Write a Blog >>
ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Wed 17 May 2023 16:15 - 16:30 at Meeting Room 103 - SE for security 1 Chair(s): Abhik Roychoudhury

Identifying security patches via code commits to allow early warnings and timely fixes for Open Source Software (OSS) has received increasing attention. However, the existing detection methods can only identify the presence of a patch (i.e., a binary classification) but fail to pinpoint the vulnerability type. In this work, we take the first step to categorize the security patches into fine-grained vulnerability types. Specifically, we use the Common Weakness Enumeration (CWE) as the label and perform fine-grained classification using categories at the third level of the CWE tree. We first formulate the task as a Hierarchical Multi-label Classification (HMC) problem, i.e., inferring a path (a sequence of CWE nodes) from the root of the CWE tree to the node at the target depth. We then propose an approach named TreeVul with a hierarchical and chained architecture, which manages to utilize the structure information of the CWE tree as prior knowledge of the classification task. We collect a large security patch dataset from NVD, consisting of 6,541 commits from 1,560 GitHub OSS repositories. Experimental results show that TreeVul significantly outperforms the best performing baselines, with improvements of 5.9%, 25.0% and 7.7% in terms of weighted F1-score, macro F1-score and MCC, respectively. We further conduct a user study and a case study to verify the practical value of TreeVul in enriching the binary patch detection results and improving the data quality of NVD, respectively.

Wed 17 May

Displayed time zone: Hobart change

15:45 - 17:15
15:45
15m
Talk
TAINTMINI: Detecting Flow of Sensitive Data in Mini-Programs with Static Taint Analysis
Technical Track
Chao Wang , Ronny Ko The Ohio State University, Yue Zhang The Ohio State University, Yuqing Yang The Ohio State University, Zhiqiang Lin The Ohio State University
16:00
15m
Talk
AChecker: Statically Detecting Smart Contract Access Control Vulnerabilities
Technical Track
Asem Ghaleb University of British Columbia, Julia Rubin University of British Columbia, Canada, Karthik Pattabiraman University of British Columbia
16:15
15m
Talk
Fine-grained Commit-level Vulnerability Type Prediction By CWE Tree Structure
Technical Track
Shengyi Pan Zhejiang University, Lingfeng Bao Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Shanping Li Zhejiang University
Pre-print
16:30
15m
Paper
Security Thinking in Online Freelance Software Development
SEIS - Software Engineering in Society
Irum Rauf The Open University, UK, Marian Petre School of Computing and Communications, The Open University, UK, Thein Tun School of Computing and Communications,The Open University, UK; Simply Business, UK, Tamara Lopez The Open University, Bashar Nuseibeh The Open University, UK; Lero, University of Limerick, Ireland
16:45
7m
Talk
Open Science in Software Engineering: A Study on Deep Learning-Based Vulnerability Detection
Journal-First Papers
Yu Nong Washington State University, Rainy Sharma Washington State University, Wahab Hamou-Lhadj Concordia University, Montreal, Canada, Xiapu Luo The Hong Kong Polytechnic University, Haipeng Cai Washington State University
Link to publication DOI Authorizer link Pre-print
16:52
8m
Talk
Training for Security: Planning the Use of a SAT in the Development Pipeline of Web Apps
SEET - Software Engineering Education and Training
Sabato Nocera University of Salerno, Simone Romano University of Salerno, Rita Francese University of Salerno, Giuseppe Scanniello University of Salerno
17:00
15m
Talk
VulGen: Realistic Vulnerability Generation Via Pattern Mining and Deep Learning
Technical Track
Yu Nong Washington State University, Yuzhe Ou University of Texas at Dallas, Michael Pradel University of Stuttgart, Feng Chen University of Texas at Dallas, Haipeng Cai Washington State University
Pre-print