
Exploiting Library Vulnerability via Migration Based Automating Test Generation (2312.09564v1)

Published 15 Dec 2023 in cs.SE

Abstract: In software development, developers make extensive use of third-party libraries to avoid re-implementing existing functionality. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their projects are affected, which requires substantial assessment effort from developers. Existing tools face a series of issues: static analysis tools produce false alarms, dynamic analysis tools require existing tests, and test generation tools have low success rates when facing complex vulnerabilities. Vulnerability exploits, the code snippets provided for reproducing a vulnerability after disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called VESTA (Vulnerability Exploit-based Software Testing Auto-Generator), which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies. VESTA extends search-based test generation methods by adding a migration step that ensures similarity between the generated test and the vulnerability exploit, which increases the likelihood of detecting potential library vulnerabilities in a project. We perform experiments on 30 vulnerabilities disclosed in the past five years, involving 60 vulnerability-project pairs, and compare the results with the baseline method, TRANSFER. The success rate of VESTA is 71.7%, a 53.4% improvement over TRANSFER in the effectiveness of verifying exploitable vulnerabilities.
