Differential slicing: Identifying causal execution differences for security applications

Noah M. Johnson, Caballero Juan, Kevin Zhijie Chen, Stephen McCamant, Pongsin Poosankam, Daniel Reynaud, Dawn Song

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

41 Scopus citations

Abstract

A security analyst often needs to understand two runs of the same program that exhibit a difference in program state or output. This is important, for example, for vulnerability analysis, as well as for analyzing a malware program that features different behaviors when run in different environments. In this paper we propose a differential slicing approach that automates the analysis of such execution differences. Differential slicing outputs a causal difference graph that captures the input differences that triggered the observed difference and the causal path of differences that led from those input differences to the observed difference. The analyst uses the graph to quickly understand the observed difference. We implement differential slicing and evaluate it on the analysis of 11 real-world vulnerabilities and 2 malware samples with environment-dependent behaviors. We also evaluate it in an informal user study with two vulnerability analysts. Our results show that differential slicing successfully identifies the input differences that caused the observed difference and that the causal difference graph significantly reduces the amount of time and effort required for an analyst to understand the observed difference.

Original language: English (US)
Title of host publication: Proceedings - 2011 IEEE Symposium on Security and Privacy, SP 2011
Pages: 347-362
Number of pages: 16
State: Published - Aug 29 2011
Event: 2011 IEEE Symposium on Security and Privacy, SP 2011 - Berkeley, CA, United States
Duration: May 22 2011 → May 25 2011

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print): 1081-6011

Other

Other: 2011 IEEE Symposium on Security and Privacy, SP 2011
Country: United States
City: Berkeley, CA
Period: 5/22/11 → 5/25/11

Cite this

Johnson, N. M., Juan, C., Chen, K. Z., McCamant, S., Poosankam, P., Reynaud, D., & Song, D. (2011). Differential slicing: Identifying causal execution differences for security applications. In Proceedings - 2011 IEEE Symposium on Security and Privacy, SP 2011 (pp. 347-362). [5958039] (Proceedings - IEEE Symposium on Security and Privacy). https://doi.org/10.1109/SP.2011.41