PATEN：通过细粒度补丁增强ast级签名识别未打补丁的第三方api

IF 6.5 1区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

IEEE Transactions on Software Engineering Pub Date : 2025-01-31 DOI:10.1109/TSE.2025.3537102

Li Lin;Jialin Ye;Chao Wang;Rongxin Wu

{"title":"PATEN：通过细粒度补丁增强ast级签名识别未打补丁的第三方api","authors":"Li Lin;Jialin Ye;Chao Wang;Rongxin Wu","doi":"10.1109/TSE.2025.3537102","DOIUrl":null,"url":null,"abstract":"Using a third-party library (TPL) API that is still unpatched with respect to known vulnerabilities would introduce severe security threats, and thus it is important to detect unpatched API as early as possible. Existing vulnerability detection methods often fail to identify subtle differences between patched and vulnerable versions of code, leading to high rates of false positives and missed vulnerabilities. Addressing these limitations, we propose a novel approach that employs a fine-grained, patch-enhanced Abstract Syntax Tree (AST) level signature. This approach consists of two key steps: patch-induced AST difference extraction and vulnerability trace refinement. These steps enable the detailed analysis of structural changes due to patches and enhance the accuracy of vulnerability detection by focusing on the critical elements of code changes. Building on this methodology, we introduce PATEN, a tool designed to accurately detect unpatched TPL APIs. Our evaluation, conducted on a large dataset, demonstrates that PATEN significantly outperforms the state-of-the-art approaches. Specifically, PATEN identified 82 critical vulnerabilities across numerous open-source projects, demonstrating a substantial advancement in the field of unpatched TPL API detection and highlighting its practical implications for improving software security.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 4","pages":"990-1006"},"PeriodicalIF":6.5000,"publicationDate":"2025-01-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"PATEN: Identifying Unpatched Third-Party APIs via Fine-Grained Patch-Enhanced AST-Level Signature\",\"authors\":\"Li Lin;Jialin Ye;Chao Wang;Rongxin Wu\",\"doi\":\"10.1109/TSE.2025.3537102\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Using a third-party library (TPL) API that is still unpatched with respect to known vulnerabilities would introduce severe security threats, and thus it is important to detect unpatched API as early as possible. Existing vulnerability detection methods often fail to identify subtle differences between patched and vulnerable versions of code, leading to high rates of false positives and missed vulnerabilities. Addressing these limitations, we propose a novel approach that employs a fine-grained, patch-enhanced Abstract Syntax Tree (AST) level signature. This approach consists of two key steps: patch-induced AST difference extraction and vulnerability trace refinement. These steps enable the detailed analysis of structural changes due to patches and enhance the accuracy of vulnerability detection by focusing on the critical elements of code changes. Building on this methodology, we introduce PATEN, a tool designed to accurately detect unpatched TPL APIs. Our evaluation, conducted on a large dataset, demonstrates that PATEN significantly outperforms the state-of-the-art approaches. Specifically, PATEN identified 82 critical vulnerabilities across numerous open-source projects, demonstrating a substantial advancement in the field of unpatched TPL API detection and highlighting its practical implications for improving software security.\",\"PeriodicalId\":13324,\"journal\":{\"name\":\"IEEE Transactions on Software Engineering\",\"volume\":\"51 4\",\"pages\":\"990-1006\"},\"PeriodicalIF\":6.5000,\"publicationDate\":\"2025-01-31\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Transactions on Software Engineering\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10859162/\",\"RegionNum\":1,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, SOFTWARE ENGINEERING\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Software Engineering","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10859162/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

摘要

使用针对已知漏洞仍未打补丁的第三方库（TPL） API将引入严重的安全威胁，因此尽早检测未打补丁的API非常重要。现有的漏洞检测方法往往无法识别补丁版本和易受攻击版本之间的细微差异，导致高误报率和漏洞漏检率。针对这些限制，我们提出了一种采用细粒度、补丁增强的抽象语法树（AST）级别签名的新方法。该方法包括两个关键步骤：补丁诱导AST差异提取和漏洞跟踪细化。这些步骤可以详细分析由于补丁导致的结构变化，并通过关注代码变化的关键元素来提高漏洞检测的准确性。在此方法的基础上，我们介绍了PATEN，这是一个旨在准确检测未打补丁的TPL api的工具。我们在大型数据集上进行的评估表明，PATEN的性能明显优于最先进的方法。具体来说，PATEN在众多开源项目中发现了82个关键漏洞，展示了未打补丁的TPL API检测领域的重大进步，并强调了其对提高软件安全性的实际意义。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

PATEN: Identifying Unpatched Third-Party APIs via Fine-Grained Patch-Enhanced AST-Level Signature

Using a third-party library (TPL) API that is still unpatched with respect to known vulnerabilities would introduce severe security threats, and thus it is important to detect unpatched API as early as possible. Existing vulnerability detection methods often fail to identify subtle differences between patched and vulnerable versions of code, leading to high rates of false positives and missed vulnerabilities. Addressing these limitations, we propose a novel approach that employs a fine-grained, patch-enhanced Abstract Syntax Tree (AST) level signature. This approach consists of two key steps: patch-induced AST difference extraction and vulnerability trace refinement. These steps enable the detailed analysis of structural changes due to patches and enhance the accuracy of vulnerability detection by focusing on the critical elements of code changes. Building on this methodology, we introduce PATEN, a tool designed to accurately detect unpatched TPL APIs. Our evaluation, conducted on a large dataset, demonstrates that PATEN significantly outperforms the state-of-the-art approaches. Specifically, PATEN identified 82 critical vulnerabilities across numerous open-source projects, demonstrating a substantial advancement in the field of unpatched TPL API detection and highlighting its practical implications for improving software security.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IEEE Transactions on Software Engineering 工程技术-工程：电子与电气

CiteScore

9.70

自引率

10.80%

发文量

724

审稿时长

6 months

期刊介绍： IEEE Transactions on Software Engineering seeks contributions comprising well-defined theoretical results and empirical studies with potential impacts on software construction, analysis, or management. The scope of this Transactions extends from fundamental mechanisms to the development of principles and their application in specific environments. Specific topic areas include: a) Development and maintenance methods and models: Techniques and principles for specifying, designing, and implementing software systems, encompassing notations and process models. b) Assessment methods: Software tests, validation, reliability models, test and diagnosis procedures, software redundancy, design for error control, and measurements and evaluation of process and product aspects. c) Software project management: Productivity factors, cost models, schedule and organizational issues, and standards. d) Tools and environments: Specific tools, integrated tool environments, associated architectures, databases, and parallel and distributed processing issues. e) System issues: Hardware-software trade-offs. f) State-of-the-art surveys: Syntheses and comprehensive reviews of the historical development within specific areas of interest.