The number of vulnerabilities reported in open source software has increased substantially in recent years. Security patches provide the necessary measures to protect software from attacks and vulnerabilities. In practice, it is difficult to identify whether patches have been integrated into software, especially if we only have binary files. Therefore, the ability to test whether a patch is applied to the target binary, a.k.a. patch presence test, is crucial for practitioners. However, it is challenging to obtain accurate semantic information from patches, which could lead to incorrect results.
In this paper, we propose a new patch presence test framework named PPT4J (Patch Presence Test for Java Binaries). PPT4J is designed for open-source Java libraries. It takes Java binaries as input, extracts semantic information from patches, and uses feature-based techniques to identify patch lines in the binaries. To evaluate the effectiveness of our proposed approach PPT4J, we construct a dataset with binaries that include 110 vulnerabilities. The results show that PPT4J achieves an F1 score of 98.5% with reasonable efficiency, improving the baseline by 15.6%. Furthermore, we conduct an in-the-wild evaluation of PPT4J on JetBrains IntelliJ IDEA. The results suggest that a third-party library included in the software is not patched for two CVEs, and we have reported this potential security problem to the vendor.
Wed 17 Apr (displayed time zone: Lisbon)

16:00 - 17:30 | Session: Program binaries - evolvability | Research Track / Software Engineering in Practice / Demonstrations | Room: Amália Rodrigues | Chair(s): Auri Vincenzi (Federal University of São Carlos)

16:00 | 15m Talk | Cross-Inlining Binary Function Similarity Detection | Research Track | Ang Jia, Ming Fan, Xi Xu, Wuxia Jin, Haijun Wang, Ting Liu (Xi'an Jiaotong University) | DOI, Pre-print

16:15 | 15m Talk | BinaryAI: Binary Software Composition Analysis via Intelligent Binary Source Code Matching | Research Track | Ling Jiang, Junwen An, Huihui Huang (Southern University of Science and Technology), Qiyi Tang, Sen Nie, Shi Wu (Tencent Security Keen Lab), Yuqun Zhang (Southern University of Science and Technology)

16:30 | 15m Talk | PPT4J: Patch Presence Test for Java Binaries | Research Track | Zhiyuan Pan, Xing Hu (Zhejiang University), Xin Xia (Huawei Technologies), Xian Zhan (Southern University of Science and Technology), David Lo (Singapore Management University), Xiaohu Yang (Zhejiang University)

16:45 | 15m Talk | Code Impact Beyond Disciplinary Boundaries: Constructing A Multidisciplinary Dependency Graph and Analyzing Cross-Boundary Impact | Software Engineering in Practice | Gengyi Sun, Mehran Meidani (University of Waterloo), Sarra Habchi, Mathieu Nayrolles (Ubisoft Montréal), Shane McIntosh (University of Waterloo) | Pre-print

17:00 | 7m Talk | The Devil Is in the Command Line: Associating the Compiler Flags With the Binary and Build Metadata | Software Engineering in Practice | Gunnar Kudrjavets (Amazon Web Services, USA), Aditya Kumar (Google), Jeff Thomas (Meta Platforms, Inc.), Ayushi Rastogi (University of Groningen, The Netherlands) | DOI, Pre-print

17:07 | 7m Talk | Verifying and Displaying Move Smart Contract Source Code for the Sui Blockchain | Demonstrations | Rijnard van Tonder (Mysten Labs, Inc.)