A vulnerability detection framework by focusing on critical execution paths

Information and Software Technology. IF 3.8; Zone 2 (Computer Science); JCR Q2 (Computer Science, Information Systems). Pub Date: 2024-06-15. DOI: 10.1016/j.infsof.2024.107517
Jianxin Cheng , Yizhou Chen , Yongzhi Cao , Hanpin Wang
Information and Software Technology, Volume 174, Article 107517. https://www.sciencedirect.com/science/article/pii/S0950584924001228
Citations: 0

Abstract

Context:

Vulnerability detection is critical to ensure software security, and detecting vulnerabilities in smart contract code is currently gaining massive attention. Existing deep learning-based vulnerability detection methods represent the code as a code structure graph and eliminate vulnerability-irrelevant nodes. Then, they learn vulnerability-related code features from the simplified graph for vulnerability detection. However, this simplified graph struggles to represent relatively complete structural information of code, which may affect the performance of existing vulnerability detection methods.

Objective:

In this paper, we present a novel Vulnerability Detection framework based on Critical Execution Paths (VDCEP), which aims to improve smart contract vulnerability detection.

Method:

Firstly, given a code structure graph, we deconstruct it into multiple execution paths that reflect rich structural information of code. To reduce irrelevant code information, a path selection strategy is employed to identify critical execution paths that may contain vulnerable code information. Secondly, a feature extraction module is adopted to learn feature representations of critical paths. Finally, we feed all path feature representations into a classifier for vulnerability detection. Also, the feature weights of paths are provided to measure their importance in vulnerability detection.

Results:

We evaluate VDCEP on a large dataset with four types of smart contract vulnerabilities. Results show that VDCEP outperforms 14 representative vulnerability detection methods by 5.34%–60.88% in F1-score. The ablation studies analyze the effects of our path selection strategy and feature extraction module on VDCEP. Moreover, VDCEP still outperforms ChatGPT by 34.46% in F1-score.

Conclusion:

Compared to existing vulnerability detection methods, VDCEP is more effective in detecting smart contract vulnerabilities by utilizing critical execution paths. Besides, we can provide interpretable details about vulnerability detection by analyzing the path feature weights.

Source journal

Information and Software Technology (Engineering and Technology - Computer Science: Software Engineering)

CiteScore: 9.10
Self-citation rate: 7.70%
Articles published: 164
Review time: 9.6 weeks

Journal description:

Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal's scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:

• Software management, quality and metrics
• Software processes
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development

Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information.

The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premier outlet for systematic literature studies in software engineering.