| The reproduction of vulnerabilities is a key step in debugging software defects.Based on the current technologies,it still takes a lot of time to complete manually.Although the crash report is captured when an error occurs in the software and sent to the software vendor,it can hardly be used to reproduce the vulnerability.The main reason is that crash reports from software users often lack many key factors(e.g.,software installation,triggering methods),which makes it more difficult to reproduce the vulnerability.To make matters worse,the uncertainty of software configurable options(that is,the ability of a software system to be customized for use in a specific context or scenario)is not enough to reproduce those vulnerabilities that only exist in certain specific software configuration options brings greater challenges.In this paper,we propose a solution based on similarity comparison,which uses crash reports to assist in the reproduction of vulnerabilities related to software configuration options to complete the process of building a defective binary.Firstly,we investigate the configuration options that may affect similarity during the software construction process,build a measurement method through similarity analysis,and summarize some patterns.Secondly,the speculative compilation option is modeled as a search problem,and through the feedback of the binary code similarity,an binary file is generated to have the maximum similarity to the code segment in the crash report.Finally,we use this binary file to reproduce the vulnerability.To demonstrate the effectiveness in pinpointing the building configurations in the software building process,we have implemented Ro Bin and tested it with various software crashes caused by 16 vulnerabilities.We show Ro Bin could effectively figure out the building configurations needed to generate the vulnerable binary,thus helping software developers reproduce vulnerability reports. |
PDF Full Text Request