Learning to Catch Security Patches

01/24/2020
by Arthur D. Sawadogo, et al.

Timely patching is paramount to safeguard users and maintainers against the dire consequences of malicious attacks. In practice, patching is prioritized according to the nature of the code change that is committed to the code repository. When such a change is labeled as security-relevant, i.e., as fixing a vulnerability, maintainers rapidly spread the change and users are notified of the need to update to a new version of the library or application. Unfortunately, some security-relevant changes often go unnoticed because they are silent fixes of vulnerabilities. In this paper, we propose a Co-Training-based approach to catch security patches as part of an automatic monitoring service for code repositories. Leveraging different classes of features, we empirically show that such automation is feasible and can yield a precision of over 90% and a recall of over 80%. This demonstrates an improvement over the state-of-the-art, and we confirmed that our approach can help catch security patches that were not reported as such.
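To make the co-training idea concrete, here is an added toy implementation that is not the paper's code and does not use its feature set or dataset. It assumes two views of a commit (tokens from the commit message and tokens from the code diff), gives each view a naive Bayes classifier, and lets each view pseudo-label the unlabeled commits it is most confident about so the other view can learn from them. All commit data below is constructed for the example.

```python
"""Toy co-training for flagging security-relevant commits (added illustration).

Each commit is seen through two views: tokens of the commit message and tokens
of the code diff. Every view gets its own naive Bayes classifier; each round,
a view pseudo-labels the unlabeled commits it is most confident about, and the
other view learns from those labels in the next round (Blum & Mitchell style).
All commits below are constructed sample data, not from the paper's dataset.
"""
import math
from collections import Counter

SECURITY, OTHER = 1, 0


class NaiveBayesView:
    """Multinomial naive Bayes with Laplace smoothing over one token view."""

    def __init__(self):
        self.fit([])

    def fit(self, examples):
        self.token_counts = {SECURITY: Counter(), OTHER: Counter()}
        self.doc_counts = Counter()
        self.vocab = set()
        for tokens, label in examples:
            self.doc_counts[label] += 1
            self.token_counts[label].update(tokens)
            self.vocab.update(tokens)
        return self

    def _log_prob(self, tokens, label):
        total = sum(self.token_counts[label].values())
        lp = math.log((self.doc_counts[label] + 1) / (sum(self.doc_counts.values()) + 2))
        for t in tokens:  # unseen tokens fall back to the smoothing mass
            lp += math.log((self.token_counts[label][t] + 1) / (total + len(self.vocab)))
        return lp

    def score(self, tokens):
        """Log-odds that the commit is a security patch (positive = security)."""
        return self._log_prob(tokens, SECURITY) - self._log_prob(tokens, OTHER)


def co_train(labeled, unlabeled, rounds=3, per_round=1):
    """labeled: [(commit, label)], unlabeled: [commit].

    Returns the two trained views and {commit id: pseudo-label}.
    """
    labeled = list(labeled)
    pool = list(unlabeled)
    pseudo = {}
    msg_view, diff_view = NaiveBayesView(), NaiveBayesView()
    for _ in range(rounds):
        if not pool:
            break
        msg_view.fit([(c["msg"], y) for c, y in labeled])
        diff_view.fit([(c["diff"], y) for c, y in labeled])
        newly = []
        for view, key in ((msg_view, "msg"), (diff_view, "diff")):
            # Rank still-unlabeled commits by this view's log-odds, lowest first.
            ranked = sorted(((view.score(c[key]), c) for c in pool if c["id"] not in pseudo),
                            key=lambda pair: pair[0])
            # Most confident "other" commits, then most confident security patches.
            for s, c in ranked[:per_round]:
                if s < 0 and c["id"] not in pseudo:
                    pseudo[c["id"]] = OTHER
                    newly.append((c, OTHER))
            for s, c in ranked[-per_round:]:
                if s > 0 and c["id"] not in pseudo:
                    pseudo[c["id"]] = SECURITY
                    newly.append((c, SECURITY))
        labeled.extend(newly)
        pool = [c for c in pool if c["id"] not in pseudo]
    msg_view.fit([(c["msg"], y) for c, y in labeled])
    diff_view.fit([(c["diff"], y) for c, y in labeled])
    return msg_view, diff_view, pseudo


def predict(msg_view, diff_view, commit):
    """Combine both views' log-odds; the commit is flagged if the sum is positive."""
    total = msg_view.score(commit["msg"]) + diff_view.score(commit["diff"])
    return SECURITY if total > 0 else OTHER


def commit(cid, msg, diff):
    return {"id": cid, "msg": msg.split(), "diff": diff.split()}


# Constructed sample data: a few labeled commits and an unlabeled pool.
LABELED = [
    (commit("l1", "fix buffer overflow in parser", "memcpy strncpy len check"), SECURITY),
    (commit("l2", "fix use after free", "free null pointer check"), SECURITY),
    (commit("l3", "add feature logging", "log info message"), OTHER),
    (commit("l4", "refactor rename variable", "rename var tmp"), OTHER),
]
UNLABELED = [
    commit("u1", "fix overflow in decoder", "len bounds check"),
    commit("u2", "update docs readme", "readme markdown text"),
    commit("u3", "fix heap corruption", "free pointer null"),
    commit("u4", "add unit test logging", "log assert message"),
]


def run_demo():
    """Co-train on the sample data and classify two unseen commits."""
    msg_view, diff_view, pseudo = co_train(LABELED, UNLABELED)
    silent_fix = commit("n1", "fix overflow", "len check")
    doc_change = commit("n2", "add docs", "readme text")
    return pseudo, predict(msg_view, diff_view, silent_fix), predict(msg_view, diff_view, doc_change)


if __name__ == "__main__":
    print(run_demo())
```

The point of the two views is that a silent fix with a bland commit message can still be caught by the diff view, and the pseudo-labels it produces improve the message view on the next round; the `s < 0` / `s > 0` guards stop a view from committing a label it is not actually confident about.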


