English

VulDeeLocator: A Deep Learning-based Fine-grained Vulnerability Detector

Cryptography and Security 2021-05-04 v2

Abstract

Automatically detecting software vulnerabilities is an important problem that has attracted much attention from the academic research community. However, existing vulnerability detectors still cannot achieve the vulnerability detection capability and the locating precision that would warrant their adoption for real-world use. In this paper, we present a vulnerability detector that can simultaneously achieve a high detection capability and a high locating precision, dubbed Vulnerability Deep learning-based Locator (VulDeeLocator). In the course of designing VulDeeLocator, we encounter difficulties including how to accommodate semantic relations between the definitions of types as well as macros and their uses across files, how to accommodate accurate control flows and variable define-use relations, and how to achieve high locating precision. We solve these difficulties by using two innovative ideas: (i) leveraging intermediate code to accommodate extra semantic information, and (ii) using the notion of granularity refinement to pin down locations of vulnerabilities. When applied to 200 files randomly selected from three real-world software products, VulDeeLocator detects 18 confirmed vulnerabilities (i.e., true-positives). Among them, 16 vulnerabilities correspond to known vulnerabilities; the other two are not reported in the National Vulnerability Database (NVD) but have been "silently" patched by the vendor of Libav when releasing newer versions.

Keywords

Cite

@article{arxiv.2001.02350,
  title  = {VulDeeLocator: A Deep Learning-based Fine-grained Vulnerability Detector},
  author = {Zhen Li and Deqing Zou and Shouhuai Xu and Zhaoxuan Chen and Yawei Zhu and Hai Jin},
  journal= {arXiv preprint arXiv:2001.02350},
  year   = {2021}
}
R2 v1 2026-06-23T13:05:35.911Z