Exploiting Library Vulnerability via Migration Based Automating Test Generation
CoRR(2023)
摘要
In software development, developers extensively utilize third-party libraries
to avoid implementing existing functionalities. When a new third-party library
vulnerability is disclosed, project maintainers need to determine whether their
projects are affected by the vulnerability, which requires developers to invest
substantial effort in assessment. However, existing tools face a series of
issues: static analysis tools produce false alarms, dynamic analysis tools
require existing tests and test generation tools have low success rates when
facing complex vulnerabilities.
Vulnerability exploits, as code snippets provided for reproducing
vulnerabilities after disclosure, contain a wealth of vulnerability-related
information. This study proposes a new method based on vulnerability exploits,
called VESTA (Vulnerability Exploit-based Software Testing Auto-Generator),
which provides vulnerability exploit tests as the basis for developers to
decide whether to update dependencies. VESTA extends the search-based test
generation methods by adding a migration step, ensuring the similarity between
the generated test and the vulnerability exploit, which increases the
likelihood of detecting potential library vulnerabilities in a project.
We perform experiments on 30 vulnerabilities disclosed in the past five
years, involving 60 vulnerability-project pairs, and compare the experimental
results with the baseline method, TRANSFER. The success rate of VESTA is 71.7\%
which is a 53.4\% improvement over TRANSFER in the effectiveness of verifying
exploitable vulnerabilities.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要