VulAdvisor: Natural Language Suggestion Generation for Software Vulnerability Repair
Software vulnerabilities pose serious threats to the security of modern software systems. Automated vulnerability repair (AVR) has gained attention as a potential solution to accelerate the remediation of vulnerabilities. However, existing AVR approaches often only generate patches under specific preconditions, which may not align with developers’ current repair practices.
In this paper, we introduce VulAdvisor, an automated approach that generates natural language suggestions to guide developers or AVR tools in repairing vulnerabilities. VulAdvisor comprises two main components: oracle extraction and suggestion learning. To address the challenge of limited historical data, we propose an oracle extraction method that uses ChatGPT to construct a comprehensive and high-quality dataset. For suggestion learning, we build on a supervised fine-tuned CodeT5 model, integrating local context into its Multi-Head Attention and introducing a repair action loss, to improve the relevance and meaningfulness of the generated suggestions.
Extensive experiments on a large-scale dataset from real-world C/C++ projects demonstrate the effectiveness of VulAdvisor, surpassing several baselines in terms of lexical and semantic metrics. Additionally, we show that the generated suggestions enhance the patch generation capabilities of existing AVR tools. Human evaluations further validate the quality and utility of VulAdvisor’s suggestions, confirming their potential to improve software vulnerability repair practices.
Session schedule (Tue 29 Oct; displayed time zone: Pacific Time (US & Canada))

16:30 - 17:30 | Program repair 1 | Research Papers / Tool Demonstrations / NIER Track | Room: Magnolia | Chair(s): Vikram Nitin (Columbia University)

16:30 (15m, Talk) | Enhancing the Efficiency of Automated Program Repair via Greybox Analysis | Research Papers | YoungJae Kim (Ulsan National Institute of Science and Technology), Yechan Park (UNIST), Seungheon Han (UNIST), Jooyong Yi (UNIST)

16:45 (15m, Talk) | VulAdvisor: Natural Language Suggestion Generation for Software Vulnerability Repair | Research Papers | Jian Zhang (Nanyang Technological University), Chong Wang (Nanyang Technological University), Anran Li (Nanyang Technological University), Wenhan Wang (University of Alberta), Li Tianlin (Nanyang Technological University), Yang Liu (Nanyang Technological University)

17:00 (10m, Talk, recorded) | Automated Repair of Multi-fault Programs: Obstacles, Approaches, and Prospects | NIER Track | Omar I. Al Bataineh (Gran Sasso Science Institute (GSSI))

17:10 (10m, Talk) | FixKit: A Program Repair Collection for Python | Tool Demonstrations | Marius Smytzek (CISPA Helmholtz Center for Information Security), Martin Eberlein (Humboldt University of Berlin), Kai Werk (Humboldt-Universität zu Berlin), Lars Grunske (Humboldt-Universität zu Berlin), Andreas Zeller (CISPA Helmholtz Center for Information Security)