ASE 2024
Sun 27 October - Fri 1 November 2024 Sacramento, California, United States
Thu 31 Oct 2024 13:30 - 13:45 at Magnoila - Code and issue report Chair(s): Baishakhi Ray

Security patches are essential for enhancing the stability and robustness of projects in the open-source software community. While vulnerabilities are officially expected to be patched before being disclosed, patching vulnerabilities is complicated and remains a struggle for many organizations. To patch vulnerabilities, security practitioners typically track vulnerable issue reports (IRs), and analyze their relevant insecure code to generate potential patches. However, the relevant insecure code may not be explicitly specified and practitioners cannot track the insecure code in the repositories, thus limiting their ability to generate patches. In such cases, providing examples of insecure code and the corresponding patches would benefit the security developers to better locate and resolve the actual insecure code. In this paper, we propose PatUntrack, an automated approach to generating patch examples from IRs without tracked insecure code. PatUntrack utilizes auto-prompting to optimize the Large Language Model (LLM) to make it applicable for analyzing the vulnerabilities described in IRs and generating appropriate patch examples. Specifically, it first generates the completed description of the Vulnerability-Triggering Path (VTP) from vulnerable IRs. Then, it corrects potential hallucinations in the VTP description with external golden knowledge. Finally, it generates Top-$K$ pairs of Insecure Code and Patch Example based on the corrected VTP description. To evaluate the performance of PatUntrack, we conducted experiments on 5,465 vulnerable IRs. The experimental results show that PatUntrack can obtain the highest performance and improve the traditional LLM baselines by +17.7% (MatchFix) and +14.6% (Fix@10) on average in patch example generation. Furthermore, PatUntrack was applied to generate patch examples for 76 newly disclosed vulnerable IRs. 27 out of 37 replies from the authors of these IRs confirmed the usefulness of the patch examples generated by PatUntrack, indicating that they can benefit from these examples for patching the vulnerabilities.

Thu 31 Oct

Displayed time zone: Pacific Time (US & Canada) change

13:30 - 15:00
Code and issue reportResearch Papers at Magnoila
Chair(s): Baishakhi Ray Columbia University, New York; AWS AI Lab
13:30
15m
Talk
PatUntrack: Automated Generating Patch Examples for Issue Reports without Tracked Insecure Code
Research Papers
Ziyou Jiang Institute of Software at Chinese Academy of Sciences, Lin Shi Beihang University, Guowei Yang University of Queensland, Qing Wang Institute of Software at Chinese Academy of Sciences
DOI Pre-print
13:45
15m
Talk
Understanding Code Changes Practically with Small-Scale Language Models
Research Papers
Cong Li Zhejiang University; Ant Group, Zhaogui Xu Ant Group, Peng Di Ant Group, Dongxia Wang Zhejiang University, Zheng Li Ant Group, Qian Zheng Ant Group
14:00
15m
Talk
DRMiner: Extracting Latent Design Rationale from Jira Issue LogsACM SigSoft Distinguished Paper Award
Research Papers
Jiuang Zhao Beihang University, Zitian Yang Beihang University, Li Zhang Beihang University, Xiaoli Lian Beihang University, China, Donghao Yang Beihang University, Xin Tan Beihang University
14:15
15m
Talk
An Empirical Study on Learning-based Techniques for Explicit and Implicit Commit Messages Generation
Research Papers
Zhiquan Huang Sun Yat-sen University, Yuan Huang Sun Yat-sen University, Xiangping Chen Sun Yat-sen University, Xiaocong Zhou School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou 510006, China, Changlin Yang Sun Yat-sen University, Zibin Zheng Sun Yat-sen University
14:30
15m
Talk
RCFG2Vec: Considering Long-Distance Dependency for Binary Code Similarity Detection
Research Papers
Weilong Li School of Computer Science and Engineering,Sun Yat-sen University, Jintian Lu College of Computer Science and Engineering, Jishou University, Ruizhi Xiao School of Computer Science and Engineering,Sun Yat-sen University, Pengfei Shao China Southern Power Grid Digital Grid Group Information and Telecommunication Technology Co., Ltd., Shuyuan Jin School of Computer Science and Engineering,Sun Yat-sen University
14:45
15m
Talk
ChatBR: Automated assessment and improvement of bug report quality using ChatGPT
Research Papers
Lili Bo Yangzhou University, wangjie ji Yangzhou University, Xiaobing Sun Yangzhou University, Ting Zhang Singapore Management University, Xiaoxue Wu Yangzhou University, Ying Wei Yangzhou University