Generating Mitigations for Downstream Projects to Neutralize Upstream Library Vulnerability

• URL: http://arxiv.org/abs/2503.24273v1
• Date: Mon, 31 Mar 2025 16:20:29 GMT
• Title: Generating Mitigations for Downstream Projects to Neutralize Upstream Library Vulnerability
• Authors: Zirui Chen, Xing Hu, Puhua Sun, Xin Xia, Xiaohu Yang,
• Abstract summary: Third-party libraries are essential in software development as they prevent the need for developers to recreate existing functionalities.<n> upgrading dependencies to secure versions is not feasible to neutralize vulnerabilities without patches or in projects with specific version requirements.<n>Both the state-of-the-art automatic vulnerability repair and automatic program repair methods fail to address this issue.
• Score: 8.673798395456185
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Third-party libraries are essential in software development as they prevent the need for developers to recreate existing functionalities. However, vulnerabilities within these libraries pose significant risks to dependent projects. Upgrading dependencies to secure versions is not feasible to neutralize vulnerabilities without patches or in projects with specific version requirements. Moreover, repairing the vulnerability proves challenging when the source code of the library is inaccessible. Both the state-of-the-art automatic vulnerability repair and automatic program repair methods fail to address this issue. Therefore, mitigating library vulnerabilities without source code and available patches is crucial for a swift response to potential security attacks. Existing tools encounter challenges concerning generalizability and functional security. In this study, we introduce LUMEN to mitigate library vulnerabilities in impacted projects. Upon disclosing a vulnerability, we retrieve existing workarounds to gather a resembling mitigation strategy. In cases where a resembling strategy is absent, we propose type-based strategies based on the vulnerability reproducing behavior and extract essential information from the vulnerability report to guide mitigation generation. Our assessment of LUMEN spans 121 impacted functions of 40 vulnerabilities, successfully mitigating 70.2% of the functions, which substantially outperforms our baseline in neutralizing vulnerabilities without functionality loss. Additionally, we conduct an ablation study to validate the rationale behind our resembling strategies and type-based strategies.

Related papers

• There are More Fish in the Sea: Automated Vulnerability Repair via Binary Templates [4.907610470063863]
  We propose a template-based automated vulnerability repair approach for Java binaries.<n>Experiments on the Vul4J dataset demonstrate that TemVUR successfully repairs 11 vulnerabilities.<n>To assess the generalizability of TemVUR, we curate the ManyVuls4J dataset.
  arXiv  Detail & Related papers  (2024-11-27T06:59:45Z)
• In-Context Experience Replay Facilitates Safety Red-Teaming of Text-to-Image Diffusion Models [104.94706600050557]
  Text-to-image (T2I) models have shown remarkable progress, but their potential to generate harmful content remains a critical concern in the ML community. We propose ICER, a novel red-teaming framework that generates interpretable and semantic meaningful problematic prompts. Our work provides crucial insights for developing more robust safety mechanisms in T2I systems.
  arXiv  Detail & Related papers  (2024-11-25T04:17:24Z)
• Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
  Apache Log4J was found to be vulnerable to remote code execution attacks. More than 35,000 packages were forced to update their Log4J libraries with the latest version. It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
  arXiv  Detail & Related papers  (2024-11-12T01:55:51Z)
• A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features [6.814841205623832]
  This paper investigates the perspectives of OSS maintainers on vulnerability management and platform security features.<n>We find that supply chain mistrust and lack of automation for vulnerability management are the most challenging.<n> barriers to adopting platform security features include a lack of awareness and the perception that they are not necessary.
  arXiv  Detail & Related papers  (2024-09-12T00:15:03Z)
• Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects [0.11999555634662631]
  This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects. We have identified common issues in outdated or unmaintained dependencies, that pose significant security risks. Results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.
  arXiv  Detail & Related papers  (2024-08-26T13:46:48Z)
• Benchmarking and Defending Against Indirect Prompt Injection Attacks on Large Language Models [79.0183835295533]
  We introduce the first benchmark for indirect prompt injection attacks, named BIPIA, to assess the risk of such vulnerabilities. Our analysis identifies two key factors contributing to their success: LLMs' inability to distinguish between informational context and actionable instructions, and their lack of awareness in avoiding the execution of instructions within external content. We propose two novel defense mechanisms-boundary awareness and explicit reminder-to address these vulnerabilities in both black-box and white-box settings.
  arXiv  Detail & Related papers  (2023-12-21T01:08:39Z)
• Exploiting Library Vulnerability via Migration Based Automating Test Generation [16.39796265296833]
  In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. Vulnerability exploits, as code snippets provided for reproducing vulnerabilities after disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called VESTA, which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies.
  arXiv  Detail & Related papers  (2023-12-15T06:46:45Z)
• Enhancing Large Language Models for Secure Code Generation: A Dataset-driven Study on Vulnerability Mitigation [24.668682498171776]
  Large language models (LLMs) have brought significant advancements to code generation, benefiting both novice and experienced developers. However, their training using unsanitized data from open-source repositories, like GitHub, introduces the risk of inadvertently propagating security vulnerabilities. This paper presents a comprehensive study focused on evaluating and enhancing code LLMs from a software security perspective.
  arXiv  Detail & Related papers  (2023-10-25T00:32:56Z)
• Analyzing Maintenance Activities of Software Libraries [65.268245109828]
  Industrial applications heavily integrate open-source software libraries nowadays. I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
  arXiv  Detail & Related papers  (2023-06-09T16:51:25Z)
• VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements [62.93814803258067]
  This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code. Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph. VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
  arXiv  Detail & Related papers  (2021-12-20T22:45:27Z)
• Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
  Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
  arXiv  Detail & Related papers  (2020-10-19T13:09:31Z)
• Autosploit: A Fully Automated Framework for Evaluating the Exploitability of Security Vulnerabilities [47.748732208602355]
  Autosploit is an automated framework for evaluating the exploitability of vulnerabilities. It automatically tests the exploits on different configurations of the environment. It is able to identify the system properties that affect the ability to exploit a vulnerability in both noiseless and noisy environments.
  arXiv  Detail & Related papers  (2020-06-30T18:49:18Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.