HaiTao Tian,Liusheng Huang

2003-01-01

Abstract:Discovery, dissemination and avoidance of vulnerabilities efficiently in information systems play the central role in security area. Vulnerability information from different sources is currently ambiguous text-based description that is not machine-readable and can not be efficiently data-mined, combined or used in other in-depth automatic process. This paper presents a common vulnerability markup language (CVML) based on XML that describes vulnerabilities in a more structural and formal way to sovle the problem. There are mainly 4 parts in CVML: General information, how to Judge-Exsitence, Solutions, and how to Eploit. A prototype of zero-administration framework of system securtiy based on CVML is also implemented. In the framwork, more manageable vulnerability databases are built; promulgating and sharing of vulnerability knowledge are easier; compare, combine and refinement of vulnerability information from different sources are done more efficiently; moreover automatic scan and patch of system vulnerabilities leads to self managing systems.

H. T. Tian,Liusheng Huang,Z. Zhou,Yonglong Luo

DOI: https://doi.org/10.1109/ISPAN.2004.1300542

2004-01-01

Abstract:With the continuous flood of vulnerabilities of computers, vulnerability management is a very important task for administrators to keep systems as secure as possible. Facing numerous attackers armed with complicated, automated tools, current manual vulnerability management by administrators is so time-consuming, error-prone. Administrators also do need automated defensive tools. This paper proposes an open framework of automated vulnerability management that dramatically alleviates the burden of administrators and improves the security of systems. In this framework, we present three XML based markup languages, Common Vulnerability Markup Language (CVML), System Information Markup Language (SIML), Network System Markup Language (NSML) to express crucial information related to systems and vulnerabilities to facilitate automated exchange and processing. Host Vulnerability Managers (HVMs) running on the target host maintain the crucial system information in SIML, receive vulnerability advisories in CVML from various sources, decide what vulnerabilities exist, and try to fix vulnerabilities automatically if possible. Domain vulnerability managers (DVMs) are responsible for the vulnerability management in NSML of the local network. DVMs correlate reports from HVMs and scan for network-based vulnerabilities in this domain. We have implemented a prototype of the framework that shows the effectiveness and efficiency of our solution.

H. T. Tian,L. S. Huang,J. L. Shan,G. L. Chen

DOI: https://doi.org/10.1007/978-3-540-24679-4_182

2004-01-01

Abstract:Vulnerability management plays a key role in the security area, but it is now too time-consuming, and error-prone. Based on a machine-readable vulnerability description language CVML, this paper proposes an automated vulnerability management framework through web services, which alleviates the burden of administrators and improves the security of systems dramatically.

Chao Ni,Liyu Shen,Xiaohu Yang,Yan Zhu,Shaohua Wang

DOI: https://doi.org/10.1145/3643991.3644886

2024-01-01

Abstract:We constructed a newly large-scale and comprehensive C/C++ vulnerability dataset named MegaVul by crawling the Common Vulnerabilities and Exposures (CVE) database and CVE-related open-source projects. Specifically, we collected all crawlable descriptive information of the vulnerabilities from the CVE database and extracted all vulnerability-related code changes from 28 Git-based websites. We adopt advanced tools to ensure the extracted code integrality and enrich the code with four different transformed representations. Totally, MegaVul contains 17,380 vulnerabilities collected from 992 open-source repositories spanning 169 different vulnerability types disclosed from January 2006 to October 2023. Thus, MegaVul can be used for a variety of software security-related tasks including detecting vulnerabilities and assessing vulnerability severity. All information is stored in the JSON format for easy usage. MegaVul is publicly available on GitHub and will be continuously updated. It can be easily extended to other programming languages.

Qiuyuan Chen,Lingfeng Bao,Li Li,Xin Xia,Liang Cai

DOI: https://doi.org/10.1109/APSEC.2018.00049

2018-01-01

Abstract:To share vulnerability information across separate databases, tools, and services, newly identified vulnerabilities are recurrently reported to Common Vulnerabilities and Exposures (CVE) database.Unfortunately, not all vulnerability reports will be accepted. Some of them might get rejected or be accepted with disputations.In this work, we refer to those rejected or disputed CVEs as invalid vulnerability reports. Invalid vulnerability reports not only cause unnecessary efforts to confirm the vulnerability but also impact the reputation of the software vendors. In this paper, we aim to understand the root causes of invalid vulnerability reports and build a prediction model to automatically identify them.To this end, we first leverage card sorting to categorize invalid vulnerability reports, from which six main reasons are observed for rejected and disputed CVEs, respectively.Then, we propose a text mining approach to predict the invalid vulnerability reports. Our experiments reveal that the proposed text mining approach can achieve an AUC score of 0.87 for predicting invalid vulnerabilities. We also discuss the implications of our study: our categorization can be used to guide new committer to avoid these traps; some root causes of invalid CVEs can be avoided by using automatic techniques or optimizing reviewing mechanism; invalid vulnerability reports data should not be neglected.

Kedi Shen,Yun Zhang,Lingfeng Bao,Zhiyuan Wan,Zhuorong Li,Minghui Wu

DOI: https://doi.org/10.1109/ICSE-COMPANION58688.2023.00049

2023-01-01

Abstract:With the rapid development of open source projects, the continuous emergence of vulnerabilities in the project brings great challenges to the security of the project. Security patches are one of the best ways to deal with vulnerabilities, but are not well applied currently. Although there are sites like CVE/NVD that provide information about vulnerabilities, many of the vulnerabilities disclosed by CVE/NVD are not accompanied by security patches. This makes it difficult for developers to apply patches. In the present study, a sorting method based on extracting multidimensional features from auxiliary information in CVE/NVD was proposed. And we made a further step, we proposed VCMATCH, a model for mining semantic information in vulnerability description and code commit messages, which has good recall rate and applicability across projects. On this basis, we established Patchmatch, a tool for helping developers to quickly locate patches. Given a vulnerability, Patchmatch can forecast the implicit patches in the code repository's commits. Patchmatch also has a visual webpage for information statistics and a display web page to help developers manage all kinds of information in the code repository. A demo video of Patchmatch is at https://www.youtube.com/watch?v=nOBSMFtZV8A. Patchmatch is in https://github.com/Sklud1456/patchmatch.

Shengyi Pan,Lingfeng Bao,Xin Xia,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icse48619.2023.00088

2023-01-01

Abstract:Identifying security patches via code commits to allow early warnings and timely fixes for Open Source Software (OSS) has received increasing attention. However, the existing detection methods can only identify the presence of a patch (i.e., a binary classification) but fail to pinpoint the vulnerability type. In this work, we take the first step to categorize the security patches into fine-grained vulnerability types. Specifically, we use the Common Weakness Enumeration (CWE) as the label and perform fine-grained classification using categories at the third level of the CWE tree. We first formulate the task as a Hierarchical Multi-label Classification (HMC) problem, i.e., inferring a path (a sequence of CWE nodes) from the root of the CWE tree to the node at the target depth. We then propose an approach named TREEVUL with a hierarchical and chained architecture, which manages to utilize the structure information of the CWE tree as prior knowledge of the classification task. We further propose a tree structure aware and beam search based inference algorithm for retrieving the optimal path with the highest merged probability. We collect a large security patch dataset from NVD, consisting of 6,541 commits from 1,560 GitHub OSS repositories. Experimental results show that TREEVUL significantly outperforms the best performing baselines, with improvements of 5.9%, 25.0%, and 7.7% in terms of weighted F1-score, macro F1-score, and MCC, respectively. We further conduct a user study and a case study to verify the practical value of TREEVUL in enriching the binary patch detection results and improving the data quality of NVD, respectively.

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3663529.3663835

2024-01-01

Abstract:Today’s software industry heavily relies on open source software (OSS). However, the rapidly increasing number of OSS software vulnerabilities (SVs) poses huge security risks to the software supply chain. Managing the SVs in the relied OSS components has become a critical concern for software vendors. Due to the limited resources in practice, an essential focus for the vendors is to locate and prioritize the remediation of critical SVs (CSVs), i.e., those tend to cause huge losses. Particularly, in the software industry, vendors are obliged to comply with the security service level agreement (SLA), which mandates the fix of CSVs within a short time frame (e.g., 15 days). However, to the best of our knowledge, there is no empirical study that specifically investigates CSVs. The existing works only target at general SVs, missing a view of the unique characteristics of CSVs. In this paper, we investigate the distributions (from temporal, type, and repository dimension) and the current remediation practice of CSVs in the OSS ecosystem, especially their differences compared with non-critical SVs (NCSVs). We adopt the industry standard to refer SVs with a 9+ Common Vulnerability Scoring System (CVSS) score as CSVs and others as NCSVs. We collect a large-scale dataset containing 14,867 SVs and artifacts associated with their remediation (e.g., issue report, commit) across 4,462 GitHub repositories. Our findings regarding CSV distributions can help practitioners better locate these hot spots. Regarding the remediation practice, we observe that though CSVs receive higher priorities, some practices (e.g., complicated review and testing pro-cess) may unintentionally cause the delay to their fixes. We also point out the risks of SV information leakage during remediation process, which could leave a window-of-opportunity of over 30 days on median for zero-day attacks. Based on our findings, we provide implications to improve the current CSV remediation practice.

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Shengyi Pan,Jiayuan Zhou,Filipe Roseiro Cogo,Xin Xia,Lingfeng Bao,Xing Hu,Shanping Li,Ahmed E. Hassan

DOI: https://doi.org/10.1145/3540250.3549156

2022-01-01

Abstract:The coordinated vulnerability disclosure (CVD) process is commonly adopted for open source software (OSS) vulnerability management, which suggests to privately report the discovered vulnerabilities and keep relevant information secret until the official disclosure. However, in practice, due to various reasons (e.g., lacking security domain expertise or the sense of security management), many vulnerabilities are first reported via public issue reports (IRs) before its official disclosure. Such IRs are dangerous IRs, since attackers can take advantages of the leaked vulnerability information to launch zero-day attacks. It is crucial to identify such dangerous IRs at an early stage, such that OSS users can start the vulnerability remediation process earlier and OSS maintainers can timely manage the dangerous IRs. In this paper, we propose and evaluate a deep learning based approach, namely MemVul, to automatically identify dangerous IRs at the time they are reported. MemVul augments the neural networks with a memory component, which stores the external vulnerability knowledge from Common Weakness Enumeration (CWE). We rely on publicly accessible CVE-referred IRs (CIRs) to operationalize the concept of dangerous IR. We mine 3,937 CIRs distributed across 1,390 OSS projects hosted on GitHub. Evaluated under a practical scenario of high data imbalance, MemVul achieves the best trade-off between precision and recall among all baselines. In particular, the F1-score of MemVul (i.e., 0.49) improves the best performing baseline by 44%. For IRs that are predicted as CIRs but not reported to CVE, we conduct a user study to investigate their usefulness to OSS stakeholders. We observe that 82% (41 out of 50) of these IRs are security-related and 28 of them are suggested by security experts to be publicly disclosed, indicating MemVul is capable of identifying undisclosed dangerous IRs.

Min Tang,Shang-Ching Chou,Jinxiang Dong

DOI: https://doi.org/10.1145/1044588.1044610

2004-01-01

Abstract:CVE makes collaborative feature modeling among multi-users possible, but the token-passing method that most of current collaborative feature modeling systems use as its collaborative strategy makes the design inflexible and inefficient. Based on the analysis of feature operation in collaborative environment, we propose a new method to solve the conflicts and define a process for non-locked multi-user collaborative design. Based on this method, we have implemented a prototype system integrating C++, Java3D and VML, CORBA technologies to achieve flexibility and efficiency in CVE for feature based modeling.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen

DOI: https://doi.org/10.1093/comjnl/bxp040

2009-01-01

The Computer Journal

Abstract:The dictionary of common vulnerabilities and exposures (CVEs) is a compilation of known security loopholes whose objective is to both facilitate the exchange of security-related information and expedite vulnerability analysis of computer systems. Its lack of categorization and generalization capability renders the dictionary ineffective when it comes to developing defense strategies for clustered vulnerabilities instead of individual exploits. To address this issue, we propose a CVE categorization framework termed CVE Classifier that transforms the dictionary into a classifier that not only categorizes CVEs with respect to diverse taxonomic features but can also evaluate general trends in the evolution of vulnerabilities. With the help of support vector machines, CVE Classifier builds learning models for taxonomic features based on training data automatically extracted from pertinent vulnerability databases including BID, X-Force and Secunia, and CVE entries containing telltale keywords unique to taxonomic features. We use word-stemming and stopword-removal techniques to reduce the dimensions of the feature space formed by CVEs and develop a data fusion and cleansing process to eliminate data inconsistencies to improve classification performance. The CVE classification produced by the proposed framework reveals that the majority of the Internet security loopholes are harbored by a small set of services. Moreover, it becomes evident that the widespread deployment of security devices provides many additional attack points as such devices demonstrate a great mount of vulnerabilities. Finally, the CVE Classifier points out that remotely exploitable security loopholes continue to dominate the CVEs landscape.

CHEN Xiu-zhen,LI Jian-hua

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.09.004

2007-01-01

Abstract:The main intention of vulnerability assessment technology is to find existed vulnerabilities hidden in the networked systems by active probing and to provide corresponding solutions before hackers exploit them. It is based on the idea of nip in the bud. The most vulnerability assessment systems have shortcomings of high false rate, long-term scanning period and using exploit code. Aimed at these shortcomings, a novel model of vulnerability assessment based on open vulnerability assessment language is proposed in this paper. The proposed system consists of three modules: central console, checking agent and data center, which corporate to achieve vulnerability assessment. Compared with other vulnerability assessment systems, it is of high precision, low impact on the audited system performance, short term scanning period and strong scalability. Moreover, it avoids the work of developing exploit code required by traditional vulnerability assessment systems.

Ruyi Wang,Ling Gao,Qian Sun,Deheng Sun

DOI: https://doi.org/10.1109/mines.2011.27

2011-01-01

Abstract:Through scoring vulnerabilities according to their risks, mastering statuses of vulnerabilities, security managers could adjust the configuration for computer security in time and give repair methods to different vulnerabilities flexibly. Since scoring vulnerabilities is significant for evaluating and repairing vulnerabilities, this paper presents a vulnerability scoring mechanism based on CVSS by analyzing advantages and disadvantages of CVSS and comparing with some improved CVSS-based methods. Our improved scoring mechanism makes the vulnerability evaluating more exactly and effectively, simplifying the process of vulnerability evaluating.

Ming Huang,Yisha Lu,Qingkai Zeng

2010-01-01

Abstract:As the core of various security problems, software vulnerability is the main challenge in the information security field. Particularly, software vulnerability modeling is an actively defensive measure for software security, aiming to detect and eliminate the potential vulnerabilities before they have been exploited. In this paper, a structured and graphic method for modeling vulnerability is proposed. The method combines the advantages of existing methods to depict and reason about security vulnerabilities, which would be useful for a better understanding of the nature of vulnerabilities, and become an effective way to detect and prevent the software vulnerabilities. The practical application result shows that GSM could reveal some related information and properties that existing methods cannot find in the vulnerability databases in public.

Hao Zhuang,Florian Pydde

DOI: https://doi.org/10.48550/arXiv.1611.07383

2016-12-07

Abstract:Understanding the severity of vulnerabilities within cloud services is particularly important for today service <a class="link-external link-http" href="http://administrators.Although" rel="external noopener nofollow">this http URL</a> many systems, e.g., CVSS, have been built to evaluate and score the severity of vulnerabilities for administrators, the scoring schemes employed by these systems fail to take into account the contextual information of specific services having these vulnerabilities, such as what roles they play in a particular service. Such a deficiency makes resulting scores unhelpful. This paper presents a practical framework, NCVS, that offers automatic and contextual scoring mechanism to evaluate the severity of vulnerabilities for a particular service. Specifically, for a given service S, NCVS first automatically collects S contextual information including topology, configurations, vulnerabilities and their dependencies. Then, NCVS uses the collected information to build a contextual dependency graph, named CDG, to model S context. Finally, NCVS scores and ranks all the vulnerabilities in S by analyzing S context, such as what roles the vulnerabilities play in S, and how critical they affect the functionality of S. NCVS is novel and useful, because 1) context-based vulnerability scoring results are highly relevant and meaningful for administrators to understand each vulnerability importance specific to the target service; and 2) the workflow of NCVS does not need instrumentation or modifications to any source code. Our experimental results demonstrate that NCVS can obtain more relevant vulnerability scoring results than comparable system, such as CVSS.

Cryptography and Security

Matthew Tassava,Cameron Kolodjski,Jeremy Straub

2023-06-07

Abstract:A system vulnerability analysis technique (SVAT) for complex mission critical systems (CMCS) was developed in response to the need to be able to conduct penetration testing on large industrial systems which cannot be taken offline or risk disablement or impairment for conventional penetration testing. SVAT-CMCS facilitates the use of known vulnerability and exploit information, incremental testing of system components and data analysis techniques to identify attack pathways in CMCSs. This data can be utilized for corrective activities or to target controlled manual follow-up testing. This paper presents the SVAT-CMCS paradigm and describes its implementation in a software tool, which was built using the Blackboard Architecture, that can be utilized for attack pathway identification. The performance of this tool is characterized using three example models. In particular, it explores the path generation speed and the impact of link cap restrictions on system operations, under different levels of network size and complexity. Accurate fact-rule processing is also tested using these models. The results show significant decreases in path generation efficiency as the link cap and network complexity increase; however, rule processing accuracy is not impacted.

Cryptography and Security

Ziliang Wang,Ge Li,Jia Li,Yingfei Xiong,Jia Li,Meng Yan,Zhi Jin

2024-07-19

Abstract:Large Language Models (LLMs) have strong capabilities in code comprehension, but fine-tuning costs and semantic alignment issues limit their project-specific optimization; conversely, code models such CodeBERT are easy to fine-tune, but it is often difficult to learn vulnerability semantics from complex code languages. To address these challenges, this paper introduces the Multi-Model Collaborative Vulnerability Detection approach (M2CVD) that leverages the strong capability of analyzing vulnerability semantics from LLMs to improve the detection accuracy of code models. M2CVD employs a novel collaborative process: first enhancing the quality of vulnerability semantic description produced by LLMs through the understanding of project code by code models, and then using these improved vulnerability semantic description to boost the detection accuracy of code models. We demonstrated M2CVD's effectiveness on two real-world datasets, where M2CVD significantly outperformed the baseline. In addition, we demonstrate that the M2CVD collaborative method can extend to other different LLMs and code models to improve their accuracy in vulnerability detection tasks.

Software Engineering

Bonan Ruan,Jiahao Liu,Weibo Zhao,Zhenkai Liang

2024-09-24

Abstract:Software vulnerabilities pose critical security and risk concerns for many software systems. Many techniques have been proposed to effectively assess and prioritize these vulnerabilities before they cause serious consequences. To evaluate their performance, these solutions often craft their own experimental datasets from limited information sources, such as MITRE CVE and NVD, lacking a global overview of broad vulnerability intelligence. The repetitive data preparation process further complicates the verification and comparison of new solutions. To resolve this issue, in this paper, we propose VulZoo, a comprehensive vulnerability intelligence dataset that covers 17 popular vulnerability information sources. We also construct connections among these sources, enabling more straightforward configuration and adaptation for different vulnerability assessment tasks (e.g., vulnerability type prediction). Additionally, VulZoo provides utility scripts for automatic data synchronization and cleaning, relationship mining, and statistics generation. We make VulZoo publicly available and maintain it with incremental updates to facilitate future research. We believe that VulZoo serves as a valuable input to vulnerability assessment and prioritization studies. The dataset with utility scripts is available at <a class="link-external link-https" href="https://github.com/NUS-Curiosity/VulZoo" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Software Engineering

Ziliang Wang,Ge Li,Jia Li,Yingfei Xiong,Jia Li,Meng Yan,Zhi Jin

DOI: https://doi.org/10.48550/arxiv.2406.05940

2024-06-10

Software Engineering

Abstract:Large Language Models (LLMs) have strong capabilities in code comprehension, but fine-tuning costs and semantic alignment issues limit their project-specific optimization; conversely, code models such CodeBERT are easy to fine-tune, but it is often difficult to learn vulnerability semantics from complex code languages. To address these challenges, this paper introduces the Multi-Model Collaborative Vulnerability Detection approach (M2CVD) that leverages the strong capability of analyzing vulnerability semantics from LLMs to improve the detection accuracy of code models. M2CVD employs a novel collaborative process: first enhancing the quality of vulnerability semantic description produced by LLMs through the understanding of project code by code models, and then using these improved vulnerability semantic description to boost the detection accuracy of code models. We demonstrated M2CVD's effectiveness on two real-world datasets, where M2CVD significantly outperformed the baseline. In addition, we demonstrate that the M2CVD collaborative method can extend to other different LLMs and code models to improve their accuracy in vulnerability detection tasks.