Unintentional Security Flaws in Code: Automated Defense via Root Cause Analysis

Nafis Tanveer Islam, Mazal Bethany, Dylan Manuel, Murtuza Jadliwala, Peyman Najafirad

TL;DR

This paper addresses the gap in actionable root-cause analysis for software vulnerabilities by introducing T5-RCGCN, an automated tool that combines CodeT5 embeddings, a semantic graph with a graph convolutional network, and DeepLiftSHAP to classify, localize, and identify the root cause of vulnerabilities. Across datasets and real-world IoT code, it achieves state-of-the-art vulnerability classification and localization while enabling improved security outcomes and learning for junior developers; notably, it reports an 11.2 percentage-point gain in F1 and a 16.5 percentage-point gain in IoU over strong baselines, with practical improvements in secure coding ability and faster repairs. The work also demonstrates the model’s capability to discover n-day and zero-day vulnerabilities in IoT OS repositories and provides evidence of educational benefits, suggesting a path toward more proactive and sustainable secure coding practices. Limitations include the dataset and participant scope, but the results motivate broader evaluations and multi-language extensions to generalize root-cause analysis in code security.

Abstract

Software security remains a critical concern, particularly as junior developers, often lacking comprehensive knowledge of security practices, contribute to codebases. While there are tools to help developers proactively write secure code, their actual effectiveness in helping developers fix their vulnerable code remains largely unmeasured. Moreover, these approaches typically focus on classifying and localizing vulnerabilities without highlighting the specific code segments that are the root cause of the issues, a crucial aspect for developers seeking to fix their vulnerable code. To address these challenges, we conducted a comprehensive study evaluating the efficacy of existing methods in helping junior developers secure their code. Our findings across five types of security vulnerabilities revealed that current tools enabled developers to secure only 36.2% of vulnerable code. Questionnaire results from these participants further indicated that not knowing the code that was the root cause of the vulnerability was one of their primary challenges in repairing the vulnerable code. Informed by these insights, we developed an automated vulnerability root cause (RC) toolkit called T5-RCGCN that combines T5 language model embeddings with a graph convolutional network (GCN) for vulnerability classification and localization. Additionally, we integrated DeepLiftSHAP to identify the code segments that were the root cause of the vulnerability. We tested T5-RCGCN with 56 junior developers across three datasets, showing a 28.9% improvement in code security compared to previous methods. Developers using the tool also gained a deeper understanding of vulnerability root causes, resulting in a 17.0% improvement in their ability to secure code independently. These results demonstrate the tool's potential for both immediate security enhancement and long-term developer skill growth.

Paper Structure

This paper contains 46 sections, 5 equations, 5 figures, 8 tables, and 1 algorithm.

Figures (5)

  • Figure 1: Sample source code provided to the participants, depicted at the top, and the output produced by the SOTA techniques, shown at the bottom. We conducted our initial survey by providing the participants with this information and determined their capability to repair the vulnerability using these two outputs: the classification and the vulnerable line.
  • Figure 2: The proposed architecture of our system: an LLM-powered source code diagnostic tool that assists programmers in vulnerability identification, classification, localization, and identification of the root cause of the vulnerability.
  • Figure 3: Multi-class vulnerability classification of vulnerable code from the BigVul dataset, comparing SOTA techniques to our proposed T5-RCGCN. The X-axis is the vulnerability category, and the Y-axis shows the F1 score.
  • Figure 4: Sample source code provided to the participants depicted at the top and output at the bottom provided by T5-RCGCN. Our system takes in vulnerable code and outputs the vulnerability classification, vulnerability localization, and unlike other methods, our system also outputs the root cause of the vulnerability.
  • Figure 5: Performance of Developer Learning when Comparing T5-RCGCN vs. Baseline Group