Thu 7 Dec 2023 15:15 - 15:30 at Golden Gate C3 - Security II Chair(s): Caroline Lemieux

Though many deep learning (DL)-based vulnerability detection approaches have been proposed and have indeed achieved remarkable performance, they still have limitations in generalization as well as in practical usage. More precisely, existing DL-based approaches (1) perform negatively on prediction tasks among functions that are lexically similar but have contrary semantics; (2) provide no intuitive developer-oriented explanations for detected results. In this paper, we propose a novel approach named SVulD, a function-level subtle semantic embedding for Vulnerability Detection along with intuitive explanations, to alleviate the above limitations. Specifically, SVulD first trains a model to learn distinguishing semantic representations of functions regardless of their lexical similarity. Then, for detected vulnerable functions, SVulD provides natural language explanations (e.g., root cause) of results to help developers intuitively understand the vulnerability. To evaluate the effectiveness of SVulD, we conduct a large-scale experiment on a widely used practical vulnerability dataset to compare with four state-of-the-art (SOTA) approaches by considering five performance measures. The experimental results indicate that SVulD outperforms all SOTAs with a substantial improvement (i.e., 23.5%-68.0% in terms of F1-score, 15.9%-134.8% in terms of PR-AUC and 7.4%-64.4% in terms of Accuracy). Besides, we conduct a user-case study to evaluate the practical usefulness of SVulD to developers in understanding the vulnerable code, and the participants’ feedback confirms the usefulness of SVulD.

Thu 7 Dec

Displayed time zone: Pacific Time (US & Canada)

14:00 - 15:30
Security II (Research Papers / Journal First) at Golden Gate C3
Chair(s): Caroline Lemieux University of British Columbia
14:00
15m
Talk
Mate! Are You Really Aware? An Explainability-Guided Testing Framework for Robustness of Malware Detectors
Research Papers
Ruoxi Sun CSIRO's Data61, Jason Minhui Xue CSIRO’s Data61, Gareth Tyson Hong Kong University of Science and Technology, Tian Dong Shanghai Jiao Tong University, Shaofeng Li Shanghai Jiao Tong University, Shuo Wang CSIRO's Data61, Haojin Zhu Shanghai Jiao Tong University, Seyit Camtepe CSIRO Data61, Surya Nepal CSIRO’s Data61
14:15
15m
Talk
Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study
Journal First
Akond Rahman Auburn University, USA, Shazibul Islam Shamim Auburn University, Dibyendu Brinto Bose Virginia Tech, Rahul Pandita GitHub, Inc.
14:30
15m
Talk
Crystallizer: A Hybrid Path Analysis Framework To Aid in Uncovering Deserialization Vulnerabilities
Research Papers
Prashast Srivastava Columbia University, USA, Flavio Toffalini EPFL, Kostyantyn Vorobyov Oracle Labs, Australia, François Gauthier Oracle Labs, Antonio Bianchi Purdue University, Mathias Payer EPFL
14:45
15m
Talk
Neural Transfer Learning for Repairing Security Vulnerabilities in C Code
Journal First
Zimin Chen KTH Royal Institute of Technology, Steve Kommrusch Leela AI, Martin Monperrus KTH Royal Institute of Technology
15:00
15m
Talk
ViaLin: Path-Aware Dynamic Taint Analysis for Android
Research Papers
Khaled Ahmed University of British Columbia (UBC), YINGYING WANG University of British Columbia, Mieszko Lis The University of British Columbia, Canada, Julia Rubin University of British Columbia, Canada
15:15
15m
Talk
[Remote] Distinguishing Look-Alike Innocent and Vulnerable Code by Subtle Semantic Representation Learning and Explanation
Research Papers
Chao Ni School of Software Technology, Zhejiang University, Xin Yin Zhejiang University, Kaiwen Yang College of Computer Science and Technology, Zhejiang University, Dehai Zhao Australian National University, Australia, Zhenchang Xing Data61, Xin Xia Huawei Technologies