EASE 2024
Tue 18 - Fri 21 June 2024 Salerno, Italy
Thu 20 Jun 2024 16:00 - 16:15 at Room Vietri - Security (2) Chair(s): Muhammad Ali Babar

With the dramatic increase in the number and size of software in the industry, tremendous research has been studied to automatically detect vulnerabilities. However, existing detection methods have limitations in code semantic modeling and detection granularity, which makes them unable to meet the requirements of high accuracy and fine granularity at the same time. In this paper, we propose a general framework, namely VulDL, which can effectively identify whether a given code snippet has a vulnerability and lo-cate the specific code line where the vulnerability resides. VulDL first represents the source code as a novel semantic data structure, namely the adapted code property graph. After that, tree-based and graph-based neural networks are designed, which learn features according to the hierarchies and neighborhoods, and further realize vulnerability identification and localization. Our evaluation shows that VulDL achieves F1-scores of 98.68% and 94.85% in the identification of buffer error and resource management error vulnerabilities and 97.73% on their combined vulnerabilities. On the FFmpeg+QEMU dataset, VulDL achieves an F1-score of 59.62%, which is more effective than existing methods. Besides, VulDL can locate vulnerabilities at the statement granularity with F1-scores of 97.88%, 98.31%, and 99.16% on the evaluated datasets.

Thu 20 Jun

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

16:00 - 17:15
Security (2)Research Papers / Industry at Room Vietri
Chair(s): Muhammad Ali Babar School of Computer Science, The University of Adelaide
16:00
15m
Talk
VulDL: Tree-based and Graph-based Neural Networks for Vulnerability Detection and Localization
Research Papers
Jingzheng Wu Institute of Software, The Chinese Academy of Sciences, Xiang Ling Institute of Software, Chinese Academy of Sciences, Xu Duan Institute of Software, Chinese Academy of Sciences, Tianyue Luo Institute of Software, Chinese Academy of Sciences, Mutian Yang Institute of Software, Chinese Academy of Sciences
16:15
15m
Talk
How the Training Procedure Impacts the Performance of Deep Learning-based Vulnerability Patching
Research Papers
Antonio Mastropaolo William and Mary, USA, Vittoria Nardone University of Molise, Gabriele Bavota Software Institute @ Università della Svizzera Italiana, Massimiliano Di Penta University of Sannio, Italy
16:30
15m
Talk
Reality Check: Assessing GPT-4 in Fixing Real-World Software Vulnerabilities
Research Papers
Zoltán Ságodi University of Szeged, Gabor Antal University of Szeged, Bence Bogenfürst University of Szeged, Martin Isztin University of Szeged, Peter Hegedus University of Szeged, Rudolf Ferenc University of Szeged
16:45
15m
Talk
Does trainer gender make a difference when delivering phishing training? A new experimental design to capture bias
Research Papers
André Palheiros Da Silva Vrije Universiteit, Winnie Bahati Mbaka Vrije Universiteit, Johann Mayer University of Twente, Jan-Willem Bullee University of Twente, Katja Tuma Vrije Universiteit Amsterdam
17:00
15m
Talk
Leveraging Large Language Models for Preliminary Security Risk Analysis: A Mission-Critical Case Study
Industry
Matteo Esposito University of Rome Tor Vergata, Francesco Palagiano Multitel di Lerede Alessandro & C. s.a.s.
DOI Pre-print