Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
4-2024
Abstract
In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their projects are affected by the vulnerability, which requires developers to invest substantial effort in assessment. However, existing tools face a series of issues: static analysis tools produce false alarms, dynamic analysis tools require existing tests, and test generation tools have low success rates when facing complex vulnerabilities. Vulnerability exploits, as code snippets provided for reproducing vulnerabilities after disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called Vesta (Vulnerability Exploit-based Software Testing Auto-Generator), which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies. Vesta extends the search-based test generation methods by adding a migration step, ensuring the similarity between the generated test and the vulnerability exploit, which increases the likelihood of detecting potential library vulnerabilities in a project. We perform experiments on 30 vulnerabilities disclosed in the past five years, involving 60 vulnerability-project pairs, and compare the experimental results with the baseline method, Transfer. The success rate of Vesta is 71.7%, which is a 53.4% improvement over Transfer in the effectiveness of verifying exploitable vulnerabilities.
Keywords
Library Vulnerabilities, Search-based Test Generation
Discipline
Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal, April 14-20
First Page
1
Last Page
12
Identifier
10.1145/3597503.3639583
Publisher
ACM
City or Country
New York
Citation
CHEN, Zirui; HU, Xing; XIA, Xin; GAO, Yi; XU, Tongtong; LO, David; and YANG, Xiaohu.
Exploiting library vulnerability via migration-based automated test generation. (2024). ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal, April 14-20. 1-12.
Available at: https://ink.library.smu.edu.sg/sis_research/9253
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3597503.3639583