The exponential increase in software vulnerabilities has created an urgent need for automatic vulnerability repair (AVR) solutions. Recent research has formulated AVR as a sequence generation problem and has leveraged large language models (LLMs) to address this problem. Typically, these approaches prompt or fine-tune LLMs to generate repairs for vulnerabilities directly. Although these methods show state-of-the-art performance, they face the following challenges: (1) Lack of high-quality, vulnerability-related reasoning data. Current approaches primarily rely on foundation models that mainly encode general programming knowledge. Without vulnerability-related reasoning data, they tend to fail to capture the diverse vulnerability repair patterns. (2) Hard to verify the intermediate vulnerability repair process during LLM training. Existing reinforcement learning methods often leverage intermediate execution feedback from the environment (e.g., sandbox-based execution results) to guide reinforcement learning training. In contrast, the vulnerability repair process generally lacks such intermediate, verifiable feedback, which poses additional challenges for model training.
To address these challenges, we propose to model the vulnerability repair task from a reasoning perspective and train a reasoning LLM termed \textit{Vulnerability Reasoner and Repair} (Vul-R2) which consists of two key modules: (1) a domain-aware reasoning learning module, which comprises a reasoning answer construction component, a reasoning data filtering process, and a supervised fine-tuning process for learning vulnerability-related reasoning knowledge; and (2) a curriculum-based verifiable rewarded training module, which comprises dynamically reinforcement learning with verifiable rewards paradigms based on multiple-choice question answering in an easy stage and character-level matching in a hard stage. We evaluate Vul-R2 on the real-world C/C++ dataset PrimeVul to demonstrate its effectiveness in vulnerability repair. Specifically, Vul-R2 outperforms the best baseline by 11.27% for exact match (EM) and successfully repairs 49 additional vulnerabilities. Furthermore, we demonstrate the effectiveness of the proposed paradigm, fine-tuning \tool Vul-R2on PrimeVul leads to improved EM performance of 8.78% on a human curated dataset SVEN, even without additional training.
Tue 18 NovDisplayed time zone: Seoul change
11:00 - 12:30 | |||
11:00 10mTalk | Vulnerability-Affected Versions Identification: How Far Are We? Research Papers Xingchu Chen Institute of Information Engineering, CAS; School of Cyber Security, UCAS, Chengwei Liu Nanyang Technological University, Jialun Cao Hong Kong University of Science and Technology, Yang Xiao Chinese Academy of Sciences, Xinyue Cai Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Yeting Li Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Jingyi Shi Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences, tianqi sun Institute of Information Engineering, Chinese Academy of Sciences, Haiming Chen Institute of Software, Chinese Academy of Sciences, Wei Huo Institute of Information Engineering at Chinese Academy of Sciences | ||
11:10 10mTalk | LOSVER: Line-Level Modifiability Signal-Guided Vulnerability Detection and Classification Research Papers Doha Nam Korea Advanced Institute of Science and Technology, Jongmoon Baik Korea Advanced Institute of Science and Technology | ||
11:20 10mTalk | VERCATION: Precise Vulnerable Open-source Software Version Identification based on Static Analysis and LLM Journal-First Yiran Cheng Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, Chinaï¼›, Ting Zhang Monash University, Lwin Khin Shar Singapore Management University, Shouguo Yang Zhongguancun Laboratory, Beijing, China, Chaopeng Dong Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, David Lo Singapore Management University, Shichao Lv Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Zhiqiang Shi Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences | ||
11:30 10mTalk | Not Every Patch is an Island: LLM-Enhanced Identification of Multiple Vulnerability Patches Research Papers Yi Song School of Computer Science, Wuhan University, Dongchen Xie School of Cyber Science and Engineering, Wuhan University, Lin Xu School of Cyber Science and Engineering, Wuhan University, He Zhang School of Computer Science, Wuhan University, Chunying Zhou School of Computer Science, Wuhan University, Xiaoyuan Xie Wuhan University | ||
11:40 10mTalk | Vul-R2: A Reasoning LLM for Automated Vulnerability Repair Research Papers Xin-Cheng Wen Harbin Institute of Technology, Zirui Lin Harbin Institute of Technology, Shenzhen, Yijun Yang Tencent AI Lab, Cuiyun Gao Harbin Institute of Technology, Shenzhen, Deheng Ye Tencent AI Lab | ||
11:50 10mTalk | DeepExploitor: LLM-Enhanced Automated Exploitation of DeepLink Attack in Hybrid Apps Research Papers Zhangyue Zhang Fudan University, Lei Zhang Fudan University, Zhibo Zhang Huazhong University of Science and Technology, Yongheng Liu Fudan University, Zhemin Yang Fudan University, Yuan Zhang Fudan University, Min Yang Fudan University | ||
12:00 10mTalk | Demystifying Cookie Sharing Risks in WebView-based Mobile App-in-app Ecosystems Research Papers Miao Zhang Beijing University of Posts and Telecommunications, Shenao Wang Huazhong University of Science and Technology, Guilin Zheng Beijing University of Posts and Telecommunications, Yanjie Zhao Huazhong University of Science and Technology, Haoyu Wang Huazhong University of Science and Technology | ||
12:10 10mTalk | Hit The Bullseye On The First Shot: Improving LLMs Using Multi-Sample Self-Reward Feedback for Vulnerability Repair Research Papers Rui Jiao Xidian University, Yue Zhang Drexel University, Jinku Li Xidian University, Jianfeng Ma Xidian University | ||
12:20 10mTalk | Propagation-Based Vulnerability Impact Assessment for Software Supply Chains Research Papers Bonan Ruan National University of Singapore, Zhiwei Lin National University of Singapore, Jiahao Liu National University of Singapore, Chuqi Zhang National University of Singapore, Kaihang Ji National University of Singapore, Zhenkai Liang National University of Singapore Pre-print | ||