APISan: Sanitizing API usages through semantic cross-checking
API misuse is a well-known source of bugs. Some of them (e.g., incorrect use of SSL API, and integer overflow of memory allocation size) can cause serious security vulnerabilities (e.g., man-in-the-middle (MITM) attack, and privilege escalation). Moreover, modern APIs, which are large, complex, and fast evolving, are error-prone. However, existing techniques to help finding bugs require manual effort by developers (e.g., providing specification or model) or are not scalable to large real-world software comprising millions of lines of code. In this paper, we present APISAN, a tool that automatically infers correct API usages from source code without manual effort. The key idea in APISAN is to extract likely correct usage patterns in four different aspects (e.g., causal relation, and semantic relation on arguments) by considering semantic constraints. APISAN is tailored to check various properties with security implications. We applied APISAN to 92 million lines of code, including Linux Kernel, and OpenSSL, found 76 previously unknown bugs, and provided patches for all the bugs.
- Publisher
- USENIX Association
- Issue Date
- 2016-08-11
- Language
- English
- Citation
25th USENIX Security Symposium (Security '16), pp.363 - 377
- Appears in Collection
- EE-Conference Papers(학술회의논문)
- Files in This Item
- There are no files associated with this item.
This item is cited by other documents in WoS
| ⊙ Detail Information in WoSⓡ | Click to see |  |
| ⊙ Cited 55 items in WoS | Click to see citing articles in |  |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.