LAVA: Large-Scale Automated Vulnerability Addition

Brendan Dolan-Gavitt, Patrick Hulin, Engin Kirda, Tim Leek, Andrea Mambretti, Wil Robertson, Frederick Ulrich, Ryan Whelan

    Research output: Chapter in Book/Report/Conference proceedingConference contribution


    Work on automating vulnerability discovery has long been hampered by a shortage of ground-truth corpora with which to evaluate tools and techniques. This lack of ground truth prevents authors and users of tools alike from being able to measure such fundamental quantities as miss and false alarm rates. In this paper, we present LAVA, a novel dynamic taint analysis-based technique for producing ground-truth corpora by quickly and automatically injecting large numbers of realistic bugs into program source code. Every LAVA bug is accompanied by an input that triggers it whereas normal inputs are extremely unlikely to do so. These vulnerabilities are synthetic but, we argue, still realistic, in the sense that they are embedded deep within programs and are triggered by real inputs. Using LAVA, we have injected thousands of bugs into eight real-world programs, including bash, tshark, and the GNU coreutils. In a preliminary evaluation, we found that a prominent fuzzer and a symbolic execution-based bug finder were able to locate some but not all LAVA-injected bugs, and that interesting patterns and pathologies were already apparent in their performance. Our work forms the basis of an approach for generating large ground-truth vulnerability corpora on demand, enabling rigorous tool evaluation and providing a high-quality target for tool developers.

    Original languageEnglish (US)
    Title of host publicationProceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Number of pages12
    ISBN (Electronic)9781509008247
    StatePublished - Aug 16 2016
    Event2016 IEEE Symposium on Security and Privacy, SP 2016 - San Jose, United States
    Duration: May 23 2016May 25 2016

    Publication series

    NameProceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016


    Other2016 IEEE Symposium on Security and Privacy, SP 2016
    Country/TerritoryUnited States
    CitySan Jose

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Computer Networks and Communications
    • Software


    Dive into the research topics of 'LAVA: Large-Scale Automated Vulnerability Addition'. Together they form a unique fingerprint.

    Cite this