Timely patching (i.e., the act of applying code changes to a program source code) is paramount to safeguard users and maintainers against dire consequences of malicious attacks. In practice, patching is prioritized following the nature of the code change that is committed in the code repository. When such a change is labeled as being security-relevant, i.e., as fixing a vulnerability, maintainers rapidly spread the change, and users are notified about the need to update to a new version of the library or of the application. Unfortunately, oftentimes, some security-relevant changes go unnoticed as they represent silent fixes of vulnerabilities. In this paper, we propose SSPCATCHER, a Co-Training-based approach to catch security patches (i.e., patches that address vulnerable code) as part of an automatic monitoring service of code repositories. Leveraging different classes of features, we empirically show that such automation is feasible and can yield a precision of over 80% in identifying security patches, with an unprecedented recall of over 80%. Beyond such a benchmarking with ground truth data which demonstrates an improvement over the state-of-the-art, we confirmed that SSPCATCHER can help catch security patches that were not reported as such.
Fri 19 MayDisplayed time zone: Hobart change
15:45 - 17:15 | Vulnerability testing and patchingTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105 Chair(s): Cristian Cadar Imperial College London, UK | ||
15:45 15mTalk | Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation Technical Track Jiamou Sun CSIRO's Data61, Zhenchang Xing , Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61, Thong Hoang Data61, CSIRO, Dehai Zhao Australian National University, Australia | ||
16:00 15mTalk | Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects Technical Track Lyuye Zhang Nanyang Technological University, Chengwei Liu Nanyang Technological University, Singapore, Zhengzi Xu Nanyang Technological University, Sen Chen Tianjin University, Lingling Fan Nankai University, Lida Zhao Nanyang Technological University, Wu Jiahui Nanyang Technological University, Yang Liu Nanyang Technological University | ||
16:15 15mTalk | Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs Technical Track Davide Corradini University of Verona, Michele Pasqua University of Verona, Mariano Ceccato University of Verona Pre-print | ||
16:30 7mTalk | Patchmatch: A Tool for Locating Patches of Open Source Project Vulnerabilities DEMO - Demonstrations Kedi Shen Zhejiang university city college, Yun Zhang Zhejiang University City College, Lingfeng Bao Zhejiang University, Zhiyuan Wan Zhejiang University, Zhuorong Li Zhejiang university city college, Minghui Wu Zhejiang University City College} | ||
16:37 8mTalk | Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats Journal-First Papers Giorgio Di Tizio University of Trento, Michele Armellini University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam | ||
16:45 7mTalk | SSPCatcher: Learning to Catch Security Patches Journal-First Papers Arthur D. Sawadogo Université du Québec à Montréal, Tegawendé F. Bissyandé SnT, University of Luxembourg, Naouel Moha École de Technologie Supérieure (ETS), Kevin Allix CentraleSupelec Rennes, Jacques Klein University of Luxembourg, Li Li Beihang University, Yves Le Traon University of Luxembourg, Luxembourg | ||
16:52 15mTalk | CoLeFunDa: Explainable Silent Vulnerability Fix Identification Technical Track Jiayuan Zhou Huawei, Michael Pacheco Centre for Software Excellence, Huawei, Jinfu Chen Centre for Software Excellence, Huawei, Canada, Xing Hu Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Ahmed E. Hassan Queen’s University | ||