PG-VulNet: Detect Supply Chain Vulnerabilities in IoT Devices using Pseudo-code and Graphs
Background: With the rapid development of IoT technology, the supply chains of IoT devices have become more powerful and sophisticated, and the security issues introduced by code reuse are becoming more prominent. Detecting and managing vulnerabilities through code similarity detection is therefore of great significance for protecting the security of IoT devices.
Aim: We aim to propose a more accurate, parallel-friendly, and realistic software supply chain vulnerability detection solution for IoT devices.
Method: This paper presents PG-VulNet, which stands for Vulnerability-detection Network based on Pseudo-code Graphs. It is a “multi-model” cross-architecture vulnerability detection solution based on pseudo-code and a Graph Matching Network (GMN). PG-VulNet extracts both behavioral and structural features of pseudo-code to build customized feature graphs and then uses the GMN to detect supply chain vulnerabilities based on these graphs.
Results: The experiments show that PG-VulNet achieves an average detection accuracy of 99.14%, significantly higher than existing approaches such as Gemini, VulSeeker, FIT, and Asteria. PG-VulNet also excels in detection overhead and false alarms. In the real-world evaluation, PG-VulNet detected 690 known vulnerabilities in 1,611 firmware images.
Conclusions: PG-VulNet can effectively detect the vulnerabilities introduced by the software supply chain in IoT firmware and is well suited for large-scale detection. Compared with existing approaches, PG-VulNet has significant advantages.
Fri 23 Sep (displayed time zone: Athens)
13:30 - 15:00 | Session 5B - Development & Testing & Behavioral 2 | ESEM Technical Papers at Sonck | Chair(s): Sheila Reinehr (Pontifícia Universidade Católica do Paraná (PUCPR))
13:30 | 15m | Full-paper | Potential Technical Debt and Its Resolution in Code Reviews: An Exploratory Study of the OpenStack and Qt Communities | ESEM Technical Papers | Liming Fu (Wuhan University), Peng Liang (Wuhan University, China), Zeeshan Rasheed (Wuhan University), Zengyang Li (Central China Normal University), Amjed Tahir (Massey University), Xiaofeng Han (Wuhan University, China)
13:45 | 15m | Full-paper | MMF3: Neural Code Summarization Based on Multi-Modal Fine-Grained Feature Fusion | ESEM Technical Papers | Zheng Ma (Shandong Normal University), Yuexiu Gao (Shandong Normal University), Lei Lyu (Shandong Normal University), Chen Lyu (Shandong Normal University)
14:00 | 15m | Full-paper | PG-VulNet: Detect Supply Chain Vulnerabilities in IoT Devices using Pseudo-code and Graphs | ESEM Technical Papers | Xin Liu (Lanzhou University), Yixiong Wu (Institute for Network Science and Cyberspace of Tsinghua University), Qingchen Yu (Zhejiang University), Shangru Song (Beijing Institute of Technology), Yue Liu (Southeast University; Qi An Xin Group Corp.), Qingguo Zhou (Lanzhou University), Jianwei Zhuge (Tsinghua University)
14:15 | 15m | Full-paper | Heterogeneous Graph Neural Networks for Software Effort Estimation | ESEM Technical Papers
14:30 | 15m | Full-paper | Meetings and Mood - Related or Not? Insights from Student Software Projects | ESEM Technical Papers | Jil Klünder (Leibniz Universität Hannover), Oliver Karras (TIB - Leibniz Information Centre for Science and Technology)
14:45 | 15m | Full-paper | A Tale of Two Tasks: Automated Issue Priority Prediction with Deep Multi-task Learning | ESEM Technical Papers | Yingling Li, Xing Che, Yuekai Huang (Institute of Software, Chinese Academy of Sciences), Junjie Wang (Institute of Software at Chinese Academy of Sciences), Song Wang (York University), Yawen Wang (Institute of Software, Chinese Academy of Sciences), Qing Wang (Institute of Software at Chinese Academy of Sciences)