EASE 2024
Tue 18 - Fri 21 June 2024 Salerno, Italy
Thu 20 Jun 2024 16:15 - 16:30 at Room A - Security (2) Chair(s): Muhammad Ali Babar

Generative deep learning (DL) models have been successfully adopted for vulnerability patching. However, such models require the availability of a large dataset of patches to learn from. To overcome this issue, researchers have proposed to start from models pre-trained with general knowledge, either on the programming language, or on similar tasks such as bug fixing. Other alternatives, not investigated in this context yet, foresee the use of prompt tuning, i.e., transforming the fine-tuning instances to better exploit the knowledge acquired during pre-training. Despite the efforts in the area of automated vulnerability patching, there is a lack of systematic studies on how these different training procedures impact the performance of DL models for such a task. This paper provides a manyfold contribution to bridge this gap, by (i) comparing existing solutions of self-supervised and supervised pre-training for vulnerability patching; and (ii) for the first time, experimenting with different kinds of prompt-tuning for this task. The study required to train/test 23 DL models. We found that a supervised pre-training focused on bug-fixing, while expensive in terms of data collection, substantially improves DL-based vulnerability patching. When applying prompt tuning on top of this supervised pre-trained model, there is no significant gain in performance. Instead, prompt-tuning is an effective and cheap solution to substantially boost the performance of self-supervised pre-trained models, i.e., those not relying on the bug-fixing pre-training.

Thu 20 Jun

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

16:00 - 17:15
Security (2)Research Papers / Industry at Room A
Chair(s): Muhammad Ali Babar School of Computer Science, The University of Adelaide
16:00
15m
Talk
VulDL: Tree-based and Graph-based Neural Networks for Vulnerability Detection and Localization
Research Papers
Jingzheng Wu Institute of Software, The Chinese Academy of Sciences, Xiang Ling Institute of Software, Chinese Academy of Sciences, Xu Duan Institute of Software, Chinese Academy of Sciences, Tianyue Luo Institute of Software, Chinese Academy of Sciences, Mutian Yang Institute of Software, Chinese Academy of Sciences
16:15
15m
Talk
How the Training Procedure Impacts the Performance of Deep Learning-based Vulnerability Patching
Research Papers
Antonio Mastropaolo Università della Svizzera italiana, Vittoria Nardone University of Molise, Gabriele Bavota Software Institute @ Università della Svizzera Italiana, Massimiliano Di Penta University of Sannio, Italy
16:30
15m
Talk
Reality Check: Assessing GPT-4 in Fixing Real-World Software Vulnerabilities
Research Papers
Zoltán Ságodi University of Szeged, Gabor Antal University of Szeged, Bence Bogenfürst University of Szeged, Martin Isztin University of Szeged, Peter Hegedus University of Szeged, Rudolf Ferenc University of Szeged
16:45
15m
Talk
Does trainer gender make a difference when delivering phishing training? A new experimental design to capture bias
Research Papers
André Palheiros Da Silva Vrije Universiteit, Winnie Bahati Mbaka Vrije Universiteit, Johann Mayer University of Twente, Jan-Willem Bullee University of Twente, Katja Tuma Vrije Universiteit Amsterdam
17:00
15m
Talk
Leveraging Large Language Models for Preliminary Security Risk Analysis: A Mission-Critical Case Study
Industry
Matteo Esposito University of Rome Tor Vergata, Francesco Palagiano Multitel di Lerede Alessandro & C. s.a.s.
DOI Pre-print