
Vulnerability Fix Technology Research And System Implementation Based On Vulnerability-inducing Commits

Posted on: 2022-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y Li
Full Text: PDF
GTID: 2518306611986619
Subject: Computer Software and Application of Computer
Abstract/Summary:
In the process of software maintenance and evolution, vulnerabilities are inevitably introduced. Their occurrence poses security risks to the operation of software systems and can even seriously threaten personal privacy and property security, resulting in social and economic losses. The lack of dynamic information related to vulnerabilities, such as test cases and stack traces, in vulnerability databases greatly increases the difficulty of vulnerability localization and fixing. However, code commits in open-source software repositories often contain rich information. Analyzing code commits to explore the reasons for vulnerability introduction and the correlation between vulnerability-inducing commits and vulnerability-fixing commits can provide a new way of thinking about vulnerability localization and fixing. From the perspective of vulnerability introduction, this thesis studies vulnerability localization and fix technology based on vulnerability-inducing commits, building on a series of empirical findings such as "the statements in vulnerability-fixing commits can be inferred from the modified statements in vulnerability-inducing commits". The specific work is as follows:

(1) Vulnerability localization technology based on vulnerability-inducing commits. First, a vulnerability introduction and fix data set is constructed, and the vulnerability data in it is studied empirically. Then, according to the findings, three features are defined: the statements modified in the vulnerability-inducing commit; the statements containing keywords split from the variable names and method names in the modified statements of the vulnerability-inducing commit; and the if statements in the files involved in the vulnerability-inducing commit. The statements extracted by these three features constitute the suspicious statement space. The statements in the suspicious statement space are then assigned and input to the learning-to-rank model for training, and finally a ranking list is output. Experimental results show that VulLoc outperforms existing approaches in both effectiveness and efficiency.

(2) Vulnerability fixing technology based on vulnerability-inducing commits. First, we further explored the changes in the fix components between vulnerability-inducing commits and fixing commits and concluded that some fixes in the vulnerability fix can be inferred from the vulnerability-inducing commits. After abstraction and normalization, the code is converted into a token sequence and input into the Transformer model, and the predicted sequence is obtained through beam search. Then, through empirical research, rules are defined, abstracted and filled in a normalized manner, and the patches are verified. The experimental results show that this approach improves the effectiveness of vulnerability fixing compared to a vulnerability fixing technique that only runs the Transformer, and performs best on CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).

(3) Based on the proposed techniques, a vulnerability-oriented localization and fix system is designed and implemented. The system is aimed at researchers in software development, maintenance and related software fields, and includes three modules: vulnerability management, vulnerability localization, and vulnerability fix. The system can help developers complete software maintenance work more efficiently and quickly, improving software security.
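The three features that make up the suspicious statement space can be illustrated with an added Python example (not code from the thesis or the VulLoc system): it takes a constructed vulnerability-inducing diff and the post-commit file, and tags each statement that was modified, shares an identifier keyword with a modified statement, or is an if statement. The identifier-splitting rule, the stopword list and the choice to treat added diff lines as the modified statements are assumptions.

```python
import re

# Constructed vulnerability-inducing commit: a length check is dropped, so a
# later memcpy can overrun the destination buffer (CWE-119 style). Not real code.
INDUCING_DIFF = """\
@@ -1,6 +1,6 @@
 int copyPacket(char *dst, const char *src, int packetLen) {
-    if (packetLen > MAX_LEN) return -1;
+    int copyLen = packetLen;
     memcpy(dst, src, packetLen);
     return 0;
 }
"""

# Constructed post-commit contents of the file touched by the commit.
POST_COMMIT_FILE = [
    "int copyPacket(char *dst, const char *src, int packetLen) {",
    "    int copyLen = packetLen;",
    "    memcpy(dst, src, packetLen);",
    "    return 0;",
    "}",
    "int checkLen(int packetLen) {",
    "    if (packetLen < 0) return 0;",
    "    return 1;",
    "}",
]

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STOPWORDS = {"int", "char", "const", "return", "void", "if", "else"}  # assumed

def split_identifier(name):
    """Split a camelCase / snake_case identifier into lowercase keywords."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", name).replace("_", " ")
    return {p.lower() for p in spaced.split() if len(p) > 1 and p.lower() not in STOPWORDS}

def modified_statements(diff):
    """Feature 1: statements added by the inducing commit ('+' lines of the diff)."""
    return [l[1:].strip() for l in diff.splitlines()
            if l.startswith("+") and not l.startswith("+++")]

def keywords_from(statements):
    """Feature 2 vocabulary: sub-words of variable and method names in the statements."""
    kws = set()
    for s in statements:
        for ident in IDENT.findall(s):
            kws |= split_identifier(ident)
    return kws

def suspicious_space(diff, file_lines):
    """Map 1-based line number -> feature tags for every statement in the space."""
    mods = set(modified_statements(diff))
    kws = keywords_from(mods)
    space = {}
    for no, line in enumerate(file_lines, 1):
        s = line.strip()
        tags = set()
        if s in mods:                       # feature 1: modified statement
            tags.add("modified")
        if kws & keywords_from([s]):        # feature 2: shares an identifier keyword
            tags.add("keyword")
        if re.match(r"if\s*\(", s):         # feature 3: if statement in the touched file
            tags.add("if")
        if tags:
            space[no] = tags
    return space
```

Statements carrying more tags are natural candidates to rank higher once the space is fed to a learning-to-rank model.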
Keywords/Search Tags: Vulnerability-inducing commit, Vulnerability localization, Vulnerability fixing, Learning-to-rank model