DOI: 10.1145/3611643.3616351 (ESEC/FSE Conference Proceedings)
research-article
Open access

Learning Program Semantics for Vulnerability Detection via Vulnerability-Specific Inter-procedural Slicing

Published: 30 November 2023

Abstract

    Learning-based approaches that learn code representations for software vulnerability detection have been proven to produce inspiring results. However, they still fail to capture complete and precise vulnerability semantics for code representations. To address these limitations, in this work we propose a learning-based approach named SnapVuln, which first utilizes multiple vulnerability-specific inter-procedural slicing algorithms to capture vulnerability semantics of various types and then employs a Gated Graph Neural Network (GGNN) with an attention mechanism to learn those vulnerability semantics. We compare SnapVuln with state-of-the-art learning-based approaches on two public datasets and confirm that SnapVuln outperforms them. We further perform an ablation study and demonstrate that the completeness and precision of the vulnerability semantics captured by SnapVuln contribute to the performance improvement.

    Supplementary Material

    Video (fse23main-p1222-p-video.mp4)
    "Recently, the learning-based approaches that learn code representations for software vulnerability detection have been proven to produce inspiring results. However, they still suffer from some limitations. On one hand, some learning-based works learn code representation on a single function for vulnerability detection, which ignores the fact that some vulnerabilities span multiple functions. On the other hand, other works attempt to leverage slicing techniques to extract the program semantics of vulnerable parts to generate code representations for vulnerability detection but fail to slice out precise vulnerable parts due to the wide variety of vulnerabilities that cannot be accurately captured by one general slicing algorithm. To address the limitations, in this paper, we propose a learning-based approach named SnapVuln, which utilizes multiple type-specific inter-procedural slicing algorithms that operate on inter-procedural graphs to capture precise program semantics of various vulnerability types and leverages a Gated Graph Neural Network (GGNN) with an attention mechanism to learn graph structure information and assign different weights to different program semantics for code representation generation. We conduct extensive experiments on two public datasets, and compare SnapVuln with five state-of-the-art learning-based vulnerability detection approaches and two pre-trained approaches. Experimental results show that SnapVuln outperforms these baselines. We further perform an ablation study to demonstrate that the completeness and precision of vulnerability semantics captured by SnapVuln contribute to the improvement of vulnerability detection."
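    The following is an added illustration, not code from the SnapVuln paper or its authors, of why the abstract distinguishes single-function representations from inter-procedural slicing: a backward slice from a memory-copy sink is computed once following only intra-procedural data edges and once also following parameter-in and return edges. The dependence graph, the C-like program it describes and the edge kinds are constructed here as assumptions; the paper's own slicing algorithms are not shown on this page.

```python
# Added example (not from the SnapVuln paper): backward slicing over a small
# hand-built inter-procedural dependence graph, intra- vs inter-procedurally.
from collections import deque

# Constructed program under analysis (assumption, C-like, shown for reference):
#   int read_len()            { int n = read_int(); return n; }
#   void copy(char *src, int n){ char buf[16]; memcpy(buf, src, n); }
#   int main()                { int n = read_len(); char *s = get_input(); copy(s, n); }
#
# Nodes are (function, statement). Edges are (src, dst, kind) with kind one of
# "data" (intra-procedural data dependence), "param_in" (actual -> formal) or
# "ret" (callee return value -> caller use). This is a constructed graph.
EDGES = [
    (("read_len", "n = read_int()"), ("read_len", "return n"), "data"),
    (("read_len", "return n"), ("main", "n = read_len()"), "ret"),
    (("main", "n = read_len()"), ("main", "copy(s, n)"), "data"),
    (("main", "s = get_input()"), ("main", "copy(s, n)"), "data"),
    (("main", "copy(s, n)"), ("copy", "formal n"), "param_in"),
    (("main", "copy(s, n)"), ("copy", "formal src"), "param_in"),
    (("copy", "formal n"), ("copy", "memcpy(buf, src, n)"), "data"),
    (("copy", "formal src"), ("copy", "memcpy(buf, src, n)"), "data"),
    (("copy", "char buf[16]"), ("copy", "memcpy(buf, src, n)"), "data"),
]

# Slicing criterion: the memory-copy sink, chosen as the starting point a
# buffer-overflow-specific slice would use (assumption about sink choice).
SINK = ("copy", "memcpy(buf, src, n)")


def backward_slice(edges, criterion, interprocedural):
    """Return every node on which `criterion` transitively depends.

    interprocedural=False follows only 'data' edges inside the criterion's
    own function, mimicking a single-function representation; True also
    follows 'param_in' and 'ret' edges across calls.
    """
    preds = {}
    for src, dst, kind in edges:
        preds.setdefault(dst, []).append((src, kind))
    seen = {criterion}
    work = deque([criterion])
    while work:
        node = work.popleft()
        for src, kind in preds.get(node, []):
            # Single-function view: stay inside this function, data edges only.
            if not interprocedural and (kind != "data" or src[0] != node[0]):
                continue
            if src not in seen:
                seen.add(src)
                work.append(src)
    return seen


def functions_in_slice(interprocedural):
    """Functions whose statements end up in the slice from SINK."""
    return sorted({f for f, _ in backward_slice(EDGES, SINK, interprocedural)})


if __name__ == "__main__":
    print("intra-procedural slice:", sorted(backward_slice(EDGES, SINK, False)))
    print("inter-procedural slice:", sorted(backward_slice(EDGES, SINK, True)))
```

    The intra-procedural slice never reaches `read_int()` in `read_len`, the statement where the unchecked length originates, so a representation built from `copy` alone cannot see that the copied length is externally controlled.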


      Published In

      ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
      November 2023
      2215 pages
      ISBN:9798400703270
      DOI:10.1145/3611643
      This work is licensed under a Creative Commons Attribution International 4.0 License.

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. Vulnerability detection
      2. code representations
      3. program semantics

      Funding Sources

      • Ministry of Education, Singapore under its Academic Research Fund Tier 3

      Conference

      ESEC/FSE '23

      Acceptance Rates

      Overall Acceptance Rate: 112 of 543 submissions, 21%
