We present Clovery, a precise approach for detecting vulnerability-affected versions through code-level semantic analysis. Precise management of vulnerability-affected versions is crucial for mitigating risks from vulnerability propagation. However, identifying these versions is challenging, requiring deep understanding of both the syntax and semantics of vulnerable code. Existing approaches often rely on broad assumptions, causing false alarms. Public security reports frequently misclassify dangerous versions as safe and vice versa, further exacerbating the problem. To overcome these limitations, Clovery uses a technique called function-lineage tracking. It focuses on vulnerability-related code lines and uses semantic pairs to capture dependencies. By tracking function histories via semantic pairs, Clovery precisely identifies versions affected by vulnerabilities. On 1,502 NVD CVEs, Clovery found potential CPE issues in 65.65% of cases, indicating risks to vulnerability management. Notably, Clovery achieved 97.43% F1 in identifying affected versions, significantly outperforming existing approaches, which achieved 71.16% and 84.23% F1 scores. These results suggest that Clovery can improve vulnerability response and software supply-chain security.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Clovery: Identifying Affected Versions in C/C++ Public Security Vulnerability Reports

  • Duyeong Kim,
  • Jimin Kang,
  • Yeonhee Kim,
  • Seunghoon Woo,
  • Heejo Lee

摘要

We present Clovery, a precise approach for detecting vulnerability-affected versions through code-level semantic analysis. Precise management of vulnerability-affected versions is crucial for mitigating risks from vulnerability propagation. However, identifying these versions is challenging, requiring deep understanding of both the syntax and semantics of vulnerable code. Existing approaches often rely on broad assumptions, causing false alarms. Public security reports frequently misclassify dangerous versions as safe and vice versa, further exacerbating the problem. To overcome these limitations, Clovery uses a technique called function-lineage tracking. It focuses on vulnerability-related code lines and uses semantic pairs to capture dependencies. By tracking function histories via semantic pairs, Clovery precisely identifies versions affected by vulnerabilities. On 1,502 NVD CVEs, Clovery found potential CPE issues in 65.65% of cases, indicating risks to vulnerability management. Notably, Clovery achieved 97.43% F1 in identifying affected versions, significantly outperforming existing approaches, which achieved 71.16% and 84.23% F1 scores. These results suggest that Clovery can improve vulnerability response and software supply-chain security.