
ARVO: Atlas of Reproducible Vulnerabilities for Open Source Software

Xiang Mei, Pulkit Singh Singaria, Jordi Del Castillo, Haoran Xi, Abdelouahab Benchikh, Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, Adam Doupé, Hammond Pearce, Brendan Dolan-Gavitt

TL;DR

ARVO presents a scalable framework and dataset that convert OSS-Fuzz vulnerability reports into reproducible, recompilable instances with exact patches and triggering inputs. By combining a reproducible builder and a precise fix locator, ARVO reproduces thousands of real-world vulnerabilities across hundreds of projects and provides Dockerized artifacts for easy access, enabling robust evaluation of vulnerability repair and detection methods. The work demonstrates substantial improvements over prior reproducers, reveals numerous false positives and even leaked zero-days in OSS-Fuzz, and shows practical value through two case studies on LLM-based bug repair and zero-day discovery. ARVO's open-source design and auto-updating data stream position it as a foundational resource for future binary security research and benchmarking.

Abstract

High-quality datasets of real-world vulnerabilities are enormously valuable for downstream research in software security, but existing datasets are typically small, require extensive manual effort to update, and are missing crucial features that such research needs. In this paper, we introduce ARVO: an Atlas of Reproducible Vulnerabilities in Open-source software. By sourcing vulnerabilities from C/C++ projects that Google's OSS-Fuzz discovered and implementing a reliable re-compilation system, we successfully reproduce more than 5,000 memory vulnerabilities across over 250 projects, each with a triggering input, the canonical developer-written patch for fixing the vulnerability, and the ability to automatically rebuild the project from source and run it at its vulnerable and patched revisions. Moreover, our dataset can be automatically updated as OSS-Fuzz finds new vulnerabilities, allowing it to grow over time. We provide a thorough characterization of the ARVO dataset, show that it can locate fixes more accurately than Google's own OSV reproduction effort, and demonstrate its value for future research through two case studies: firstly evaluating real-world LLM-based vulnerability repair, and secondly identifying over 300 falsely patched (still-active) zero-day vulnerabilities from projects improperly labeled by OSS-Fuzz.
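The TL;DR and abstract describe a fix locator that pins down the developer-written patch for each OSS-Fuzz crash, and a second case study that found "fixed" issues still reproducing. The following is an added illustration of the minimal behaviour such a locator needs, not ARVO's own code or algorithm: it bisects a linear commit history with a crash oracle, and refuses to name a fix commit when the claimed-fixed revision still crashes (the "falsely patched" case) or when the known-bad revision does not crash at all. The commit history, the two harness functions and the triggering input are all constructed here; a real locator would build each revision in a container and run the fuzz target under a sanitizer instead of calling a Python function.

```python
"""Bisection-style fix locator over a linear commit history (illustrative only)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

BUF_SIZE = 8


def harness_vulnerable(data: bytes) -> None:
    """Constructed stand-in for an unbounded copy into a fixed-size buffer."""
    buf = bytearray(BUF_SIZE)
    for i, byte in enumerate(data):
        buf[i] = byte  # IndexError here plays the role of a sanitizer report


def harness_fixed(data: bytes) -> None:
    """The same copy with the bounds check a developer patch would add."""
    buf = bytearray(BUF_SIZE)
    for i, byte in enumerate(data[:BUF_SIZE]):
        buf[i] = byte


def crashes(harness: Callable[[bytes], None], trigger: bytes) -> bool:
    """Crash oracle: True if running the harness on the trigger raises."""
    try:
        harness(trigger)
    except IndexError:
        return True
    return False


@dataclass
class LocateResult:
    status: str                # "fix_found", "still_vulnerable" or "not_reproducible"
    fix_commit: Optional[str]  # first revision that no longer crashes, if any
    builds: int                # number of revisions that had to be built and run


# (commit id, harness at that revision); hypothetical history, oldest first
Commit = Tuple[str, Callable[[bytes], None]]


def locate_fix(history: List[Commit], trigger: bytes) -> LocateResult:
    """Find the first non-crashing revision between a crashing and a claimed-fixed one.

    Assumes the crash predicate is monotone along the history (crashes, then
    stops crashing once the fix lands). The two endpoint checks guard the
    cases where that assumption, or the upstream 'fixed' label, is wrong.
    """
    builds = 0

    def crashes_at(idx: int) -> bool:
        nonlocal builds
        builds += 1
        return crashes(history[idx][1], trigger)

    if not crashes_at(0):
        # The supposedly vulnerable revision does not reproduce: nothing to locate.
        return LocateResult("not_reproducible", None, builds)
    if crashes_at(len(history) - 1):
        # The revision OSS-Fuzz marked as fixed still crashes: treat as still active.
        return LocateResult("still_vulnerable", None, builds)

    lo, hi = 0, len(history) - 1  # invariant: lo crashes, hi does not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if crashes_at(mid):
            lo = mid
        else:
            hi = mid
    return LocateResult("fix_found", history[hi][0], builds)


# Constructed sample data: a 16-byte input that overruns the 8-byte buffer.
TRIGGER = b"A" * 16

HISTORY: List[Commit] = [
    ("c0", harness_vulnerable), ("c1", harness_vulnerable), ("c2", harness_vulnerable),
    ("c3", harness_fixed), ("c4", harness_fixed), ("c5", harness_fixed),
]

# A history whose last revision was labelled fixed but never actually changed the copy.
FALSELY_PATCHED: List[Commit] = [
    ("d0", harness_vulnerable), ("d1", harness_vulnerable), ("d2", harness_vulnerable),
]

if __name__ == "__main__":
    print(locate_fix(HISTORY, TRIGGER))
    print(locate_fix(FALSELY_PATCHED, TRIGGER))
```

Each bisection step costs one full build, which is why the endpoint checks come first: they cost two builds and catch both mislabelled issues and non-reproducing crashes before any search is spent on them. On the six-commit history above the locator names `c3` after four builds; on the falsely patched history it stops after two and reports the issue as still active.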

Paper Structure (26 sections, 9 figures, 6 tables)

Figures (9)

  • Figure 1: Overview of ARVO.
  • Figure 2: ARVO Reproducer Structure
  • Figure 3: Simplified Compiling Procedure
  • Figure 4: Vulnerability lifecycle for OSS-Fuzz issue 44851 on Imagemagick.
  • Figure 5: Revision Control on Locator.
  • ...and 4 more figures