Qixuan Guo (Beijing Jiaotong University), Yongzhong He (Beijing Jiaotong University)

When a vulnerability is detected in a specific software version, it is critical to trace the commit history to accurately identify the first commit where the vulnerability was introduced, known as Vulnerability-Introducing Commit(VIC).
This article proposes a method to accurately identify the VIC based on differential analysis of vulnerability patching patterns. Firstly, we compare the two files, before and after patching a vulnerability, to classify vulnerability-related statements in the patch into different patching patterns, such as coding errors, improper data flow, misplaced statements, and missing critical checks. Then, based on the patching patterns, we extract a vulnerability-critical statement sequence from the vulnerable file and match it with the earlier commits to determine the introducing commit. To evaluate the effectiveness of this method, we collected a dataset comprising 6,920 CVEs and 5,859,238 commits from open-source software, including the Linux kernel, MySQL, and OpenSSL, etc. The experimental results demonstrate that the proposed method achieves a detection accuracy of 94.94% and a recall rate of 86.92%, significantly outperforming existing approaches.

View More Papers

PROMPTGUARD: Zero Trust Prompting for Securing LLM-Driven O-RAN Control

Yuhui Wang (Department of Electrical and Computer Engineering, University of Michigan-Dearborn), Xingqi Wu (Department of Electrical and Computer Engineering, University of Michigan-Dearborn), Junaid Farooq (Department of Electrical and Computer Engineering, University of Michigan-Dearborn), Juntao Chen (Department of Computer and Information Sciences, Fordham University)

Read More

CoordMail: Exploiting SMTP Timeout and Command Interaction to Coordinate...

Ruixuan Li (Tsinghua University and Beijing National Research Center for Information Science and Technology), Chaoyi Lu (Zhongguancun Laboratory), Baojun Liu (Tsinghua University and Beijing National Research Center for Information Science and Technology), Yanzhong Lin (Coremail Technology Co. Ltd), Qingfeng Pan (Coremail Technology Co. Ltd), Jun Shao (Zhejiang Gongshang University and Zhejiang Key Laboratory of Big…

Read More

Vision: Profiling Human Attackers: Personality and Behavioral Patterns in...

Khalid Alasiri (School of Computing and Augmented Intelligence Arizona State University), Rakibul Hasan (School of Computing and Augmented Intelligence Arizona State University)

Read More