HiddenCPG
HiddenCPG is a vulnerable clone detection system using code property graph (CPG) for uncovering various web vulnerabilities. HiddenCPG is capable of detecting unknown web vulnerabilities that stem from the absence of input sanitization and incorrect sanitization. The details of the testing strategy is in our paper, "HiddenCPG: Large-Scale Vulnerable Clone Detection Using Subgraph Isomorphism of Code Property Graphs", which appeared in WWW 2022. To see how to configure and execute HiddenCPG, see the followings.
- Install dependencies
$ pip install pickle
$ pip install json
$ pip install networkx
$ pip install operator
$ pip install copy
$ pip install signal
$ pip install github
- Clone HiddenCPG
$ git clone https://github.com/WSP-LAB/HiddenCPG.git
- Install joern and phpjoern
- Build joern and make sure that
php2ast
is working correctly. - Build phpjoern and make sure that
phpast2cpg
is working correctly.
- To convert the target applications to CPG, use the following command:
$ python2 mkcpg.py [Root directory of target PHP code] [Output directory]
- First, convert the vulnerable application into a CPG.
$ pytho2 mkcpg.py [Root directory of vulnerable PHP code] [Output directory]
- Then, extract the CPG query by specifying the location of the sink and source in the command (Here, the sink and source locations refer to the node number of the top level statement visited by the control flow edge among the AST nodes).
$ python2 Extractor.py [CPG directory] [Source node] [Sink node] [Path number] [Output directory]
Note that an extracted query is stored using python pickle.
HiddenCPG
- You need two directories: the directory where the system CPGs are collected and the directory where the CPG queries are collected.
SystemCPG
│
└───application1
│ │ cpg_edges.csv
│ │ nodes.csv
│ │ rels.csv
│
└───application2
│ cpg_edges.csv
│ nodes.csv
│ rels.csv
CPGQuery
│
└───query1
│
└───query2
- Execute HiddenCPG
$ cd hiddencpg
$ python2 hiddencpg.py [SystemCPG] [CPGQuery] [Log name]
Logs are written to each systemCPG directory. When HiddenCPG finds a bug, it records which node is mapped to which node in the log.
- Crwaler
$ cd dataset
$ python2 crawler.py [Github token]
- Cloning dataset
$ python2 clone [Output directory]
This research project has been conducted by WSP Lab at KAIST.
- Seongil Wi
- Sijae Woo
- Joyce Jiyoung Whang
- Sooel Son
Citing HiddenCPG
To cite our paper:
@INPROCEEDINGS{wi:www:2022,
author = {Wi, Seongil and Woo, Sijae and Whang, Joyce Jiyoung and Son, Sooel},
title = {{HiddenCPG}: Large-Scale Vulnerable Clone Detection Using Subgraph Isomorphism of Code Property Graphs},
booktitle = {Proceedings of the {ACM} Web Conference},
year = 2022,
pages = {755--766}
}