VUDDY is an approach for scalable and accurate vulnerable code clone detection. This approach is specifically designed to accurately find vulnerabilities in massive code bases (e.g., Linux kernel, 25 MLoC). Its principles and results are discussed in our paper, which was published in 38th IEEE Symposium on Security and Privacy (S&P'17).
hmark is the implementation of VUDDY. It is the client-side preprocessing
tool for "Vulnerable Code Clone Detection" testing provided by
IoTcube, an automated vulnerability testing platform.
Detailed instructions are available here.
This project is a part of the "international collaborative research", which was conducted by CSSA (Center for Software Security and Assurrance).
- Linux or OS X - hmark is designed to work on any of the operating
systems. Tested OS distributions include Ubuntu 14.04, 16.04, and 18.04,
Fedora 25, and OS X. Let me know if your OS is not supported.
- Confirmed in May 2024: VUDDY works seamlessly on Ubuntu 22.04, but you need to install Python 2
- Python 2, version 2.7.10 or newer - earlier versions may work, but not tested.
- python-tk package - (only required if you want GUI) install from your package manager
- Java Runtime Environment (JRE) - We recommend openjdk-8-jre.
cd hmarkpython hmark.py [-h] [-c path ON/OFF] [-n] [-V]
You can see the help message below by passing an -h (or --help) argument.
usage: python hmark.py [-h] [-c path ON/OFF] [-n] [-V]
- optional arguments:
-h, --help show this help message and exit
-c path ON/OFF, --cli-mode path ON/OFF
run hmark without GUI by specifying the path to the
target directory, and the abstraction mode
-n, --no-updatecheck bypass update checking (not recommended)
-V, --version print hmark version and exit
- Upload the resulting
hidxfile on IoTcube's Vulnerable Code Clone Detection testing.
Follow steps 1 and 2 above to generate the hidx of the target program.
Skip step 3.
- To build your own vulnerability database, checkout
vulnDBGen, which is a subrepo of this repository and follow the guidelines to build a vulnerability database locally.
$ git submodule update --init
$ cd vulnDBGen
$ cat docs/examples.md
- After building your own vulnerability database, you can locally run the vulnerable clone checker:
$ cd ..
$ python3 checker/check_clones.py --help
$ python3 checker/check_clones.py --target path_to_target_hidx --database path_to_vulndb
Instead of running hmark from source code, you can also download and execute
prebuilt binaries. Binaries for Windows, Linux, and OS X are available
here.
For reporting bugs, you can submit an issue to the VUDDY GitHub, or send me an email. Feel free to send pull requests if you have suggestions or bugfixes!
This program is authored and maintained by Seulbae Kim
GitHub @seulbae-security / seulbae@postech.ac.kr
Please feel free to submit pull requests for the following items:
- Rewrite everything in Python3
- Use a better parser
- Replace all code that rely on stdin/stdout for IPC (e.g., git executions) with API calls