ISSTA 2025
Wed 25 - Sat 28 June 2025 Trondheim, Norway
co-located with FSE 2025
Thu 26 Jun 2025 11:50 - 12:15 at Cosmos 3A - Security 2 Chair(s): Jacques Klein

With the rapid development of open-source software, code reuse has become a common practice to accelerate development. However, reused code inherits the vulnerabilities of the original, which then recur in the reusing projects; these are known as recurring vulnerabilities (RVs). Traditional general-purpose vulnerability detection approaches struggle with scalability and adaptability, while learning-based approaches are often constrained by limited training datasets and are less effective against unseen vulnerabilities. Though specific recurring vulnerability detection (RVD) approaches have been proposed, their effectiveness across various RV characteristics remains unclear.

In this paper, we conduct a large-scale empirical study using a newly constructed RV dataset containing 4,569 RVs, achieving a 953% expansion over prior RV datasets. Our study analyzes the characteristics of RVs, evaluates the effectiveness of the state-of-the-art RVD approaches, and investigates the root causes of false positives and false negatives, yielding key insights. Inspired by these insights, we design AntMan, a novel RVD approach that identifies both explicit and implicit call relations with modified functions, then employs inter-procedural taint analysis and intra-procedural dependency slicing within those functions to generate comprehensive signatures, and finally incorporates flexible matching to detect RVs. Our comprehensive evaluation has demonstrated AntMan's effectiveness, generality and practical usefulness in RVD. Notably, AntMan has successfully detected 4,593 recurring vulnerabilities, with 307 confirmed by developers, and identified 73 new 0-day vulnerabilities across 15 projects, receiving 5 CVE identifiers.

Thu 26 Jun

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

11:00 - 12:15
Security 2 - Research Papers at Cosmos 3A
Chair(s): Jacques Klein University of Luxembourg
11:00
25m
Talk
Top Score on the Wrong Exam: On Benchmarking in Machine Learning for Vulnerability Detection
Research Papers
Niklas Risse Max-Planck-Institute for Security and Privacy, Jing Liu Max Planck Institute for Security and Privacy, Marcel Böhme MPI for Security and Privacy
11:25
25m
Talk
SoK: A Taxonomic Analysis of DeFi Rug Pulls - Types, Dataset, and Tool Assessment
Research Papers
Dianxiang Sun Nanyang Technological University, Wei Ma, Liming Nie, Yang Liu Nanyang Technological University
11:50
25m
Talk
Recurring Vulnerability Detection: How Far Are We?
Research Papers
Yiheng Cao Fudan University, Susheng Wu Fudan University, Ruisi Wang Fudan University, Bihuan Chen Fudan University, Yiheng Huang Fudan University, Chenhao Lu Fudan University, Zhuotong Zhou Fudan University, Xin Peng Fudan University

Information for Participants
Thu 26 Jun 2025 11:00 - 12:15 at Cosmos 3A - Security 2 Chair(s): Jacques Klein
Info for room Cosmos 3A:

Cosmos 3A is the first room in the Cosmos 3 wing.

When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.
