ASE 2024
Sun 27 October - Fri 1 November 2024 Sacramento, California, United States

This program is tentative and subject to change.

Tue 29 Oct 2024 11:00 - 11:15 at Gardenia - Vulnerability and security1 Chair(s): Curtis Atkisson

The number of disclosed vulnerabilities in open-source projects has been increasing steadily over the years, and thus it is important to deploy patches to repair security vulnerabilities in a timely manner. However, due to the widespread reuse and customization of opensource software, there are often multiple versions or branches of the same project co-exist in the ecosystem. Therefore, it is often challenging and tricky to guarantee that an exposed vulnerability can be repaired thoroughly. Driven by this, plenty of 1-day vulnerability analysis tools have been proposed recently, such as function-level vulnerability detection and patch presence test tools. Despite the fact that code evolution is common for open-source projects, existing analysis tools often neglect the important fact that the patched code is also constantly evolving. In this study, we take the first look to systematically investigate the phenomenon of security patch evolution in open-source projects. In particular, we performed extensive experiments on a large-scale dataset containing 1,046 distinct CVEs with 2,633 patches collected from popular open-source projects (e.g., linux, openssl). This study reveals interesting yet important findings with respect to the aspects of patch evolution frequency, patch evolution patterns, and the evolution impact on downstream 1-day vulnerability analysis tools. We believe that this study can shed important light on future researches on patch analysis.

This program is tentative and subject to change.

Tue 29 Oct

Displayed time zone: Pacific Time (US & Canada) change

10:30 - 12:00
Vulnerability and security1Research Papers / Tool Demonstrations at Gardenia
Chair(s): Curtis Atkisson UW
10:30
15m
Talk
REACT: IR-Level Patch Presence Test for Binary
Research Papers
Qi Zhan Zhejiang University, Xing Hu Zhejiang University, Xin Xia Huawei, Shanping Li Zhejiang University
10:45
15m
Talk
Snopy: Bridging Sample Denoising with Causal Graph Learning for Effective Vulnerability Detection
Research Papers
Sicong Cao Yangzhou University, Xiaobing Sun Yangzhou University, Xiaoxue Wu Yangzhou University, David Lo Singapore Management University, Lili Bo Yangzhou University, Bin Li Yangzhou University, Xiaolei Liu China Academy of Engineering Physics, Xingwei Lin Zhejiang University, Wei Liu Nanjing University
Media Attached
11:00
15m
Talk
Unveiling the Characteristics and Impact of Security Patch Evolution
Research Papers
Zifan Xie Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Zichao Wei Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology
Media Attached
11:15
15m
Talk
Compositional Security Analysis of Dynamic Component-based Systems
Research Papers
Narges Khakpour Newcastle University, UK, Charilaos Skandylas Linnaeus University
11:30
15m
Talk
Vision: Identifying Affected Library Versions for Open Source Software Vulnerabilities
Research Papers
Susheng Wu Fudan University, Ruisi Wang Fudan University, Kaifeng Huang Tongji University, Yiheng Cao Fudan University, Wenyan Song Fudan University, Zhuotong Zhou Fudan University, China, Yiheng Huang Fudan University, Bihuan Chen Fudan University, Xin Peng Fudan University
Media Attached
11:45
10m
Talk
VulZoo: A Comprehensive Vulnerability Intelligence Dataset
Tool Demonstrations
Bonan Ruan National University of Singapore, Jiahao Liu National University of Singapore, Weibo Zhao National University of Singapore, Zhenkai Liang National University of Singapore
Hide past events