Generating Mitigations for Downstream Projects to Neutralize Upstream Library Vulnerability
Zirui Chen, Xing Hu, Puhua Sun, Xin Xia, Xiaohu Yang
TL;DR
Library vulnerabilities in downstream projects are hard to neutralize when no patch exists or the library's source code is unavailable. LUMEN is a two-component, LLM-driven framework: a domain-knowledge retrieval module and a mitigation generation module that together produce non-invasive mitigations at the API call site, leaving the library itself untouched. It first searches a database of historical vulnerabilities and their workarounds for a resembling mitigation strategy; when none exists, it falls back to four type-based strategies keyed to the vulnerability's reproducing behavior. Across 121 impacted functions from 40 vulnerabilities, LUMEN mitigates 70.2% while passing 413 of 440 functionality tests, substantially outperforming the baseline and existing AVR/APR methods, which do not address this setting. The result is a practical route to rapid containment of library vulnerabilities in downstream projects when upgrading or patching is not an option, with direct relevance to securing the software supply chain.
Abstract
Third-party libraries are essential in software development because they spare developers from re-implementing existing functionality. However, vulnerabilities in these libraries pose significant risks to the projects that depend on them. Upgrading a dependency to a secure version is not feasible when no patch exists or when the project is pinned to a specific version, and repairing the vulnerability directly is challenging when the library's source code is inaccessible. Both state-of-the-art automatic vulnerability repair (AVR) and automatic program repair (APR) methods fail to address this setting. Mitigating library vulnerabilities without source code or an available patch is therefore crucial for a swift response to potential attacks. Existing tools struggle with generalizability and with preserving functionality while neutralizing the vulnerability. In this study, we introduce LUMEN to mitigate library vulnerabilities in impacted projects. When a vulnerability is disclosed, we retrieve existing workarounds to derive a resembling mitigation strategy. When no resembling strategy exists, we propose type-based strategies keyed to the vulnerability's reproducing behavior and extract the essential information from the vulnerability report to guide mitigation generation. Our evaluation of LUMEN spans 121 impacted functions across 40 vulnerabilities; it successfully mitigates 70.2% of the functions, substantially outperforming our baseline in neutralizing vulnerabilities without functionality loss. We also conduct an ablation study to validate the rationale behind the resembling and type-based strategies.
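The abstract describes mitigations that are applied where the downstream project calls the library rather than inside the library. The block below is an added illustration of that call-site pattern; it is not LUMEN's code and not from any real library. The `third_party` object is a constructed stand-in for an unmodifiable dependency, its length-prefix weakness is made up for this example, and `MAX_DECLARED` is an assumed downstream policy bound. The guard is derived from the triggering condition (an oversized declared length), and it is installed by wrapping the library symbol, so existing call sites need no rewrite and the wrapper can be removed once a fixed version is adopted.

```python
"""Call-site mitigation of a dependency weakness without modifying the library.

Added illustration, not code from the paper. 'third_party' is a constructed
stand-in for an unmodifiable dependency; its weakness is made up here.
"""
import struct
import types


# ---- constructed stand-in for the third-party library -----------------------
def _decode(blob: bytes) -> bytes:
    """Trusts a 4-byte big-endian length prefix and allocates that many bytes.
    A hostile prefix such as 0xFFFFFFFF would exhaust memory (constructed
    weakness, used only to show the mitigation pattern)."""
    (declared,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + declared].ljust(declared, b"\x00")


third_party = types.SimpleNamespace(decode=_decode)


# ---- downstream, non-invasive mitigation ------------------------------------
MAX_DECLARED = 1 << 20  # assumed policy bound chosen by the downstream project


class MitigationRejected(ValueError):
    """Raised when an input matches the vulnerability-triggering condition."""


def length_prefix_guard(blob: bytes) -> None:
    """Reject inputs that reproduce the triggering behaviour before the
    library code ever runs. Only the precondition is checked here; the
    library's own logic is left untouched."""
    if len(blob) < 4:
        raise MitigationRejected("truncated length prefix")
    (declared,) = struct.unpack(">I", blob[:4])
    if declared > MAX_DECLARED or declared > len(blob) - 4:
        raise MitigationRejected(f"declared length {declared} exceeds bound")


def install_call_site_mitigation(module, name, guard):
    """Wrap module.<name> so that guard(*args) runs first. Returns the original
    callable so the wrapper can be uninstalled when a patched release ships."""
    original = getattr(module, name)

    def wrapped(*args, **kwargs):
        guard(*args, **kwargs)
        return original(*args, **kwargs)

    wrapped.__wrapped__ = original
    setattr(module, name, wrapped)
    return original


def decode_untrusted(blob: bytes):
    """Downstream entry point. Returns (True, payload) on success or
    (False, reason) when the mitigation blocked the call."""
    try:
        return True, third_party.decode(blob)
    except MitigationRejected as exc:
        return False, str(exc)


# Apply the mitigation once at import time; call sites keep using
# third_party.decode unchanged.
install_call_site_mitigation(third_party, "decode", length_prefix_guard)


if __name__ == "__main__":
    good = struct.pack(">I", 5) + b"hello"            # constructed benign input
    bad = struct.pack(">I", 0xFFFFFFFF) + b"x"        # constructed trigger
    print(decode_untrusted(good))
    print(decode_untrusted(bad))
```

The guard encodes only what the reproducing behaviour tells us (a declared length that cannot be honoured), so benign inputs pass through to the unchanged library while the trigger is refused with a controlled error instead of an allocation failure deep inside the dependency.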
