ESEC/FSE 2022
Mon 14 - Fri 18 November 2022 Singapore
Wed 16 Nov 2022 14:00 - 14:15 at SRC LT 50 - Security

The coordinated vulnerability disclosure (CVD) process is commonly adopted for open source software (OSS) vulnerability management; it calls for reporting discovered vulnerabilities privately and keeping the relevant information secret until the official disclosure. However, in practice, for various reasons (e.g., lack of security domain expertise or of a sense of security management), many vulnerabilities are first reported via public issue reports (IRs) before their official disclosure. Such IRs are dangerous IRs, since attackers can take advantage of the leaked vulnerability information to launch zero-day attacks. It is crucial to identify such dangerous IRs at an early stage, so that OSS users can start the vulnerability remediation process earlier and OSS maintainers can manage the dangerous IRs in a timely manner. In this paper, we propose and evaluate a deep learning based approach, namely MemVul, to automatically identify dangerous IRs at the time they are reported. MemVul augments the neural networks with a memory component, which stores external vulnerability knowledge from the Common Weakness Enumeration (CWE). We rely on publicly accessible CVE-referred IRs (CIRs) to operationalize the concept of dangerous IR. We mine 3,937 CIRs distributed across 1,390 OSS projects hosted on GitHub. Evaluated under a practical scenario of high data imbalance, MemVul achieves the best trade-off between precision and recall among all baselines. In particular, the F1-score of MemVul (i.e., 0.49) improves on the best performing baseline by 44%. For IRs that are predicted as CIRs but not reported to CVE, we conduct a user study to investigate their usefulness to OSS stakeholders. We observe that 82% (41 out of 50) of these IRs are security-related and 28 of them are suggested by security experts to be publicly disclosed, indicating MemVul is capable of identifying undisclosed dangerous IRs.
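Two points in the abstract are easy to misread without a concrete setup: how a "dangerous IR" is operationalized (an issue report is a CIR exactly when a CVE record refers back to it) and why the evaluation reports precision, recall and F1 rather than accuracy under heavy class imbalance. The following is an added example, not the MemVul authors' code or pipeline. It constructs a handful of sample issue reports and a placeholder CVE-to-issue mapping (the CVE IDs are deliberately non-real), derives CIR labels from that mapping, scores a hypothetical keyword classifier and an all-negative majority predictor, and shows that the majority predictor wins on accuracy while having an F1 of zero, which is the trap the abstract's choice of metrics avoids.

```python
"""Added example (not MemVul): CIR labelling and imbalance-aware scoring."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class IssueReport:
    repo: str
    number: int
    title: str
    body: str


# Constructed sample issue reports; repos, numbers and texts are invented here.
ISSUES: List[IssueReport] = [
    IssueReport("org/lib-a", 101, "Crash on deeply nested JSON",
                "Recursion depth exceeded on crafted input; process aborts."),
    IssueReport("org/lib-a", 102, "Typo in README", "'recieve' should be 'receive'."),
    IssueReport("org/lib-a", 103, "Add dark mode to docs site", "Feature request."),
    IssueReport("org/lib-b", 7, "Path traversal in archive extraction",
                "Entries containing '../' are written outside the target directory."),
    IssueReport("org/lib-b", 8, "Flaky test on Windows CI", "Timing dependent assertion."),
    IssueReport("org/lib-b", 9, "Build fails with GCC 12", "Missing #include <cstdint>."),
    IssueReport("org/lib-c", 55, "Password compared with == instead of constant-time",
                "Timing differences allow guessing the password byte by byte."),
    IssueReport("org/lib-c", 56, "Update copyright year", ""),
    IssueReport("org/lib-c", 57, "Slow startup with large config", "Takes 30s to load."),
    IssueReport("org/lib-c", 58, "Crash when config file is empty", "Null dereference."),
]

# Constructed CVE -> issue mapping, standing in for the references that CVE
# records carry to GitHub issues. The IDs are placeholders, not real CVEs.
CVE_REFERENCES: Dict[str, Tuple[str, int]] = {
    "CVE-0000-0001": ("org/lib-b", 7),
    "CVE-0000-0002": ("org/lib-c", 55),
}


def label_cirs(issues: Sequence[IssueReport],
               cve_refs: Dict[str, Tuple[str, int]]) -> List[bool]:
    """Ground truth: an IR is a CIR (dangerous) iff some CVE record refers to it."""
    referenced = set(cve_refs.values())
    return [(ir.repo, ir.number) in referenced for ir in issues]


# Hypothetical keyword baseline; this is NOT MemVul, just a classifier to score.
SECURITY_TERMS = ("traversal", "overflow", "injection", "crash", "timing",
                  "password", "exploit", "null dereference")


def keyword_baseline(issues: Sequence[IssueReport]) -> List[bool]:
    """Flags an IR as dangerous if any security keyword appears in title or body."""
    return [any(t in (ir.title + " " + ir.body).lower() for t in SECURITY_TERMS)
            for ir in issues]


def majority_baseline(issues: Sequence[IssueReport]) -> List[bool]:
    """Predicts 'not dangerous' for everything: looks good on accuracy only."""
    return [False] * len(issues)


def confusion(y_true: Sequence[bool], y_pred: Sequence[bool]) -> Tuple[int, int, int, int]:
    tp = sum(1 for t, p in zip(y_true, y_pred) if t and p)
    fp = sum(1 for t, p in zip(y_true, y_pred) if not t and p)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t and not p)
    tn = sum(1 for t, p in zip(y_true, y_pred) if not t and not p)
    return tp, fp, fn, tn


def scores(y_true: Sequence[bool], y_pred: Sequence[bool]) -> Dict[str, float]:
    """Precision/recall/F1 (the abstract's metrics) plus accuracy for contrast."""
    tp, fp, fn, tn = confusion(y_true, y_pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    accuracy = (tp + tn) / len(y_true)
    return {"precision": precision, "recall": recall, "f1": f1, "accuracy": accuracy}


def evaluate() -> Dict[str, Dict[str, float]]:
    y_true = label_cirs(ISSUES, CVE_REFERENCES)
    return {
        "keyword": scores(y_true, keyword_baseline(ISSUES)),
        "majority": scores(y_true, majority_baseline(ISSUES)),
    }


if __name__ == "__main__":
    for name, s in evaluate().items():
        print(f"{name:9s} " + " ".join(f"{k}={v:.2f}" for k, v in s.items()))
```

With only 2 of 10 constructed IRs labelled as CIRs, the all-negative predictor reaches 0.80 accuracy with an F1 of 0.00, while the keyword baseline catches both CIRs at the cost of three false positives (precision 0.40, recall 1.00, F1 0.57). On real data the positive class is far rarer than 20%, which is why a precision/recall trade-off, not accuracy, is the meaningful comparison.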

Wed 16 Nov

Displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi

14:00 - 15:30
14:00
15m
Talk
Automated Unearthing of Dangerous Issue Reports
Research Papers
Shengyi Pan Zhejiang University, Jiayuan Zhou Centre for Software Excellence, Huawei, Canada, Filipe Cogo Centre for Software Excellence, Huawei, Canada, Xin Xia Huawei Software Engineering Application Technology Lab, Lingfeng Bao Zhejiang University, Xing Hu Zhejiang University, Shanping Li Zhejiang University, Ahmed E. Hassan Queen's University
14:15
15m
Talk
On the Vulnerability Proneness of Multilingual Code
Research Papers
Wen Li , Li Li Monash University, Haipeng Cai Washington State University, USA
Pre-print
14:30
15m
Talk
Tracking Patches for Open Source Software Vulnerabilities
Research Papers
Congying Xu , Bihuan Chen Fudan University, China, Chenhao Lu Fudan University, Kaifeng Huang Fudan University, Xin Peng Fudan University, Yang Liu Nanyang Technological University
14:45
15m
Talk
DeJITLeak: Eliminating JIT-Induced Timing Side-Channel Leaks
Research Papers
Qi Qin ShanghaiTech University, JulianAndres JiYang ShanghaiTech University, Fu Song ShanghaiTech University, Taolue Chen Birkbeck University of London, Xinyu Xing Northwestern University
15:00
7m
Talk
VulCurator: A Vulnerability-Fixing Commit Detector
Demonstrations
Truong Giang Nguyen School of Computing and Information Systems, Singapore Management University, Le-Cong Thanh Singapore Management University, Singapore, Hong Jin Kang Singapore Management University, Singapore, Xuan-Bach D. Le Singapore Management University, Singapore, David Lo Singapore Management University
15:08
7m
Talk
KVS: A Tool for Knowledge-Driven Vulnerability Searching
Demonstrations
Xingqi Cheng Yangzhou University, Xiaobing Sun Yangzhou University, Lili Bo Yangzhou University, Ying Wei Yangzhou University
15:15
7m
Talk
MANDO-GURU: Vulnerability Detection for Smart Contract Source Code By Heterogeneous Graph Embeddings
Demonstrations
Hoang H. Nguyen L3S Research Center, Leibniz Universität Hannover, Hannover, Germany, Nhat-Minh Nguyen Singapore Management University, Singapore, Hong-Phuc Doan Hanoi University of Science and Technology, Hanoi, Vietnam, Zahra Ahmadi L3S Research Center, Leibniz Universität Hannover, Hannover, Germany, Thanh-Nam Doan Independent Researcher, Atlanta, Georgia, USA, Lingxiao Jiang Singapore Management University
15:23
7m
Talk
FastKLEE: Faster Symbolic Execution via Reducing Redundant Bound Checking of Type-Safe Pointers
Demonstrations
Haoxin Tu Singapore Management University, Singapore, Lingxiao Jiang Singapore Management University, Xuhua Ding Singapore Management University, He Jiang School of Software, Dalian University of Technology