AIBugHunter: A Practical Tool for Predicting, Classifying and Repairing Software Vulnerabilities

05/26/2023
by Michael Fu, et al.

Many ML-based approaches have been proposed to automatically detect, localize, and repair software vulnerabilities. While ML-based methods are more effective than program-analysis-based vulnerability analysis tools, few have been integrated into modern IDEs, hindering practical adoption. To bridge this critical gap, we propose AIBugHunter, a novel ML-based software vulnerability analysis tool for C/C++ that is integrated into Visual Studio Code. AIBugHunter helps software developers achieve real-time vulnerability detection, explanation, and repair while programming. In particular, AIBugHunter scans developers' source code to (1) locate vulnerabilities, (2) identify vulnerability types, (3) estimate vulnerability severity, and (4) suggest vulnerability repairs. In this article, we propose a novel multi-objective optimization (MOO)-based vulnerability classification approach and a transformer-based estimation approach to help AIBugHunter accurately identify vulnerability types and estimate severity. Our empirical experiments on a large dataset of 188K+ C/C++ functions confirm that our proposed approaches are more accurate than other state-of-the-art baseline methods for vulnerability classification and estimation. Furthermore, we conduct qualitative evaluations, including a survey study and a user study, to obtain software practitioners' perceptions of our AIBugHunter tool and to assess the impact that AIBugHunter may have on developers' productivity in security aspects. Our survey study shows that our AIBugHunter is perceived as useful where 90 least, our user study shows that our AIBugHunter could possibly enhance developers' productivity in combating cybersecurity issues during software development.

