Efficient and Robust Security-Patch Localization for Disclosed OSS Vulnerabilities with Fine-Tuned LLMs in an Industrial Setting
Security patch localization, which links disclosed Open-Source software (OSS) vulnerabilities to corresponding patches, has be- come a practical technique to mitigate the risk of OSS vulnerabilities in a timely manner. While existing patch localization approaches extensively focus on estimating the correlation between individual patches and Common Vulnerabilities and Exposures (CVEs), they often fail to address two major industrial requirements that make a tool of security patch localization desirable in industrial settings: (1) efficiency when inspecting an enormous number of commits per vulnerability and (2) robustness to handle confusing patches (related but non-fixing commits). Toward addressing the preceding industrial requirements, in this paper, we report our experiences of developing and deploying Taper, a two-stage ap- proach for efficiently and robustly locating security patches via mining the temporal relations among commits and CVEs. In the first stage, Taper extracts the fixed version and affected-version information from CVE descriptions to narrow down the inspection scope of commits, thus significantly improving the efficiency. In the second stage, Taper collects temporally co-located patches around the genuine security-patch commit as hard negative examples for security-patch localization. By fine-tuning a model with these hard negative samples, Taper avoids recognizing confusing patches as security patches, thus improving patch-localization precision and robustness. We evaluate Taper against 2,128 CVEs from 978 OSS projects, which have a balanced distribution of programming languages and are consistent with industrial settings. Evaluation results show that Taper substantially outperforms a state-of-the-art approach named PatchFinder, improving the absolute MRR and Recall@1 by 0.422 and 0.541, respectively. Taper has been deployed at Huawei Cloud since October 2024. During 800 hours of operation, Taper helps locate over 52,140 security patches, providing daily service of security-patch localization for the Huawei company and Huawei Cloud users. We summarize three major lessons learned from developing and deploying Taper.
Tue 24 JunDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
10:30 - 12:30 | SecurityJournal First / Research Papers / Industry Papers at Aurora B Chair(s): Zhenchang Xing CSIRO’s Data61; Australian National University | ||
10:30 20mTalk | Come for Syntax, Stay for Speed, Write Secure Code: An Empirical Study of Security Weaknesses in Julia Programs Journal First Yue Zhang Auburn University, Justin Murphy Tennessee Tech University, Akond Rahman Auburn University | ||
10:50 20mTalk | AIM: Automated Input Set Minimization for Metamorphic Security Testing Journal First Nazanin Bayati Chaleshtari University of Ottawa, Yoann Marquer University of Luxembourg, Fabrizio Pastore University of Luxembourg, Lionel Briand University of Ottawa, Canada; Lero centre, University of Limerick, Ireland | ||
11:10 20mTalk | Understanding Industry Perspectives of Static Application Security Testing (SAST) Evaluation Research Papers Yuan Li Zhejiang University, Peisen Yao Zhejiang University, Kan Yu Ant Group, Chengpeng Wang Hong Kong University of Science and Technology, Yaoyang Ye Zhejiang University, Song Li The State Key Laboratory of Blockchain and Data Security, Zhejiang University, Meng Luo The State Key Laboratory of Blockchain and Data Security, Zhejiang University, Yepang Liu Southern University of Science and Technology, Kui Ren Zhejiang University DOI | ||
11:30 20mTalk | Efficient and Robust Security-Patch Localization for Disclosed OSS Vulnerabilities with Fine-Tuned LLMs in an Industrial Setting Industry Papers Dezhi Ran Peking University, Lin Li Huawei Cloud Computing Technologies Co., Ltd., Liuchuan Zhu Huawei Cloud Computing Technologies Co., Ltd., Yuan Cao Peking University, Landelong Zhao Peking University, Xin Tan Beihang University, Guangtai Liang Huawei Cloud Computing Technologies, Qianxiang Wang Huawei Technologies Co., Ltd, Tao Xie Peking University | ||
11:50 20mTalk | It’s Acting Odd! Exploring Equivocal Behaviors of Goodware Research Papers Gregorio Dalia University of Sannio, Andrea Di Sorbo University of Sannio, Corrado A. Visaggio University of Sannio, Italy, Gerardo Canfora University of Sannio DOI | ||
12:10 20mTalk | On the Unnecessary Complexity of Names in X.509 and Their Impact on Implementations Research Papers Yuteng Sun The Chinese University of Hong Kong, Joyanta Debnath Stony Brook University, Wenzheng Hong Independent, Omar Chowdhury Stony Brook University, Sze Yiu Chau The Chinese University of Hong Kong DOI | ||
Aurora B is the second room in the Aurora wing.
When facing the main Cosmos Hall, access to the Aurora wing is on the right, close to the side entrance of the hotel.