Shouhuai Xu scite author profile

Abstract-The automatic detection of software vulnerabilities is an important research problem. However, existing solutions to this problem rely on human experts to define features and often miss many vulnerabilities (i.e., incurring high false negative rate). In this paper, we initiate the study of using deep learning-based vulnerability detection to relieve human experts from the tedious and subjective task of manually defining features. Since deep learning is motivated to deal with problems that are very different from the problem of vulnerability detection, we need some guiding principles for applying deep learning to vulnerability detection. In particular, we need to find representations of software programs that are suitable for deep learning. For this purpose, we propose using code gadgets to represent programs and then transform them into vectors, where a code gadget is a number of (not necessarily consecutive) lines of code that are semantically related to each other. This leads to the design and implementation of a deep learning-based vulnerability detection system, called Vulnerability Deep Pecker (VulDeePecker). In order to evaluate VulDeePecker, we present the first vulnerability dataset for deep learning approaches. Experimental results show that VulDeePecker can achieve much fewer false negatives (with reasonable false positives) than other approaches. We further apply VulDeePecker to 3 software products (namely Xen, Seamonkey, and Libav) and detect 4 vulnerabilities, which are not reported in the National Vulnerability Database but were "silently" patched by the vendors when releasing later versions of these products; in contrast, these vulnerabilities are almost entirely missed by the other vulnerability detection systems we experimented with.

show abstract

VABKS: Verifiable attribute-based keyword search over outsourced encrypted data

Zheng

Ateniese

2014

396

297

View full text Add to dashboard Cite

Abstract-It is common nowadays for data owners to outsource their data to the cloud. Since the cloud cannot be fully trusted, the outsourced data should be encrypted. This however brings a range of problems, such as: How should a data owner grant search capabilities to the data users? How can the authorized data users search over a data owner's outsourced encrypted data? How can the data users be assured that the cloud faithfully executed the search operations on their behalf? Motivated by these questions, we propose a novel cryptographic solution, called verifiable attribute-based keyword search (VABKS). The solution allows a data user, whose credentials satisfy a data owner's access control policy, to (i) search over the data owner's outsourced encrypted data, (ii) outsource the tedious search operations to the cloud, and (iii) verify whether the cloud has faithfully executed the search operations. We formally define the security requirements of VABKS and describe a construction that satisfies them. Performance evaluation shows that the proposed schemes are practical and deployable.

show abstract

SySeVR: A Framework for Using Deep Learning to Detect Software Vulnerabilities

Zou

et al. 2022

IEEE Trans. Dependable and Secure Comput.

350

222

View full text Add to dashboard Cite

Key-Insulated Public Key Cryptosystems

et al. 2002

View full text Add to dashboard Cite

Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physically-secure -but computationally-limiteddevice which stores a "master key". All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N )-keyinsulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N − t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically-secure device.We focus primarily on key-insulated public-key encryption. We construct a (t, N )-key-insulated encryption scheme based on any (standard) public-key encryption scheme, and give a more ef£cient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security.

show abstract

Strong Key-Insulated Signature Schemes

et al. 2002

View full text Add to dashboard Cite

Abstract. Signature computation is frequently performed on insecure devices -e.g., mobile phones -operating in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a "master key". All signing is still done by the insecure device, and the public key remains fixed throughout the lifetime of the protocol. In a strong (t, N )-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods is unable to forge signatures for any of the remaining N −t periods. Furthermore, the physically-secure device (or an adversary who compromises only this device) is unable to forge signatures for any time period. We present here constructions of strong key-insulated signature schemes based on a variety of assumptions. First, we demonstrate a generic construction of a strong (N − 1, N)-key-insulated signature scheme using any standard signature scheme. We then give a construction of a strong (t, N )-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model. This construction offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length. Finally, we construct strong (N − 1, N)-key-insulated schemes based on any "trapdoor signature scheme" (a notion we introduce here); our resulting construction in fact serves as an identity-based signature scheme as well. This leads to very efficient solutions based on, e.g., the RSA assumption in the random oracle model.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Shouhuai Xu

VulDeePecker: A Deep Learning-Based System for Vulnerability Detection

VABKS: Verifiable attribute-based keyword search over outsourced encrypted data

SySeVR: A Framework for Using Deep Learning to Detect Software Vulnerabilities

Key-Insulated Public Key Cryptosystems

Strong Key-Insulated Signature Schemes

Contact Info

Product

Resources

About