Automated source code instrumentation for verifying potential vulnerabilities

Hongzhe Li, Jaesang Oh, Hakjoo Oh, Heejo Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

9 Citations (Scopus)


With a rapid yearly growth rate, software vulnerabilities are making great threats to the system safety. In theory, detecting and removing vulnerabilities before the code gets ever deployed can greatly ensure the quality of software released. However, due to the enormous amount of code being developed as well as the lack of human resource and expertise, severe vulnerabilities still remain concealed or cannot be revealed effectively. Current source code auditing tools for vulnerability discovery either generate too many false positives or require overwhelming manual efforts to report actual software flaws. In this paper, we propose an automatic verification mechanism to discover and verify vulnerabilities by using program source instrumentation and concolic testing. In the beginning, we leverage CIL to statically analyze the source code including extracting the program CFG, locating the security sinks and backward tracing the sensitive variables. Subsequently, we perform automated program instrumentation to insert security probes ready for the vulnerability verification. Finally, the instrumented program source is passed to the concolic testing engine to verify and report the existence of an actual vulnerability. We demonstrate the efficacy and efficiency of our mechanism by implementing a prototype system and perform experiments with nearly 4000 test cases from Juliet Test Suite. The results show that our system can verify over 90% of test cases and it reports buffer overflow flaws with Precision = 100% (0 FP) and Recall = 94.91 %. In order to prove the practicability of our system working in real world programs, we also apply our system on 2 popular Linux utilities, Bash and Cpio. As a result, our system finds and verifies vulnerabilities in a fully automatic way with no false positives.

Original languageEnglish
Title of host publicationICT Systems Security and Privacy Protection - 31st IFIP TC 11 International Conference, SEC 2016, Proceedings
EditorsStefan Katzenbeisser, Jaap-Henk Hoepman
PublisherSpringer New York LLC
Number of pages16
ISBN (Print)9783319336299
Publication statusPublished - 2016
Event31st IFIP TC 11 International Conference on Systems Security and Privacy Protection, SEC 2016 - Ghent, Belgium
Duration: 2016 May 302016 Jun 1

Publication series

NameIFIP Advances in Information and Communication Technology
ISSN (Print)1868-4238


Other31st IFIP TC 11 International Conference on Systems Security and Privacy Protection, SEC 2016

Bibliographical note

Funding Information:
This research was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government(MSIP)(R0190-15-2011, Development of Vulnerability Discovery Technologies for IoT Software Security).

Publisher Copyright:
© IFIP International Federation for Information Processing 2016.


  • Automatic instrumentation
  • Security constraints
  • Security sinks
  • Vulnerability verification

ASJC Scopus subject areas

  • Information Systems and Management
  • Information Systems
  • Computer Networks and Communications


Dive into the research topics of 'Automated source code instrumentation for verifying potential vulnerabilities'. Together they form a unique fingerprint.

Cite this