Propagation-Based Vulnerability Impact Assessment for Software Supply Chains
This program is tentative and subject to change.
Identifying the impact scope and scale is critical for software supply chain vulnerability assessment. However, existing studies face substantial limitations. First, prior studies either work at coarse package-level granularity—producing many false positives—or fail to accomplish whole-ecosystem vulnerability propagation analysis. Second, although vulnerability assessment indicators like CVSS characterize individual vulnerabilities, no metric exists to specifically quantify the dynamic impact of vulnerability propagation across software supply chains. To address these limitations and enable accurate and comprehensive vulnerability impact assessment, we propose a novel approach: (i) a hierarchical worklist-based algorithm for whole-ecosystem and call-graph-level vulnerability propagation analysis and (ii) the Vulnerability Propagation Scoring System (VPSS), a dynamic metric to quantify the scope and evolution of vulnerability impacts in software supply chains. We implement a prototype of our approach in the Java Maven ecosystem and evaluate it on 100 real-world vulnerabilities. Experimental results demonstrate that our approach enables effective ecosystem-wide vulnerability propagation analysis, and provides a practical, quantitative measure of vulnerability impact through VPSS.
This program is tentative and subject to change.
Tue 18 NovDisplayed time zone: Seoul change
11:00 - 12:30 | |||
11:00 10mTalk | Vulnerability-Affected Versions Identification: How Far Are We? Research Papers Xingchu Chen Institute of Information Engineering, CAS; School of Cyber Security, UCAS, Chengwei Liu Nanyang Technological University, Jialun Cao Hong Kong University of Science and Technology, Yang Xiao Chinese Academy of Sciences, Xinyue Cai Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Yeting Li Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Jingyi Shi Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences, tianqi sun Institute of Information Engineering, Chinese Academy of Sciences, Haiming Chen Institute of Software, Chinese Academy of Sciences, Wei Huo Institute of Information Engineering at Chinese Academy of Sciences | ||
11:10 10mTalk | LOSVER: Line-Level Modifiability Signal-Guided Vulnerability Detection and Classification Research Papers Doha Nam Korea Advanced Institute of Science and Technology, Jongmoon Baik Korea Advanced Institute of Science and Technology | ||
11:20 10mTalk | VERCATION: Precise Vulnerable Open-source Software Version Identification based on Static Analysis and LLM Journal-First Track Yiran Cheng Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, Ting Zhang Monash University, Lwin Khin Shar Singapore Management University, Shouguo Yang Zhongguancun Laboratory, Beijing, China, Chaopeng Dong Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, David Lo Singapore Management University, Shichao Lv Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Zhiqiang Shi Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences | ||
11:30 10mTalk | Not Every Patch is an Island: LLM-Enhanced Identification of Multiple Vulnerability Patches Research Papers Yi Song School of Computer Science, Wuhan University, Dongchen Xie School of Cyber Science and Engineering, Wuhan University, Lin Xu School of Cyber Science and Engineering, Wuhan University, He Zhang School of Computer Science, Wuhan University, Chunying Zhou School of Computer Science, Wuhan University, Xiaoyuan Xie Wuhan University | ||
11:40 10mTalk | Vul-R2: A Reasoning LLM for Automated Vulnerability Repair Research Papers Xin-Cheng Wen Harbin Institute of Technology, Zirui Lin Harbin Institute of Technology, Shenzhen, Yijun Yang Tencent AI Lab, Cuiyun Gao Harbin Institute of Technology, Shenzhen, Deheng Ye Tencent AI Lab | ||
11:50 10mTalk | DeepExploitor: LLM-Enhanced Automated Exploitation of DeepLink Attack in Hybrid Apps Research Papers Zhangyue Zhang Fudan University, Lei Zhang Fudan University, Zhibo Zhang Huazhong University of Science and Technology, Yongheng Liu Fudan University, Zhemin Yang Fudan University, Yuan Zhang Fudan University, Min Yang Fudan University | ||
12:00 10mTalk | Demystifying Cookie Sharing Risks in WebView-based Mobile App-in-app Ecosystems Research Papers Miao Zhang Beijing University of Posts and Telecommunications, Shenao Wang Huazhong University of Science and Technology, Guilin Zheng Beijing University of Posts and Telecommunications, Yanjie Zhao Huazhong University of Science and Technology, Haoyu Wang Huazhong University of Science and Technology | ||
12:10 10mTalk | Hit The Bullseye On The First Shot: Improving LLMs Using Multi-Sample Self-Reward Feedback for Vulnerability Repair Research Papers Rui Jiao Xidian University, Yue Zhang Drexel University, Jinku Li Xidian University, Jianfeng Ma Xidian University | ||
12:20 10mTalk | Propagation-Based Vulnerability Impact Assessment for Software Supply Chains Research Papers Bonan Ruan National University of Singapore, Zhiwei Lin National University of Singapore, Jiahao Liu National University of Singapore, Chuqi Zhang National University of Singapore, Kaihang Ji National University of Singapore, Zhenkai Liang National University of Singapore Pre-print | ||