Mining for vulnerabilities in embedded TCP/IP stacks with a set of static analysis queries
Acerbi, Gabriele
2020/2021
Abstract
In this thesis, we focus on supporting the process of finding vulnerabilities in software. Even though it is a widely addressed topic, insecure code is still one of the main causes of security issues in software, because a single bug can potentially undermine the security of an entire codebase. The goal of this thesis is to provide a solution that supports and eases the manual code auditing performed by a researcher. Our implementation does so by providing a set of codebase-independent static analysis queries that can be quickly run on a target source code to identify code regions, across a whole codebase or across several projects, that may suffer from a particular vulnerability or weakness, therefore allowing all of them to be fixed at once. We started by going through the available literature in the field as well as the tools usually employed for this purpose. We then designed and implemented our solution, and we finally evaluated it on the source code of seven popular embedded TCP/IP stacks, identifying a total of 14 zero-days out of the 46 vulnerabilities we found during this research.

Keywords — Vulnerabilities, Static Analysis, Variant Analysis, Joern, CWE, Embedded TCP/IP Stacks

| File | Size | Format | |
|---|---|---|---|
| 877653-1250062.pdf (open access; type: other attached material) | 952.38 kB | Adobe PDF | View/Open |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14247/4372