ASE 2021
Sun 14 - Sat 20 November 2021 Australia
Thu 18 Nov 2021 11:00 - 11:20 at Kangaroo, session: Vulnerability. Chair(s): Xusheng Xiao

Following the coordinated vulnerability disclosure model, a vulnerability in open source software (OSS) is expected to be fixed "silently", without announcing the fix until the vulnerability itself is disclosed. Yet it is crucial for OSS users to learn of vulnerability fixes as early as possible: once a fix is pushed to the source code repository, a malicious party can study the change to locate the corresponding vulnerability and exploit it in unpatched deployments. In practice, OSS users often rely on vulnerability disclosure information from security advisories (e.g., the National Vulnerability Database) to become aware of fixes. However, the time between the availability of a vulnerability fix and its disclosure can vary from days to months, and in some cases even years. Due to manpower constraints and the lack of expert knowledge, it is infeasible for OSS users to manually analyze every code change to detect vulnerability fixes. Therefore, it is essential to identify vulnerability fixes automatically and promptly. In a first-of-its-kind study, we propose VulFixMiner, a Transformer-based approach that automatically extracts semantic meaning from commit-level code changes to identify silent vulnerability fixes. We construct our model using sampled commits from 204 projects, and evaluate it using the full set of commits from 52 additional projects. The evaluation results show that VulFixMiner outperforms various state-of-the-art baselines in terms of AUC (0.81 and 0.73 on the Java and Python datasets, respectively) and two effort-aware performance metrics (EffortCost and P_opt). In particular, with an effort of inspecting 5% of total LOC, VulFixMiner can identify 49% of all vulnerability fixes.
Additionally, through manual verification of sampled commits that were identified as vulnerability fixes but not marked as such in our dataset, we observe that 35% (29 out of 82) of these commits do fix vulnerabilities, indicating that VulFixMiner is also capable of identifying unreported vulnerability fixes.
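The abstract reports AUC alongside an effort-aware figure (the share of fixes found after inspecting 5% of total LOC). The following added example, which is not code from the paper or from VulFixMiner, shows how both are computed over a ranked list of commits. The commits, their LOC, model scores and labels are all constructed sample data; the ranking keys and function names are this example's own assumptions, not the paper's.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Commit:
    sha: str        # constructed placeholder identifier
    loc: int        # lines of code changed by the commit
    score: float    # model's predicted probability that the commit is a vulnerability fix
    is_fix: bool    # ground-truth label from the dataset

# Constructed sample: 10 commits totalling 1000 LOC, 3 of which are vulnerability fixes.
SAMPLE: List[Commit] = [
    Commit("c01", 12, 0.95, True),
    Commit("c02", 300, 0.90, False),   # large, confidently mis-scored commit
    Commit("c03", 8, 0.85, True),
    Commit("c04", 40, 0.60, False),
    Commit("c05", 25, 0.55, True),
    Commit("c06", 500, 0.40, False),
    Commit("c07", 15, 0.30, False),
    Commit("c08", 60, 0.20, False),
    Commit("c09", 10, 0.10, False),
    Commit("c10", 30, 0.05, False),
]

# Ranking used by the model: highest score first.
MODEL_KEY: Callable[[Commit], object] = lambda c: -c.score

# Best possible effort-aware ranking (assumed here for comparison): true fixes first,
# smallest fixes first, then non-fixes largest first.
OPTIMAL_KEY: Callable[[Commit], object] = lambda c: (not c.is_fix, c.loc if c.is_fix else -c.loc)

def recall_at_effort(commits: List[Commit], loc_fraction: float,
                     key: Optional[Callable[[Commit], object]] = None) -> float:
    """Fraction of true fixes found when a reviewer inspects commits in the given
    order and stops once the next commit would exceed loc_fraction of total LOC."""
    key = key or MODEL_KEY
    total_loc = sum(c.loc for c in commits)
    total_fixes = sum(c.is_fix for c in commits)
    if total_fixes == 0:
        return 0.0
    budget = loc_fraction * total_loc
    inspected_loc = 0
    found = 0
    for c in sorted(commits, key=key):
        if inspected_loc + c.loc > budget:
            break               # budget exhausted; reviewer stops here
        inspected_loc += c.loc
        found += int(c.is_fix)
    return found / total_fixes

def auc(commits: List[Commit]) -> float:
    """Rank-based AUC: probability that a random fix outscores a random non-fix
    (ties count as one half)."""
    pos = [c.score for c in commits if c.is_fix]
    neg = [c.score for c in commits if not c.is_fix]
    if not pos or not neg:
        raise ValueError("AUC needs at least one fix and one non-fix")
    wins = 0.0
    for p in pos:
        for n in neg:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(pos) * len(neg))

if __name__ == "__main__":
    print(f"AUC:                         {auc(SAMPLE):.3f}")
    print(f"Recall@5% LOC (model):       {recall_at_effort(SAMPLE, 0.05):.3f}")
    print(f"Recall@5% LOC (optimal):     {recall_at_effort(SAMPLE, 0.05, OPTIMAL_KEY):.3f}")
```

On this constructed data the AUC is high (about 0.86) while recall at 5% LOC is only one third, because the large false positive `c02` consumes the inspection budget before the other fixes are reached; the optimal ordering finds all three fixes within the same budget. That gap is what the effort-aware metrics measure and why they are reported next to AUC.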

Thu 18 Nov

Displayed time zone: Hobart

11:00 - 12:00
Vulnerability: Research Papers at Kangaroo
Chair(s): Xusheng Xiao Case Western Reserve University
Finding A Needle in a Haystack: Automated Mining of Silent Vulnerability Fixes
Research Papers
Jiayuan Zhou (Centre for Software Excellence, Huawei, Canada), Michael Pacheco (Centre for Software Excellence, Huawei), Zhiyuan Wan (Zhejiang University), Xin Xia (Huawei Software Engineering Application Technology Lab), David Lo (Singapore Management University), Yuan Wang (Huawei Sweden Research Center), Ahmed E. Hassan (Queen's University)
DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning
Research Papers
Triet Le Huynh Minh (The University of Adelaide), David Hin (The University of Adelaide), Roland Croft (The University of Adelaide), Muhammad Ali Babar (University of Adelaide)