PPT4J: Patch Presence Test for Java Binaries
- URL: http://arxiv.org/abs/2312.11013v2
- Date: Mon, 15 Jan 2024 05:16:22 GMT
- Title: PPT4J: Patch Presence Test for Java Binaries
- Authors: Zhiyuan Pan, Xing Hu, Xin Xia, Xian Zhan, David Lo, Xiaohu Yang
- Abstract summary: The number of vulnerabilities reported in open source software has increased substantially in recent years.
The ability to test whether a patch is applied to the target binary, a.k.a. patch presence test, is crucial for practitioners.
We propose a new patch presence test framework named PPT4J ($\textbf{P}$atch $\textbf{P}$resence $\textbf{T}$est $\textbf{for}$ $\textbf{J}$ava Binaries).
- Score: 15.297767260561491
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The number of vulnerabilities reported in open source software has increased
substantially in recent years. Security patches provide the necessary measures
to protect software from attacks and vulnerabilities. In practice, it is
difficult to identify whether patches have been integrated into software,
especially if we only have binary files. Therefore, the ability to test whether
a patch is applied to the target binary, a.k.a. patch presence test, is crucial
for practitioners. However, it is challenging to obtain accurate semantic
information from patches, which could lead to incorrect results.
In this paper, we propose a new patch presence test framework named PPT4J
($\textbf{P}$atch $\textbf{P}$resence $\textbf{T}$est $\textbf{for}$
$\textbf{J}$ava Binaries). PPT4J is designed for open-source Java libraries. It
takes Java binaries (i.e. bytecode files) as input, extracts semantic
information from patches, and uses feature-based techniques to identify patch
lines in the binaries. To evaluate the effectiveness of our proposed approach
PPT4J, we construct a dataset with binaries that include 110 vulnerabilities.
The results show that PPT4J achieves an F1 score of 98.5% with reasonable
efficiency, improving the baseline by 14.2%. Furthermore, we conduct an
in-the-wild evaluation of PPT4J on JetBrains IntelliJ IDEA. The results suggest
that a third-party library included in the software is not patched for two
CVEs, and we have reported this potential security problem to the vendor.
Related papers
- PatUntrack: Automated Generating Patch Examples for Issue Reports without Tracked Insecure Code [6.6821370571514525]
We propose PatUntrack to automatically generate patch examples from vulnerable issue reports (IRs) without tracked insecure code.
It first generates the completed description of the Vulnerability-Triggering Path (VTP) from vulnerable IRs.
It then corrects hallucinations in the VTP description with external golden knowledge.
Finally, it generates Top-K pairs of Insecure Code and Patch Example based on the corrected VTP description.
arXiv Detail & Related papers (2024-08-16T09:19:27Z)
- PatchFinder: A Two-Phase Approach to Security Patch Tracing for Disclosed Vulnerabilities in Open-Source Software [15.867607171943698]
We propose a two-phase framework with end-to-end correlation learning for better-tracing security patches.
PatchFinder achieves a Recall@10 of 80.63% and a Mean Reciprocal Rank (MRR) of 0.7951.
When applying PatchFinder in practice, we initially identified 533 patch commits and submitted them to the official, 482 of which have been confirmed by CVE Numbering Authorities.
arXiv Detail & Related papers (2024-07-24T07:46:24Z)
- Path-wise Vulnerability Mitigation [3.105656247358225]
This paper describes an approach called PAVER that generates and inserts mitigation patches at the level of program paths.
For each candidate patch location, PAVER generates and inserts a mitigation patch, and tests the patched program to assess the side-effects.
We evaluate the prototype of PAVER on real world vulnerabilities and the evaluation shows that our path-wise vulnerability mitigation patches can achieve minimum side-effects.
arXiv Detail & Related papers (2024-05-25T22:58:37Z)
- FoC: Figure out the Cryptographic Functions in Stripped Binaries with LLMs [54.27040631527217]
We propose a novel framework called FoC to Figure out the Cryptographic functions in stripped binaries.
We first build a binary large language model (FoC-BinLLM) to summarize the semantics of cryptographic functions in natural language.
We then build a binary code similarity model (FoC-Sim) upon the FoC-BinLLM to create change-sensitive representations and use it to retrieve similar implementations of unknown cryptographic functions in a database.
arXiv Detail & Related papers (2024-03-27T09:45:33Z)
- A Novel Approach for Automatic Program Repair using Round-Trip Translation with Large Language Models [50.86686630756207]
Research shows that grammatical mistakes in a sentence can be corrected by translating it to another language and back.
Current generative models for Automatic Program Repair (APR) are pre-trained on source code and fine-tuned for repair.
This paper proposes bypassing the fine-tuning step and using Round-Trip Translation (RTT): translation of code from one programming language to another programming or natural language, and back.
arXiv Detail & Related papers (2024-01-15T22:36:31Z)
- PS$^3$: Precise Patch Presence Test based on Semantic Symbolic Signature [13.9637348151437]
Existing approaches mainly focus on detecting patches that are compiled in the same compiler options.
PS3 exploits symbolic emulation to extract signatures that are stable under different compiler options.
PS3 achieves scores of 0.82, 0.97, and 0.89 in terms of precision, recall, and F1 score.
arXiv Detail & Related papers (2023-12-06T10:04:15Z)
- Jailbreaking GPT-4V via Self-Adversarial Attacks with System Prompts [64.60375604495883]
We discover a system prompt leakage vulnerability in GPT-4V.
By employing GPT-4 as a red teaming tool against itself, we aim to search for potential jailbreak prompts leveraging stolen system prompts.
We also evaluate the effect of modifying system prompts to defend against jailbreaking attacks.
arXiv Detail & Related papers (2023-11-15T17:17:39Z)
- RAP-Gen: Retrieval-Augmented Patch Generation with CodeT5 for Automatic Program Repair [75.40584530380589]
We propose a novel Retrieval-Augmented Patch Generation framework (RAP-Gen).
RAP-Gen explicitly leverages relevant fix patterns retrieved from a list of previous bug-fix pairs.
We evaluate RAP-Gen on three benchmarks in two programming languages, including the TFix benchmark in JavaScript, and Code Refinement and Defects4J benchmarks in Java.
arXiv Detail & Related papers (2023-09-12T08:52:56Z)
- Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection [142.24869736769432]
Adversarial patch attacks pose a serious threat to state-of-the-art object detectors.
We propose Segment and Complete defense (SAC), a framework for defending object detectors against patch attacks.
We show SAC can significantly reduce the targeted attack success rate of physical patch attacks.
arXiv Detail & Related papers (2021-12-08T19:18:48Z)
- DPT: Deformable Patch-based Transformer for Visual Recognition [57.548916081146814]
We propose a new Deformable Patch (DePatch) module which learns to adaptively split the images into patches with different positions and scales in a data-driven way.
The DePatch module can work as a plug-and-play module, which can easily be incorporated into different transformers to achieve an end-to-end training.
arXiv Detail & Related papers (2021-07-30T07:33:17Z)
- Exploring Plausible Patches Using Source Code Embeddings in JavaScript [1.3327130030147563]
We trained a Doc2Vec model on an open-source JavaScript project and generated 465 patches for 10 bugs in it.
These plausible patches, along with the developer fix, are then ranked based on their similarity to the original program.
We analyzed these similarity lists and found that plain document embeddings may lead to misclassification.
arXiv Detail & Related papers (2021-03-31T06:57:10Z)