Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/93257

| Title: | 使用深度學習技術進行自動化的程式碼弱點偵測 Automated Vulnerable Code Detection Using Deep Learning Technique |
| Author: | 柯以恆 Yi-Heng Ko |
| Advisor: | 王凡 Farn Wang |
| Keywords: | Static analysis, Vulnerability detection, Code embedding, Deep learning, Natural language processing |
| Year of publication: | 2024 |
| Degree: | Master's |
| Abstract: | To avoid the existence of exploitable vulnerabilities within applications, security testing has always played a crucial role in software development. Traditional code security testing methods often rely on manual inspection or rule-based approaches, which can be time-consuming and prone to human error. With the recent advancements in natural language processing, deep learning has emerged as a viable approach for code security testing. In this thesis, we investigate the application of deep learning techniques to code security testing with the aim of enhancing the efficiency and effectiveness of security analysis in the software development process. In our study, we train on our dataset using a Long Short-Term Memory (LSTM) model as the architecture and evaluate the performance of two embedding methods in generating code vector representations to increase training efficiency. Additionally, we apply our proposed models to multiple projects collected from GitHub, compare the scan results with existing static testing tools, and evaluate their performance. The results demonstrate that our research outcomes perform better than commercially available static application security testing (SAST) tools. Through the analysis of experimental data, we propose potential improvements and future work for research. |
| URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/93257 |
| DOI: | 10.6342/NTU202401783 |
| Full-text authorization: | Authorized (open to the public worldwide) |
| Appears in department: | Department of Electrical Engineering |
Files in this item:

| File | Size | Format | |
|---|---|---|---|
| ntu-112-2.pdf | 1.97 MB | Adobe PDF | View/Open |
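Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.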
