PPT4J: Patch presence test for Java binaries

The number of vulnerabilities reported in open source software has increased substantially in recent years. Security patches provide the necessary measures to protect software from attacks and vulnerabilities. In practice, it is difficult to identify whether patches have been integrated into softwar...

Full description

Saved in:
Bibliographic Details
Main Authors: PAN, Zhiyuan, HU, Xing, XIA, Xin, ZHAN, Xian, LO, David, YANG, Xiaohu
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2024
Subjects:
Online Access:https://ink.library.smu.edu.sg/sis_research/9252
https://ink.library.smu.edu.sg/context/sis_research/article/10252/viewcontent/2312.11013v2.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
id sg-smu-ink.sis_research-10252
record_format dspace
spelling sg-smu-ink.sis_research-102522024-09-02T06:39:26Z PPT4J: Patch presence test for Java binaries PAN, Zhiyuan HU, Xing XIA, Xin ZHAN, Xian LO, David YANG, Xiaohu The number of vulnerabilities reported in open source software has increased substantially in recent years. Security patches provide the necessary measures to protect software from attacks and vulnerabilities. In practice, it is difficult to identify whether patches have been integrated into software, especially if we only have binary files. Therefore, the ability to test whether a patch is applied to the target binary, a.k.a. patch presence test, is crucial for practitioners. However, it is challenging to obtain accurate semantic information from patches, which could lead to incorrect results.In this paper, we propose a new patch presence test framework named Ppt4J (Patch Presence Test for Java Binaries). Ppt4J is designed for open-source Java libraries. It takes Java binaries (i.e. bytecode files) as input, extracts semantic information from patches, and uses feature-based techniques to identify patch lines in the binaries. To evaluate the effectiveness of our proposed approach Ppt4J, we construct a dataset with binaries that include 110 vulnerabilities. The results show that Ppt4J achieves an F1 score of 98.5% with reasonable efficiency, improving the baseline by 14.2%. Furthermore, we conduct an in-the-wild evaluation of Ppt4J on JetBrains IntelliJ IDEA. The results suggest that a third-party library included in the software is not patched for two CVEs, and we have reported this potential security problem to the vendor. 2024-04-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/9252 info:doi/10.1145/3597503.3639231 https://ink.library.smu.edu.sg/context/sis_research/article/10252/viewcontent/2312.11013v2.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Patch Presence Test Binary Analysis Software Security Software Engineering
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Patch Presence Test
Binary Analysis
Software Security
Software Engineering
spellingShingle Patch Presence Test
Binary Analysis
Software Security
Software Engineering
PAN, Zhiyuan
HU, Xing
XIA, Xin
ZHAN, Xian
LO, David
YANG, Xiaohu
PPT4J: Patch presence test for Java binaries
description The number of vulnerabilities reported in open source software has increased substantially in recent years. Security patches provide the necessary measures to protect software from attacks and vulnerabilities. In practice, it is difficult to identify whether patches have been integrated into software, especially if we only have binary files. Therefore, the ability to test whether a patch is applied to the target binary, a.k.a. patch presence test, is crucial for practitioners. However, it is challenging to obtain accurate semantic information from patches, which could lead to incorrect results.In this paper, we propose a new patch presence test framework named Ppt4J (Patch Presence Test for Java Binaries). Ppt4J is designed for open-source Java libraries. It takes Java binaries (i.e. bytecode files) as input, extracts semantic information from patches, and uses feature-based techniques to identify patch lines in the binaries. To evaluate the effectiveness of our proposed approach Ppt4J, we construct a dataset with binaries that include 110 vulnerabilities. The results show that Ppt4J achieves an F1 score of 98.5% with reasonable efficiency, improving the baseline by 14.2%. Furthermore, we conduct an in-the-wild evaluation of Ppt4J on JetBrains IntelliJ IDEA. The results suggest that a third-party library included in the software is not patched for two CVEs, and we have reported this potential security problem to the vendor.
format text
author PAN, Zhiyuan
HU, Xing
XIA, Xin
ZHAN, Xian
LO, David
YANG, Xiaohu
author_facet PAN, Zhiyuan
HU, Xing
XIA, Xin
ZHAN, Xian
LO, David
YANG, Xiaohu
author_sort PAN, Zhiyuan
title PPT4J: Patch presence test for Java binaries
title_short PPT4J: Patch presence test for Java binaries
title_full PPT4J: Patch presence test for Java binaries
title_fullStr PPT4J: Patch presence test for Java binaries
title_full_unstemmed PPT4J: Patch presence test for Java binaries
title_sort ppt4j: patch presence test for java binaries
publisher Institutional Knowledge at Singapore Management University
publishDate 2024
url https://ink.library.smu.edu.sg/sis_research/9252
https://ink.library.smu.edu.sg/context/sis_research/article/10252/viewcontent/2312.11013v2.pdf
_version_ 1814047845305548800