Affiliation:
1. School of Computer Science and Engineering, Xi’an Technological University, Xi’an, 710021 Shaanxi, China
Abstract
With the rapid growth of open-source software, code cloning has become increasingly prevalent. If there are security vulnerabilities in a cloned code segment, those vulnerabilities may spread in the related software to potentially lead to security incidents. The existing methods of vulnerable code detection are performed on the condition that the source code is converted into an intermediate representation. However, these methods do not fully consider the rich semantic knowledge and patch information available for vulnerable codes, which can induce a high false positive rate (FPR). To address this problem, this paper proposes a vulnerable code clone detection method based on code fingerprints, named the Context-enhanced and Patch-validation-based Vulnerable code clone Detector (CPVDetector). A fingerprint database is built for functions, code snippets, and patches derived from preprocessed vulnerable source code. The target code to be detected is firstly transformed into function-level fingerprints. If clone detection fails at this coarse granularity, the detector is then applied at the finer line-level granularity. When fingerprint matching is successful between the target code and the vulnerable code segments, the detector will proceed to verify the context of vulnerable codes. Finally, CPVDetector can verify the fingerprints of patches corresponding to vulnerable codes to further reduce the FPR. Based on the generally accepted classification of code clones, CPVDetector can identify Type 1 and Type 2 vulnerable code clones at the coarse-grained level and offers significantly improved detection sensitivity for Type 3 and Type 4 code clones at the fine-grained level. Experimental results show that the proposed method can achieve high accuracy with a fast detection speed, and the FPR is as low as 2.35%, which is less than one-third of that of other existing methods. In view of its competitive performance and efficiency, CPVDetector can be applied in large-scale vulnerable code detection scenarios.
Funder
Science and Technology Project Funded by Weiyang District in Xi’an City, Shaanxi Province, China
Subject
Electrical and Electronic Engineering,Computer Networks and Communications,Information Systems
Reference38 articles.
1. Understanding Open Source Software Evolution 181
2. Scaling open source communities: an empirical study of the Linux kernel;X. Tan
3. GitHub
4. Analysis of requirements volatility during software development life cycle;N. Nurmuliani
5. Comparison and Evaluation of Clone Detection Tools
Cited by
3 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Investigation on Integration of Machine Learning Techniques into LC/NC Platforms for Code Review, Quality Assessment, and Error Detection Automation;2024 11th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO);2024-03-14
2. Learning to Predict Tendency of CVE Vulnerability;2023 6th International Conference on Computer Network, Electronic and Automation (ICCNEA);2023-09-22
3. A novel prediction method for vulnerability outbreak trend;Computers and Electrical Engineering;2023-05