Write a Blog >>
ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Fri 19 May 2023 16:52 - 17:07 at Meeting Room 105 - Vulnerability testing and patching Chair(s): Cristian Cadar

It is a common practice for OSS users to leverage security advisories to monitor the newly disclosed OSS vulnerabilities and the patch for vulnerability remediation. However, it is common that the vulnerability fixes are publicly available one week earlier and such a time gap may provide an advantage for attackers to develop exploits. Hence, it is important for OSS users to sense the fix as early as possible so that the vulnerability can be remediated before it is exploited. Due to the vulnerability disclosure policy, vulnerabilities are normally silently fixed, which means the fix should not indicate any vulnerability information. In this case, even if the fix is identified, it is hard for OSS users to understand the vulnerability and further evaluate the impact. Therefore, for better vulnerability early sensing, the identification of silent fixes and the corresponding explanations, e.g., the corresponding common weakness enumeration (CWE) and exploitability rating, are equally important.

However, it is challenging to identify silent fixes and provide explanations due to the limited and diverse data. To tackle the challenge, we propose \textit{CoLeFunDa}, which is a framework consisting of a \textbf{Co}ntrastive \textbf{Le}arner and FunDa, which is a novel approach for \textbf{Fun}ction change \textbf{Da}ta augmentation. FunDa first increases the fix data (i.e., code changes) at the function level with unsupervised and supervised strategies. Then the contrastive learner leverages contrastive learning to effectively train a function change encoder, FCBERT, from diverse fix data. Finally, we leverage FCBERT to further fine-tune three downstream tasks, i.e., automated silent fix identification, CWE category classification, and exploitability rating classification, respectively. Our result shows that \textit{CoLeFunDa} outperforms all the state-of-art baselines in all downstream tasks. We also conduct a survey to verify the effectiveness of \textit{CoLeFunDa} in practical usage. The result shows that \textit{CoLeFunDa} can categorize 62.5% (25 out of 40) CVEs with correct CWE categories within the top 2 recommendations.

Fri 19 May

Displayed time zone: Hobart change

15:45 - 17:15
Vulnerability testing and patchingTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105
Chair(s): Cristian Cadar Imperial College London, UK
15:45
15m
Talk
Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation
Technical Track
Jiamou Sun CSIRO's Data61, Zhenchang Xing , Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61, Thong Hoang Data61, CSIRO, Dehai Zhao Australian National University, Australia
16:00
15m
Talk
Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java ProjectsDistinguished Paper Award
Technical Track
Lyuye Zhang Nanyang Technological University, Chengwei Liu Nanyang Technological University, Singapore, Zhengzi Xu Nanyang Technological University, Sen Chen Tianjin University, Lingling Fan Nankai University, Lida Zhao Nanyang Technological University, Wu Jiahui Nanyang Technological University, Yang Liu Nanyang Technological University
16:15
15m
Talk
Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs
Technical Track
Davide Corradini University of Verona, Michele Pasqua University of Verona, Mariano Ceccato University of Verona
Pre-print
16:30
7m
Talk
Patchmatch: A Tool for Locating Patches of Open Source Project Vulnerabilities
DEMO - Demonstrations
Kedi Shen Zhejiang university city college, Yun Zhang Zhejiang University City College, Lingfeng Bao Zhejiang University, Zhiyuan Wan Zhejiang University, Zhuorong Li Zhejiang university city college, Minghui Wu Zhejiang University City College}
16:37
8m
Talk
Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats
Journal-First Papers
Giorgio Di Tizio University of Trento, Michele Armellini University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam
16:45
7m
Talk
SSPCatcher: Learning to Catch Security Patches
Journal-First Papers
Arthur D. Sawadogo Université du Québec à Montréal, Tegawendé F. Bissyandé SnT, University of Luxembourg, Naouel Moha École de Technologie Supérieure (ETS), Kevin Allix CentraleSupelec Rennes, Jacques Klein University of Luxembourg, Li Li Beihang University, Yves Le Traon University of Luxembourg, Luxembourg
16:52
15m
Talk
CoLeFunDa: Explainable Silent Vulnerability Fix Identification
Technical Track
Jiayuan Zhou Huawei, Michael Pacheco Centre for Software Excellence, Huawei, Jinfu Chen Centre for Software Excellence, Huawei, Canada, Xing Hu Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Ahmed E. Hassan Queen’s University