection, which however requires more computing resources. This allows a user of GLICE to steer the trade-off between detection accuracy and computational efficiency.
Original language | English |
---|---|
Title of host publication | 8th IEEE European Symposium on Security and Privacy Workshops |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 34-41 |
Number of pages | 8 |
ISBN (Electronic) | 9798350327205 |
ISBN (Print) | 9798350327212 |
DOIs | |
Publication status | Published - 2023 |
Event | 8th IEEE European Symposium on Security and Privacy Workshops - Delft, Netherlands Duration: 3 Jul 2023 → 7 Jul 2023 Conference number: 8 |
Conference
Conference | 8th IEEE European Symposium on Security and Privacy Workshops |
---|---|
Abbreviated title | Euro S and PW 2023 |
Country/Territory | Netherlands |
City | Delft |
Period | 3/07/23 → 7/07/23 |
Keywords
- Graph neural network
- Program slicing
- Static source code analysis
- Vulnerability detection