Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SliceLocator: Locating Vulnerable Statements with Graph-based Detectors

Baijun Cheng, Kailong Wang, Cuiyun Gao, Xiapu Luo, Li Li, Yao Guo, Xiangqun Chen, Haoyu Wang

TL;DR

SliceLocator addresses the gap in vulnerability localization by integrating a GNN-based detector’s differential signals with taint-flow knowledge to pinpoint vulnerability-triggering statements. It performs backward flow-path generation from potential sink points and scores each path via the detector to select the most relevant data flow, achieving around 0.89 TLC and 0.85 FLC on diverse detectors and CWE types. Across experiments, SliceLocator consistently outperforms five explainers and two statement-level detectors, and ablation with random paths confirms the necessity of detector-guided scoring. The approach promises more actionable, fine-grained vulnerability localization with practical implications for faster vulnerability fixes in C/C++ code.

Abstract

Vulnerability detection is a crucial component in the software development lifecycle. Existing vulnerability detectors, especially those based on deep learning (DL) models, have achieved high effectiveness. Despite their capability of detecting vulnerable code snippets from given code fragments, the detectors are typically unable to further locate the fine-grained information pertaining to the vulnerability, such as the precise vulnerability triggering locations. Although explanation methods can filter important statements based on the predictions of code fragments, their effectiveness is limited by the fact that the model primarily learns the difference between vulnerable and non-vulnerable samples. In this paper, we propose SliceLocator, which, unlike previous approaches, leverages the detector's understanding of the differences between vulnerable and non-vulnerable samples, essentially, vulnerability-fixing statements. SliceLocator identifies the most relevant taint flow by selecting the highest-weighted flow path from all potential vulnerability-triggering statements in the program, in conjunction with the detector. We demonstrate that SliceLocator consistently performs well on four state-of-the-art GNN-based vulnerability detectors, achieving an accuracy of around 87% in flagging vulnerability-triggering statements across six common C/C++ vulnerabilities. It outperforms five widely used GNN-based explanation methods and two statement-level detectors.

SliceLocator: Locating Vulnerable Statements with Graph-based Detectors

TL;DR

SliceLocator addresses the gap in vulnerability localization by integrating a GNN-based detector’s differential signals with taint-flow knowledge to pinpoint vulnerability-triggering statements. It performs backward flow-path generation from potential sink points and scores each path via the detector to select the most relevant data flow, achieving around 0.89 TLC and 0.85 FLC on diverse detectors and CWE types. Across experiments, SliceLocator consistently outperforms five explainers and two statement-level detectors, and ablation with random paths confirms the necessity of detector-guided scoring. The approach promises more actionable, fine-grained vulnerability localization with practical implications for faster vulnerability fixes in C/C++ code.

Abstract

Vulnerability detection is a crucial component in the software development lifecycle. Existing vulnerability detectors, especially those based on deep learning (DL) models, have achieved high effectiveness. Despite their capability of detecting vulnerable code snippets from given code fragments, the detectors are typically unable to further locate the fine-grained information pertaining to the vulnerability, such as the precise vulnerability triggering locations. Although explanation methods can filter important statements based on the predictions of code fragments, their effectiveness is limited by the fact that the model primarily learns the difference between vulnerable and non-vulnerable samples. In this paper, we propose SliceLocator, which, unlike previous approaches, leverages the detector's understanding of the differences between vulnerable and non-vulnerable samples, essentially, vulnerability-fixing statements. SliceLocator identifies the most relevant taint flow by selecting the highest-weighted flow path from all potential vulnerability-triggering statements in the program, in conjunction with the detector. We demonstrate that SliceLocator consistently performs well on four state-of-the-art GNN-based vulnerability detectors, achieving an accuracy of around 87% in flagging vulnerability-triggering statements across six common C/C++ vulnerabilities. It outperforms five widely used GNN-based explanation methods and two statement-level detectors.
Paper Structure (23 sections, 4 equations, 10 figures, 4 tables, 1 algorithm)

This paper contains 23 sections, 4 equations, 10 figures, 4 tables, 1 algorithm.

Table of Contents

  1. introduction
  2. Background
  3. GNN-based Vulnerability Detectors
  4. Explanations approaches for vulnerability detection
  5. Problem Formulation and Challenge
  6. Problem Overview
  7. Challenge
  8. Approach
  9. Flow Path Generation
  10. Potential Sink Points (PSPs)
  11. Dependent Statements
  12. Flow Path Selection
  13. Study Design
  14. Evaluation Methodology
  15. Dataset Construction
  16. ...and 8 more sections

Figures (10)

  • Figure 1: General detection phase of deep-learning-based vulnerability detectors with graph representations
  • Figure 2: Simplified code from the fix commit for CVE-2013-2174
  • Figure 3: A example extracted from SARD.
  • Figure 4: Overview of SliceLocator.
  • Figure 5: An example of ignored data-dependence edges.
  • ...and 5 more figures