TY - GEN
T1 - VulChecker
T2 - 32nd USENIX Security Symposium, USENIX Security 2023
AU - Mirsky, Yisroel
AU - Macon, George
AU - Brown, Michael
AU - Yagemann, Carter
AU - Pruett, Matthew
AU - Downing, Evan
AU - Mertoguno, Sukarno
AU - Lee, Wenke
N1 - Publisher Copyright:
© 2023 32nd USENIX Security Symposium, USENIX Security 2023. All rights reserved.
PY - 2023/1/1
Y1 - 2023/1/1
N2 - In software development, it is critical to detect vulnerabilities in a project as early as possible. Although deep learning has shown promise in this task, current state-of-the-art methods cannot classify and identify the line on which the vulnerability occurs. Instead, the developer is tasked with searching for an arbitrary bug in an entire function or even larger region of code. In this paper, we propose VulChecker: a tool that can precisely locate vulnerabilities in source code (down to the exact instruction) as well as classify their type (CWE). To accomplish this, we propose a new program representation, program slicing strategy, and the use of a message-passing graph neural network to utilize all of code's semantics and improve the reach between a vulnerability's root cause and manifestation points. We also propose a novel data augmentation strategy for cheaply creating strong datasets for vulnerability detection in the wild, using free synthetic samples available online. With this training strategy, VulChecker was able to identify 24 CVEs (10 from 2019 & 2020) in 19 projects taken from the wild, with nearly zero false positives compared to a commercial tool that could only detect 4. VulChecker also discovered an exploitable zero-day vulnerability, which has been reported to developers for responsible disclosure.
AB - In software development, it is critical to detect vulnerabilities in a project as early as possible. Although deep learning has shown promise in this task, current state-of-the-art methods cannot classify and identify the line on which the vulnerability occurs. Instead, the developer is tasked with searching for an arbitrary bug in an entire function or even larger region of code. In this paper, we propose VulChecker: a tool that can precisely locate vulnerabilities in source code (down to the exact instruction) as well as classify their type (CWE). To accomplish this, we propose a new program representation, program slicing strategy, and the use of a message-passing graph neural network to utilize all of code's semantics and improve the reach between a vulnerability's root cause and manifestation points. We also propose a novel data augmentation strategy for cheaply creating strong datasets for vulnerability detection in the wild, using free synthetic samples available online. With this training strategy, VulChecker was able to identify 24 CVEs (10 from 2019 & 2020) in 19 projects taken from the wild, with nearly zero false positives compared to a commercial tool that could only detect 4. VulChecker also discovered an exploitable zero-day vulnerability, which has been reported to developers for responsible disclosure.
UR - http://www.scopus.com/inward/record.url?scp=85172385383&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85172385383
T3 - 32nd USENIX Security Symposium, USENIX Security 2023
SP - 6557
EP - 6574
BT - 32nd USENIX Security Symposium, USENIX Security 2023
PB - USENIX Association
Y2 - 9 August 2023 through 11 August 2023
ER -