Exploiting library vulnerability via migration-based automated test generation
In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their projects are affected by the vulnerability, which requires deve...
Saved in:
| Main Authors: | , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2024
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/9253 https://ink.library.smu.edu.sg/context/sis_research/article/10253/viewcontent/2312.09564v1.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-10253 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-102532024-09-02T06:38:55Z Exploiting library vulnerability via migration-based automated test generation CHEN, Zirui HU, Xing XIA, Xin GAO, Yi XU, Tongtong LO, David YANG, Xiaohu In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their projects are affected by the vulnerability, which requires developers to invest substantial effort in assessment. However, existing tools face a series of issues: static analysis tools produce false alarms, dynamic analysis tools require existing tests and test generation tools have low success rates when facing complex vulnerabilities.Vulnerability exploits, as code snippets provided for reproducing vulnerabilities after disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called Vesta (Vulnerability Exploit-based Software Testing Auto-Generator), which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies. Vesta extends the search-based test generation methods by adding a migration step, ensuring the similarity between the generated test and the vulnerability exploit, which increases the likelihood of detecting potential library vulnerabilities in a project.We perform experiments on 30 vulnerabilities disclosed in the past five years, involving 60 vulnerability-project pairs, and compare the experimental results with the baseline method, Transfer. The success rate of Vesta is 71.7% which is a 53.4% improvement over Transfer in the effectiveness of verifying exploitable vulnerabilities. 2024-04-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/9253 info:doi/10.1145/3597503.3639583 https://ink.library.smu.edu.sg/context/sis_research/article/10253/viewcontent/2312.09564v1.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Library Vulnerabilities Search-based Test Generation Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Library Vulnerabilities Search-based Test Generation Software Engineering |
| spellingShingle |
Library Vulnerabilities Search-based Test Generation Software Engineering CHEN, Zirui HU, Xing XIA, Xin GAO, Yi XU, Tongtong LO, David YANG, Xiaohu Exploiting library vulnerability via migration-based automated test generation |
| description |
In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their projects are affected by the vulnerability, which requires developers to invest substantial effort in assessment. However, existing tools face a series of issues: static analysis tools produce false alarms, dynamic analysis tools require existing tests and test generation tools have low success rates when facing complex vulnerabilities.Vulnerability exploits, as code snippets provided for reproducing vulnerabilities after disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called Vesta (Vulnerability Exploit-based Software Testing Auto-Generator), which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies. Vesta extends the search-based test generation methods by adding a migration step, ensuring the similarity between the generated test and the vulnerability exploit, which increases the likelihood of detecting potential library vulnerabilities in a project.We perform experiments on 30 vulnerabilities disclosed in the past five years, involving 60 vulnerability-project pairs, and compare the experimental results with the baseline method, Transfer. The success rate of Vesta is 71.7% which is a 53.4% improvement over Transfer in the effectiveness of verifying exploitable vulnerabilities. |
| format |
text |
| author |
CHEN, Zirui HU, Xing XIA, Xin GAO, Yi XU, Tongtong LO, David YANG, Xiaohu |
| author_facet |
CHEN, Zirui HU, Xing XIA, Xin GAO, Yi XU, Tongtong LO, David YANG, Xiaohu |
| author_sort |
CHEN, Zirui |
| title |
Exploiting library vulnerability via migration-based automated test generation |
| title_short |
Exploiting library vulnerability via migration-based automated test generation |
| title_full |
Exploiting library vulnerability via migration-based automated test generation |
| title_fullStr |
Exploiting library vulnerability via migration-based automated test generation |
| title_full_unstemmed |
Exploiting library vulnerability via migration-based automated test generation |
| title_sort |
exploiting library vulnerability via migration-based automated test generation |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2024 |
| url |
https://ink.library.smu.edu.sg/sis_research/9253 https://ink.library.smu.edu.sg/context/sis_research/article/10253/viewcontent/2312.09564v1.pdf |
| _version_ |
1814047845559304192 |