ICSME 2025
Sun 7 - Fri 12 September 2025 Auckland, New Zealand

This program is tentative and subject to change.

Thu 11 Sep 2025 16:00 - 16:15 at Case Room 2 260-057 - Session 12 - Security 1 Chair(s): Dhanushka Jayasuriya

Abstract. Fuzzing is a well-established technique for detecting bugs and vulnerabilities. With the surge of fuzzers and fuzzer platforms being developed (e.g., AFL and OSSFuzz) rises the necessity to benchmark these tools’ performance. A common problem is that vulnerability benchmarks are based on bugs in old software releases. For this very reason, Magma introduced the notion of forward-porting - reintroducing vulnerable code in current software releases. While their results are promising, the state-of-the-art lacks an update on the maintainability of this approach over time. Indeed, adding the vulnerable code to a recent software version might either break its functionality or make the vulnerable code no longer reachable. We characterise the challenges with forward-porting by reassessing the portability of Magma’s CVEs four years later and manually reintroducing the vulnerabilities in the current software versions. We find the straightforward process efficient for 17 of the 32 CVEs in our study. We further investigate why a trivial forward-porting process fails in the 15 other CVEs. This involves identifying the commits breaking the forward-porting process and reverting them in addition to the bug fix. While we manage to complete the process for nine of these CVEs, we provide an update on all 15 and explain the challenges we have been confronted with in this process. Thereby, we give the basis for future work towards a sustainable forward-ported fuzzing benchmark.

Thu 11 Sep

Displayed time zone: Auckland, Wellington

15:30 - 17:00
15:30
15m
Retrieve, Refine, or Both? Using Task-Specific Guidelines for Secure Python Code Generation
Research Papers Track
Catherine Tony Hamburg University of Technology, Emanuele Iannone Hamburg University of Technology, Riccardo Scandariato Hamburg University of Technology
Pre-print
15:45
15m
SAEL: Leveraging Large Language Models with Adaptive Mixture-of-Experts for Smart Contract Vulnerability Detection
Research Papers Track
Lei Yu Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Shiqi Cheng Institute of Software, Chinese Academy of Sciences, China, Zhirong Huang Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Jingyuan Zhang Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Chenjie Shen Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Junyi Lu Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Li Yang Institute of Software, Chinese Academy of Sciences, Fengjun Zhang Institute of Software, Chinese Academy of Sciences, China, Jiajia Ma Institute of Software, Chinese Academy of Sciences, China
16:00
15m
Evaluating the maintainability of Forward-Porting vulnerabilities in fuzzer benchmarks
Research Papers Track
Timothée Riom Umeå Universitet, Sabine Houy Umeå Universitet, Bruno Kreyssig Umeå University, Alexandre Bartel Umeå University
16:15
10m
VulGuard: An Unified Tool for Evaluating Just-In-Time Vulnerability Prediction Models
Tool Demonstration Track
Duong Nguyen Hanoi University of Science and Technology, Manh Tran-Duc Hanoi University of Science and Technology, Le-Cong Thanh The University of Melbourne, Triet Le The University of Adelaide, Muhammad Ali Babar School of Computer Science, The University of Adelaide, Quyet Thang Huynh Hanoi University of Science and Technology
16:25
10m
Explicit Vulnerability Generation with LLMs: An Investigation Beyond Adversarial Attacks
NIER Track
Emir Bosnak Bilkent University, Sahand Moslemi Yengejeh Bilkent University, Mayasah Lami Bilkent University, Anil Koyuncu Bilkent University
Pre-print
16:35
15m
Vulnerabilities in Infrastructure as Code: What, How Many, and Who?
Journal First Track
Aïcha War University of Luxembourg, Alioune Diallo University of Luxembourg, Andrew Habib ABB Corporate Research, Germany, Jacques Klein University of Luxembourg, Tegawendé F. Bissyandé University of Luxembourg