With the rapid development of open-source software, code reuse has become a common practice to accelerate development. However, reused code inherits the vulnerabilities of the original project, and these recur in the reusing projects as recurring vulnerabilities (RVs). Traditional general-purpose vulnerability detection approaches struggle with scalability and adaptability, while learning-based approaches are often constrained by limited training datasets and are less effective against unseen vulnerabilities. Though specific recurring vulnerability detection (RVD) approaches have been proposed, their effectiveness across various RV characteristics remains unclear.
In this paper, we conduct a large-scale empirical study using a newly constructed RV dataset containing 4,569 RVs, achieving a 953% expansion over prior RV datasets. Our study analyzes the characteristics of RVs, evaluates the effectiveness of the state-of-the-art RVD approaches, and investigates the root causes of false positives and false negatives, yielding key insights. Inspired by these insights, we design AntMan, a novel RVD approach that identifies both explicit and implicit call relations with modified functions, then employs inter-procedural taint analysis and intra-procedural dependency slicing within those functions to generate comprehensive signatures, and finally incorporates flexible matching to detect RVs. Our comprehensive evaluation has demonstrated AntMan's effectiveness, generality and practical usefulness in RVD. Notably, AntMan has successfully detected 4,593 recurring vulnerabilities, with 307 confirmed by developers, and identified 73 new 0-day vulnerabilities across 15 projects, receiving 5 CVE identifiers.
Thu 26 Jun. Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
11:00 - 12:15
11:00 | 25m | Talk | Top Score on the Wrong Exam: On Benchmarking in Machine Learning for Vulnerability Detection | Research Papers | Niklas Risse (Max-Planck-Institute for Security and Privacy), Jing Liu (Max Planck Institute for Security and Privacy), Marcel Böhme (MPI for Security and Privacy)
11:25 | 25m | Talk | SoK: A Taxonomic Analysis of DeFi Rug Pulls - Types, Dataset, and Tool Assessment | Research Papers | Dianxiang Sun (Nanyang Technological University), Wei Ma, Liming Nie, Yang Liu (Nanyang Technological University)
11:50 | 25m | Talk | Recurring Vulnerability Detection: How Far Are We? | Research Papers | Yiheng Cao, Susheng Wu, Ruisi Wang, Bihuan Chen, Yiheng Huang, Chenhao Lu, Zhuotong Zhou, Xin Peng (all Fudan University)
Cosmos 3A is the first room in the Cosmos 3 wing.
When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.