{"title":"VULOC: Vulnerability location framework based on assembly code slicing","authors":"Xinghang Lv , Jianming Fu , Tao Peng","doi":"10.1016/j.jss.2025.112459","DOIUrl":null,"url":null,"abstract":"<div><div>Automated detection of software vulnerabilities is an important topic in software security. Although the currently proposed deep learning-based approaches are effective in detecting vulnerabilities, their lack of accuracy in pinpointing the location of vulnerabilities leads to significant limitations in real-world usage. To address the above problem, we propose a vulnerability location framework based on assembly code slicing, VULOC, which achieves high detection capability and localization accuracy. VULOC first compiles C/C++ programs to obtain assembly code containing addresses. Then we use Addr2line to generate the mapping between assembly code and source code line numbers, and slice the assembly code into code blocks, which are encoded into the neural network model. Finally, we propose the BLSTM-LOC model for learning vulnerability features and predicting vulnerability locations. To the best of our knowledge, it is the first time that the mapping relationship between assembly code and source code line numbers is exploited for vulnerability detection. 
Experimental results show that VULOC exhibits higher performance than the current state-of-the-art vulnerability detection methods, both on existing datasets and real-world software products in vulnerability detection.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"227 ","pages":"Article 112459"},"PeriodicalIF":3.7000,"publicationDate":"2025-04-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S016412122500127X","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}
Citations: 0
Abstract
Automated detection of software vulnerabilities is an important topic in software security. Although the currently proposed deep learning-based approaches are effective in detecting vulnerabilities, their lack of accuracy in pinpointing the location of vulnerabilities leads to significant limitations in real-world usage. To address the above problem, we propose a vulnerability location framework based on assembly code slicing, VULOC, which achieves high detection capability and localization accuracy. VULOC first compiles C/C++ programs to obtain assembly code containing addresses. Then we use Addr2line to generate the mapping between assembly code and source code line numbers, and slice the assembly code into code blocks, which are encoded into the neural network model. Finally, we propose the BLSTM-LOC model for learning vulnerability features and predicting vulnerability locations. To the best of our knowledge, it is the first time that the mapping relationship between assembly code and source code line numbers is exploited for vulnerability detection. Experimental results show that VULOC exhibits higher performance than the current state-of-the-art vulnerability detection methods, both on existing datasets and real-world software products in vulnerability detection.
About the journal:
The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to:
• Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution
• Agile, model-driven, service-oriented, open source and global software development
• Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems
• Human factors and management concerns of software development
• Data management and big data issues of software systems
• Metrics and evaluation, data mining of software development resources
• Business and economic aspects of software development processes
The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.