On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities
Abstract
Software vulnerabilities are a major cyber threat and it is important to detect them. One important approach to detecting vulnerabilities is to use deep learning while treating a program function as a whole, known as function-level vulnerability detectors. However, the limitation of this approach is not understood. In this paper, we investigate its limitation in detecting one class of vulnerabilities known as inter-procedural vulnerabilities, where the to-be-patched statements and the vulnerability-triggering statements belong to different functions. For this purpose, we create the first Inter-Procedural Vulnerability Dataset (InterPVD) based on C/C++ open-source software, and we propose a tool dubbed VulTrigger for identifying vulnerability-triggering statements across functions. Experimental results show that VulTrigger can effectively identify vulnerability-triggering statements and inter-procedural vulnerabilities. Our findings include: (i) inter-procedural vulnerabilities are prevalent with an average of 2.8 inter-procedural layers; and (ii) function-level vulnerability detectors are much less effective in detecting to-be-patched functions of inter-procedural vulnerabilities than detecting their counterparts of intra-procedural vulnerabilities.
Cite
@article{arxiv.2401.09767,
title = {On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities},
author = {Zhen Li and Ning Wang and Deqing Zou and Yating Li and Ruqian Zhang and Shouhuai Xu and Chao Zhang and Hai Jin},
journal= {arXiv preprint arXiv:2401.09767},
year = {2024}
}
Comments
12 pages, 7 figures. To appear in the Proceedings of the 46th International Conference on Software Engineering (ICSE'24)