Exploiting library vulnerability via migration-based automated test generation

Author

Zirui CHEN
Xing HU
Xin XIA
Yi GAO
Tongtong XU
David LO, Singapore Management UniversityFollow
Xiaohu YANG

Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

4-2024

Abstract

In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their projects are affected by the vulnerability, which requires developers to invest substantial effort in assessment. However, existing tools face a series of issues: static analysis tools produce false alarms, dynamic analysis tools require existing tests and test generation tools have low success rates when facing complex vulnerabilities.Vulnerability exploits, as code snippets provided for reproducing vulnerabilities after disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called Vesta (Vulnerability Exploit-based Software Testing Auto-Generator), which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies. Vesta extends the search-based test generation methods by adding a migration step, ensuring the similarity between the generated test and the vulnerability exploit, which increases the likelihood of detecting potential library vulnerabilities in a project.We perform experiments on 30 vulnerabilities disclosed in the past five years, involving 60 vulnerability-project pairs, and compare the experimental results with the baseline method, Transfer. The success rate of Vesta is 71.7% which is a 53.4% improvement over Transfer in the effectiveness of verifying exploitable vulnerabilities.

Keywords

Library Vulnerabilities, Search-based Test Generation

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal, April 14-20

First Page

1

Last Page

12

Identifier

10.1145/3597503.3639583

Publisher

ACM

City or Country

New York

Citation

CHEN, Zirui; HU, Xing; XIA, Xin; GAO, Yi; XU, Tongtong; LO, David; and YANG, Xiaohu. Exploiting library vulnerability via migration-based automated test generation. (2024). ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal, April 14-20. 1-12.
Available at: https://ink.library.smu.edu.sg/sis_research/9253

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3597503.3639583