FloCon 2019

In this study, we investigate the limits of the current state of the art AI system for detecting buffer overflows and compare it with current static analysis engines. To do so, we developed a code generator, s-bAbI, capable of producing an arbitrarily large number of samples of controlled complexity. We found that the static analysis engines we examined have good precision, but poor recall. We found that the state of the art AI system, a memory network modeled after another present in the literature, can achieve similar performance to the static analysis engines, but requires an exhaustive amount of training data in order to do so.

Our work implies that there are three threads of future work: First, further developing static analysis engines to improve their recall against this minimally complex class of synthetic code as a lower bar than NIST’s more realistic code datasets (e.g. Juliet). Second, improving AI systems to the point were they can at least solve s-bAbI. And, third, increasing the complexity of s-bAbI to find the additional failure modes of improved static analysis engines and AI systems.

Attendees will Learn:
• the current state of the art in neural networks applied to code analysis
• some secure coding best practices
• how secure coding can improve using AI techniques