PPT4J: Patch presence test for Java binaries

Author

Zhiyuan PAN
Xing HU
Xin XIA
Xian ZHAN
David LO, Singapore Management UniversityFollow
Xiaohu YANG

Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

4-2024

Abstract

The number of vulnerabilities reported in open source software has increased substantially in recent years. Security patches provide the necessary measures to protect software from attacks and vulnerabilities. In practice, it is difficult to identify whether patches have been integrated into software, especially if we only have binary files. Therefore, the ability to test whether a patch is applied to the target binary, a.k.a. patch presence test, is crucial for practitioners. However, it is challenging to obtain accurate semantic information from patches, which could lead to incorrect results.In this paper, we propose a new patch presence test framework named Ppt4J (Patch Presence Test for Java Binaries). Ppt4J is designed for open-source Java libraries. It takes Java binaries (i.e. bytecode files) as input, extracts semantic information from patches, and uses feature-based techniques to identify patch lines in the binaries. To evaluate the effectiveness of our proposed approach Ppt4J, we construct a dataset with binaries that include 110 vulnerabilities. The results show that Ppt4J achieves an F1 score of 98.5% with reasonable efficiency, improving the baseline by 14.2%. Furthermore, we conduct an in-the-wild evaluation of Ppt4J on JetBrains IntelliJ IDEA. The results suggest that a third-party library included in the software is not patched for two CVEs, and we have reported this potential security problem to the vendor.

Keywords

Patch Presence Test, Binary Analysis, Software Security

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal, April 14-20

First Page

1

Last Page

12

ISBN

9798400702174

Identifier

10.1145/3597503.3639231

Publisher

ACM

City or Country

New York

Citation

PAN, Zhiyuan; HU, Xing; XIA, Xin; ZHAN, Xian; LO, David; and YANG, Xiaohu. PPT4J: Patch presence test for Java binaries. (2024). ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal, April 14-20. 1-12.
Available at: https://ink.library.smu.edu.sg/sis_research/9252

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3597503.3639231