Vulnerability Analysis through Interface-based Checker Design

Checkers design is a main step for static analysis of different vulnerabilities. This paper focuses on static analysis on code property graph, which combines abstract syntax tree, control flow graph, and program dependence graph. Developing checkers on code property graph directly is usually complex and difficult. In this paper, we have analyzed a large number of checkers of different vulnerabilities, and extracted those most commonly used operations as a set of interfaces. We have implemented these interfaces and developed a set of vulnerability checkers based on them. The practical efficacy of these checkers are evaluated on the Linux kernel source code. Experimental results show that our proposed interfaces are strong enough to express most vulnerabilities and our implementation is effective for vulnerabilities detection.