Exploiting Library Vulnerability via Migration Based Automating Test Generation (ICSE 2024 - Research Track)

Who

Zirui Chen, Xing Hu, Xin Xia, Yi Gao, Tongtong Xu, David Lo, Xiaohu Yang

Track

ICSE 2024 Research Track

Time Zone

The program is currently displayed in (GMT+01:00) Lisbon.

Use conference time zone: (GMT+01:00) LisbonSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 17 Apr 2024 14:30 - 14:45 at Amália Rodrigues - Evolution 1 Chair(s): Jonathan Sillito

Abstract

In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their projects are affected by the vulnerability, which requires developers to invest substantial effort in assessment. However, existing tools face a series of issues: static analysis tools produce false alarms, dynamic analysis tools require existing tests and test generation tools have low success rates when facing complex vulnerabilities.

Vulnerability exploits, as code snippets provided for reproducing vulnerabilities after disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called VESTA (Vulnerability Exploit-based Software Testing Auto-Generator), which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies. VESTA extends the search-based test generation methods by adding a migration step, ensuring the similarity between the generated test and the vulnerability exploit, which increases the likelihood of detecting potential library vulnerabilities in a project.

We perform experiments on 30 vulnerabilities disclosed in the past five years, involving 60 vulnerability-project pairs, and compare the experimental results with the baseline method, TRANSFER. The success rate of VESTA is 71.7% which is a 53.4% improvement over TRANSFER in the effectiveness of verifying exploitable vulnerabilities.

Zirui Chen

Xing Hu

Zhejiang University

China

Xin Xia

Huawei Technologies

China

Yi Gao

Zhejiang University

Tongtong Xu

Huawei

David Lo

Singapore Management University

Singapore

Xiaohu Yang

Zhejiang University

China

Time Zone

The program is currently displayed in (GMT+01:00) Lisbon.

Use conference time zone: (GMT+01:00) LisbonSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Wed 17 Apr
Displayed time zone: Lisbon change

14:00 - 15:30	Evolution 1Research Track / Journal-first Papers / Demonstrations / Industry Challenge Track at Amália Rodrigues Chair(s): Jonathan Sillito

14:00 15m Talk		Large Language Models are Few-Shot Summarizers: Multi-Intent Comment Generation via In-Context Learning Research Track Mingyang Geng National University of Defense Technology, Shangwen Wang National University of Defense Technology, Dezun Dong NUDT, Haotian Wang National University of Defense Technolog, Ge Li Peking University, Zhi Jin Peking University, Xiaoguang Mao National University of Defense Technology, Liao Xiangke National University of Defense Technology DOI Pre-print
14:15 15m Talk		Block-based Programming for Two-Armed Robots: A Comparative Study Research Track Felipe Fronchetti Virginia Commonwealth University, Nico Ritschel University of British Columbia, Logan Schorr Virginia Commonwealth University, Chandler Barfield Virginia Commonwealth University, Gabriella Chang Virginia Commonwealth University, Rodrigo Spinola Virginia Commonwealth University, Reid Holmes University of British Columbia, David C. Shepherd Louisiana State University DOI Pre-print Media Attached
14:30 15m Talk		Exploiting Library Vulnerability via Migration Based Automating Test Generation Research Track Zirui Chen , Xing Hu Zhejiang University, Xin Xia Huawei Technologies, Yi Gao Zhejiang University, Tongtong Xu Huawei, David Lo Singapore Management University, Xiaohu Yang Zhejiang University
14:45 15m Talk		ReposVul: A Repository-Level High-Quality Vulnerability Dataset Industry Challenge Track Xinchen Wang Harbin Institute of Technology, Ruida Hu Harbin Institute of Technology, Shenzhen, Cuiyun Gao Harbin Institute of Technology, Xin-Cheng Wen Harbin Institute of Technology, Yujia Chen Harbin Institute of Technology, Shenzhen, Qing Liao Harbin Institute of Technology
15:00 7m Talk		JOG: Java JIT Peephole Optimizations and Tests from Patterns Demonstrations Zhiqiang Zang The University of Texas at Austin, Aditya Thimmaiah The University of Texas at Austin, Milos Gligoric The University of Texas at Austin DOI Pre-print
15:07 7m Talk		Predicting the Change Impact of Resolving Defects by Leveraging the Topics of Issue Reports in Open Source Software Systems Journal-first Papers Maram Assi Queen's University, Safwat Hassan University of Toronto, Canada, Stefanos Georgiou Queen's University, Ying Zou Queen's University, Kingston, Ontario
15:14 7m Talk		Assessing the Exposure of Software Changes Journal-first Papers Mehran Meidani University of Waterloo, Maxime Lamothe Polytechnique Montreal, Shane McIntosh University of Waterloo Link to publication Pre-print
15:21 7m Talk		Responding to change over time: A longitudinal case study on changes in coordination mechanisms in large‑scale agile Journal-first Papers Marthe Berntzen University of Oslo, Viktoria Stray University of Oslo, Nils Brede Moe , Rashina Hoda Monash University