GLICE: Combining Graph Neural Networks and Program Slicing to Improve Software Vulnerability Detection

Abstract

This paper introduces the GLICE (Graph Neural Network with program slice) model for static code analysis to detect vulnerabilities in source code. GLICE combines inter-procedural program slicing with a Graph Neural Network. It builds upon and extends prior work that applies program slicing (as in the SySeVR model) and Graph Neural Networks (as in the FUNDED model) for vulnerability detection. We apply GLICE on a data set of C/C++ code samples with out-of-bounds write (CWE-787) and out-of-bounds read (CWE-125) butter overflow vulnerabilities. We perform experiments with GLICE to evaluate trade-offs in the depth of the inter-procedural analysis, and to compare GLICE with prior models by evaluating the effectiveness for vulnerability detection and the usage of resources. Our experimental results show that detection accuracy of GLICE improves up to 13% when compared to FUNDED, while the time required to train the GLICE model is about 9 times smaller. GLICE allows configuring the depth of the interprocedural analysis. Our experimental results show that increasing the depth will improve detection, which however requires more computing resources. This allows a user of GLICE to steer the trade-off between detection accuracy and computational efficiency.