Generating API Parameter Security Rules with LLM for API Misuse Detection

Jinghua Liu, Yi Yang, Kai Chen, Miaoqian Lin
{"title":"Generating API Parameter Security Rules with LLM for API Misuse Detection","authors":"Jinghua Liu, Yi Yang, Kai Chen, Miaoqian Lin","doi":"arxiv-2409.09288","DOIUrl":null,"url":null,"abstract":"In this paper, we present a new framework, named GPTAid, for automatic APSRs\ngeneration by analyzing API source code with LLM and detecting API misuse\ncaused by incorrect parameter use. To validate the correctness of the\nLLM-generated APSRs, we propose an execution feedback-checking approach based\non the observation that security-critical API misuse is often caused by APSRs\nviolations, and most of them result in runtime errors. Specifically, GPTAid\nfirst uses LLM to generate raw APSRs and the Right calling code, and then\ngenerates Violation code for each raw APSR by modifying the Right calling code\nusing LLM. Subsequently, GPTAid performs dynamic execution on each piece of\nViolation code and further filters out the incorrect APSRs based on runtime\nerrors. To further generate concrete APSRs, GPTAid employs a code differential\nanalysis to refine the filtered ones. Particularly, as the programming language\nis more precise than natural language, GPTAid identifies the key operations\nwithin Violation code by differential analysis, and then generates the\ncorresponding concrete APSR based on the aforementioned operations. These\nconcrete APSRs could be precisely interpreted into applicable detection code,\nwhich proven to be effective in API misuse detection. Implementing on the\ndataset containing 200 randomly selected APIs from eight popular libraries,\nGPTAid achieves a precision of 92.3%. Moreover, it generates 6 times more APSRs\nthan state-of-the-art detectors on a comparison dataset of previously reported\nbugs and APSRs. We further evaluated GPTAid on 47 applications, 210 unknown\nsecurity bugs were found potentially resulting in severe security issues (e.g.,\nsystem crashes), 150 of which have been confirmed by developers after our\nreports.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2024-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.09288","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

In this paper, we present a new framework, named GPTAid, for automatic APSRs generation by analyzing API source code with LLM and detecting API misuse caused by incorrect parameter use. To validate the correctness of the LLM-generated APSRs, we propose an execution feedback-checking approach based on the observation that security-critical API misuse is often caused by APSRs violations, and most of them result in runtime errors. Specifically, GPTAid first uses LLM to generate raw APSRs and the Right calling code, and then generates Violation code for each raw APSR by modifying the Right calling code using LLM. Subsequently, GPTAid performs dynamic execution on each piece of Violation code and further filters out the incorrect APSRs based on runtime errors. To further generate concrete APSRs, GPTAid employs a code differential analysis to refine the filtered ones. Particularly, as the programming language is more precise than natural language, GPTAid identifies the key operations within Violation code by differential analysis, and then generates the corresponding concrete APSR based on the aforementioned operations. These concrete APSRs could be precisely interpreted into applicable detection code, which proven to be effective in API misuse detection. Implementing on the dataset containing 200 randomly selected APIs from eight popular libraries, GPTAid achieves a precision of 92.3%. Moreover, it generates 6 times more APSRs than state-of-the-art detectors on a comparison dataset of previously reported bugs and APSRs. We further evaluated GPTAid on 47 applications, 210 unknown security bugs were found potentially resulting in severe security issues (e.g., system crashes), 150 of which have been confirmed by developers after our reports.
利用 LLM 生成 API 参数安全规则,用于 API 滥用检测
在本文中,我们提出了一个名为 GPTAid 的新框架,通过使用 LLM 分析 API 源代码并检测因参数使用不当而导致的 API 误用,从而自动生成 APSR。为了验证 LLM 生成的 APSR 的正确性,我们提出了一种执行反馈检查方法,该方法基于以下观察:安全关键 API 的误用通常是由违反 APSR 引起的,其中大多数会导致运行时错误。具体来说,GPTAid 首先使用 LLM 生成原始 APSR 和正确调用代码,然后通过使用 LLM 修改正确调用代码为每个原始 APSR 生成违规代码。随后,GPTAid 对每段违规代码执行动态执行,并根据运行时错误进一步过滤出错误的 APSR。为了进一步生成具体的 APSR,GPTAid 采用了代码差异分析法来完善过滤后的 APSR。特别是,由于编程语言比自然语言更加精确,GPTAid 通过差分分析识别出违规代码中的关键操作,然后根据上述操作生成相应的具体 APSR。这些具体的 APSR 可以被精确地解释为适用的检测代码,在 API 滥用检测中被证明是有效的。GPTAid 在包含从八个流行库中随机抽取的 200 个 API 的数据集上实现了 92.3% 的精确度。此外,在以前报道过的漏洞和APSR的对比数据集上,它生成的APSR是最先进检测器的6倍。我们在 47 个应用程序上对 GPTAid 进行了进一步评估,发现了 210 个可能导致严重安全问题(如系统崩溃)的未知安全漏洞,其中 150 个漏洞在我们报告后得到了开发人员的确认。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信