Research Article
BibTex RIS Cite

C PROGRAMLAMA DİLİNDE KAYNAK KOD GÜVENLİĞİ: SECUREC

Year 2022, Volume: 10 Issue: 2, 561 - 573, 30.06.2022
https://doi.org/10.21923/jesd.1031774

Abstract

Yazılım güvenliğinin temel amacı, yazılımı kötü niyetli siber saldırılara karşı dayanıklı olacak şekilde tasarlamaktır. Yazılım güvenliği, yazılım yaşam döngüsünün her aşamasında ele alınmazsa, birçok işletme, kuruluş ve hatta hükümetler, yazılım sistemlerindeki güvenlik açıkları nedeniyle sömürülür. Güvenli yazılım sistemleri geliştirmede kaynak kodun analiz edilmesi önemli bir adımdır. Güvenli olmayan kaynak kodu bölümlerinin belirlenmesi, yazılımdaki güvenlik açıklarının azaltılmasına veya kaldırılmasına yardımcı olur. C programlama dili, en yaygın kullanılan programlama dillerinden biridir, ancak güvenli değildir ve kod yerleştirme saldırılarına karşı savunmasızdır. C programlama dilinin en yaygın güvenlik açıkları arabellek taşmaları, giriş doğrulamaları ve kaynak yönetimi hatalarıdır. Bu çalışmada, C programlama dilindeki güvensiz kaynak kodlarını tespit edebilen SecureC adlı bir yazılım aracı geliştirilmiştir. İlk olarak düzenli ifadeler kullanılarak yeni kod şablonları çıkarılmış, ardından bu yeni şablonlar kullanılarak veri setindeki kaynak kodlar işaretlenmiştir. Daha sonra yüzbinlerce satıra sahip kaynak koddan güvensiz kısımları tespit ederken işaretli veri kümesi ile işaretsiz veri kümesi arasında performans farkı olup olmadığına odaklanılmıştır. Sonuç olarak, işaretli bir veri kümesinin kullanılması hem ikili hem de çoklu sınıflandırmada performans artışı sağlamıştır.

Supporting Institution

TÜBİTAK 2209-A Üniversite Öğrencileri Araştırma Projeleri Destekleme Programı

Project Number

1919B012004582 Başvuru Numaralı Proje

References

  • Cao, S., Sun, X., Bo, L., Wei, Y., Li, B. 2021. BGNN4VD: Constructing Bidirectional Graph Neural-Network for Vulnerability Detection, Information and Software Technology, 136, Doi: 10.1016/j.infsof.2021.106576.
  • Draper VDISC Dataset, https://osf.io/d45bw/, 2021.
  • Edgescan, 2020. Vulnerability Statistics Report. https://cdn2.hubspot.net/hubfs/4118561/BCC030%20Vulnerability%20Stats%20Report%20(2020)_WEB.pdf (Erişim tarihi: Kasım 2021).
  • Juliet Test Suite for C/C++ , https://samate.nist.gov/SARD/around.php#juliet_documents, 2021.
  • Kaur, A. Nayyar, R. 2020. A Comparative Study of Static Code Analysis tools for Vulnerability Detection in C/C++ and JAVA Source Code, Procedia, 171, 2023-2029.
  • Kim, J. Hubczenko, D., Montague, P. 2019. Towards Attention Based Vulnerability Discovery Using Source Code Representation, Artificial Neural Networks and Machine Learning – ICANN 2019: Text and Time Series, 731-746.
  • Larrucea. X., Santamaria, I., Colomo-Palacios, R. 2019. Assessing source code vulnerabilities in a cloud-based system for health systems:OpenNCP, IET Journals, 13, 195-202.
  • Li, X., Wang, Lu., Xin, Y., Yang, Y., Chen, Y. 2020. Automated Vulnerability Detection in Source Code Using Minimum Intermediate Representation Learning, 10, Doi: 10.3390/app10051692.
  • Li, R., Feng, C., Zhang, X., Tang, C. 2019. A Lightweight Assisted Vulnerability Discovery Method Using Deep Neural Networks, IEEE, 7, 80079 – 80092.
  • Samate NIST, Juliet Documents NIST, 2006. Resources from the Software Assurance Reference Dataset, Kasım 2017-2021. https://samate.nist.gov/SRD/around.php#juliet_documents (erişim tarihi: Kasım 2021).
  • SARD, https://samate.nist.gov/SARD/, 2021.
  • Suneja, S., Zheng, Y., Zhuang, Y., Laredo, J., Morari A. 2019. Learning to map source code to software vulnerability using code-as-a-graph, ArXiv abs/2006.08614.
  • Tian, J., Xing, W., Li, Z. 2020. BVDetector: A program slice-based binary code vulnerability intelligent detection system, Information and Software Technology, 123, Doi: 10.1016/j.infsof.2020.106289.
  • Verma, P., Goyal, A., Gigras, Y. 2020. Email phishing: Text classification using natural language processing, Computer Science and Information Technologies, 1, 1-12.
  • Xiaomeng, W., Tao, Z., Runpu, W., Wei, X., Changyu, H. 2018. 10th International Conference on Advanced Infocomm Technology (ICAIT), IEEE, Doi: 10.1109/ICAIT.2018.8686548.
  • Xu, A., Dai, T., Chen, H., Ming, Z., Li, W. 2018. Vulnerability Detection for Source Code Using Contextual LSTM, ICSAI, Doi: 10.1109/ICSAI.2018.8599360.

SOURCE CODE SECURITY IN C PROGRAMMING LANGUAGE: SECUREC

Year 2022, Volume: 10 Issue: 2, 561 - 573, 30.06.2022
https://doi.org/10.21923/jesd.1031774

Abstract

The principal goal of software security is to design software to be resistant to malicious cyber-attacks. If software security is not handled at every stage of the life cycle of software, many businesses, organizations, and even governments are exploited due to security vulnerabilities in their software systems. Analyzing the source code in developing secure software systems is an important step. Identifying the insecure source code parts helps to reduce or remove vulnerabilities in software.
The C programming language is one of the most-commonly used programming languages, but it is insecure and vulnerable to code injection attacks. C programming language's most common security vulnerabilities are buffer overflows, input validations, and resource management errors. In this paper, a software tool called SecureC has been developed, which can detect insecure source codes in the C programming language. Firstly, the new source code templates using the Regular expressions (Regex) were extracted, then the source codes in the dataset by using these new templates were marked. Then, it has been focused on finding whether there is any performance difference between the marked dataset and the unmarked dataset while detecting insecure parts from the source code that has hundreds of thousands of lines. As a result, the usage of a marked dataset ensured the performance improvement in both binary and multiple classification.

Project Number

1919B012004582 Başvuru Numaralı Proje

References

  • Cao, S., Sun, X., Bo, L., Wei, Y., Li, B. 2021. BGNN4VD: Constructing Bidirectional Graph Neural-Network for Vulnerability Detection, Information and Software Technology, 136, Doi: 10.1016/j.infsof.2021.106576.
  • Draper VDISC Dataset, https://osf.io/d45bw/, 2021.
  • Edgescan, 2020. Vulnerability Statistics Report. https://cdn2.hubspot.net/hubfs/4118561/BCC030%20Vulnerability%20Stats%20Report%20(2020)_WEB.pdf (Erişim tarihi: Kasım 2021).
  • Juliet Test Suite for C/C++ , https://samate.nist.gov/SARD/around.php#juliet_documents, 2021.
  • Kaur, A. Nayyar, R. 2020. A Comparative Study of Static Code Analysis tools for Vulnerability Detection in C/C++ and JAVA Source Code, Procedia, 171, 2023-2029.
  • Kim, J. Hubczenko, D., Montague, P. 2019. Towards Attention Based Vulnerability Discovery Using Source Code Representation, Artificial Neural Networks and Machine Learning – ICANN 2019: Text and Time Series, 731-746.
  • Larrucea. X., Santamaria, I., Colomo-Palacios, R. 2019. Assessing source code vulnerabilities in a cloud-based system for health systems:OpenNCP, IET Journals, 13, 195-202.
  • Li, X., Wang, Lu., Xin, Y., Yang, Y., Chen, Y. 2020. Automated Vulnerability Detection in Source Code Using Minimum Intermediate Representation Learning, 10, Doi: 10.3390/app10051692.
  • Li, R., Feng, C., Zhang, X., Tang, C. 2019. A Lightweight Assisted Vulnerability Discovery Method Using Deep Neural Networks, IEEE, 7, 80079 – 80092.
  • Samate NIST, Juliet Documents NIST, 2006. Resources from the Software Assurance Reference Dataset, Kasım 2017-2021. https://samate.nist.gov/SRD/around.php#juliet_documents (erişim tarihi: Kasım 2021).
  • SARD, https://samate.nist.gov/SARD/, 2021.
  • Suneja, S., Zheng, Y., Zhuang, Y., Laredo, J., Morari A. 2019. Learning to map source code to software vulnerability using code-as-a-graph, ArXiv abs/2006.08614.
  • Tian, J., Xing, W., Li, Z. 2020. BVDetector: A program slice-based binary code vulnerability intelligent detection system, Information and Software Technology, 123, Doi: 10.1016/j.infsof.2020.106289.
  • Verma, P., Goyal, A., Gigras, Y. 2020. Email phishing: Text classification using natural language processing, Computer Science and Information Technologies, 1, 1-12.
  • Xiaomeng, W., Tao, Z., Runpu, W., Wei, X., Changyu, H. 2018. 10th International Conference on Advanced Infocomm Technology (ICAIT), IEEE, Doi: 10.1109/ICAIT.2018.8686548.
  • Xu, A., Dai, T., Chen, H., Ming, Z., Li, W. 2018. Vulnerability Detection for Source Code Using Contextual LSTM, ICSAI, Doi: 10.1109/ICSAI.2018.8599360.
There are 16 citations in total.

Details

Primary Language Turkish
Subjects Computer Software
Journal Section Research Articles
Authors

Meltem Kurt Pehlivanoğlu 0000-0002-7581-9390

Sinan Çalışır This is me 0000-0001-7600-3708

Ceren Genç This is me 0000-0003-4110-7018

Duygu Evrim Odabaş This is me 0000-0002-4093-1366

Berkehan Öztürk This is me 0000-0001-6602-1347

Project Number 1919B012004582 Başvuru Numaralı Proje
Publication Date June 30, 2022
Submission Date December 2, 2021
Acceptance Date March 17, 2022
Published in Issue Year 2022 Volume: 10 Issue: 2

Cite

APA Kurt Pehlivanoğlu, M., Çalışır, S., Genç, C., Odabaş, D. E., et al. (2022). C PROGRAMLAMA DİLİNDE KAYNAK KOD GÜVENLİĞİ: SECUREC. Mühendislik Bilimleri Ve Tasarım Dergisi, 10(2), 561-573. https://doi.org/10.21923/jesd.1031774