
Automated Software Engineering: Latest Articles

Ethereum fraud smart contract detection using heterogeneous semantic graph
IF 3.1 | Zone 2, Computer Science | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING | Pub Date: 2025-08-07 | DOI: 10.1007/s10515-025-00537-1
Wei Chen, Xinjun Jiang, Tian Lan, Leyuan Liu

With the rapid development of blockchain technology, various types of fraud are becoming increasingly rampant. Many smart contract-based detection methods have been proposed for typical frauds, such as Ponzi scheme, honeypot and phishing. However, these methods often lack the extraction and application of the deep semantics of smart contracts or are customized for specific fraud, resulting in limited performance and universality. In this paper, we propose an Ethereum fraud smart contract detection method based on Heterogeneous Semantic Graph (HSG) and Heterogeneous Graph Neural Network (HGNN), which extracts the high-level semantics of smart contracts and designs a graph classifier based on the Heterogeneous Graph Transformer (HGT) model to detect fraud smart contracts. Experiments on Ponzi scheme, honeypot and phishing smart contract datasets demonstrate that our method is capable of extracting smart contract semantics more effectively and is superior to or equal to various existing fraud smart contract detection methods, and has universality in fraud smart contract detection tasks.

Citations: 0
Agents in software engineering: survey, landscape, and vision
IF 3.1 | Zone 2, Computer Science | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING | Pub Date: 2025-08-07 | DOI: 10.1007/s10515-025-00544-2
Yanlin Wang, Wanjun Zhong, Yanxian Huang, Ensheng Shi, Min Yang, Jiachi Chen, Hui Li, Yuchi Ma, Qianxiang Wang, Zibin Zheng

In recent years, Large Language Models (LLMs) have achieved remarkable success and have been widely used in various downstream tasks, especially in the tasks of the software engineering (SE) field. We find that many studies combining LLMs with SE have employed the concept of agents either explicitly or implicitly. However, there is a lack of an in-depth survey to sort out the development context of existing works, analyze how existing works combine the LLM-based agent technologies to optimize various tasks, and clarify the framework of LLM-based agents in SE. In this paper, we conduct the first survey of the studies on combining LLM-based agents with SE and present a framework of LLM-based agents in SE which includes three key modules: perception, memory, and action. We also summarize the current challenges in combining the two fields and propose future opportunities in response to existing challenges. We maintain a GitHub repository of the related papers at: https://github.com/DeepSoftwareAnalytics/Awesome-Agent4SE.

Citations: 0
Unveiling code clone patterns in open source VR software: an empirical study
IF 3.1 | Zone 2, Computer Science | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING | Pub Date: 2025-08-07 | DOI: 10.1007/s10515-025-00536-2
Huashan Chen, Zisheng Huang, Yifan Xu, Wenjie Huang, Xuheng Wang, Jinfu Chen, Haotang Li, Kebin Peng, Feng Liu, Sen He

Code cloning is frequently observed in software development, often leading to a variety of maintenance and security issues. While substantial research has been conducted on code cloning in traditional software, to the best of my knowledge, there is a lack of studies on cloning in virtual reality (VR) software that consider its unique nature, particularly the presence of numerous serialized files in conjunction with the source code. In this paper, we conduct the first large-scale quantitative empirical analysis of software clones in 345 open-source VR projects, using the NiCad detector for source code clone detection and large language models (LLMs) for identifying serialized file clones. Our study leads to a number of insights into cloning phenomena in VR software, guided by seven carefully formulated research questions. These findings, along with their implications, are anticipated to provide useful guidance for both researchers and software developers within the VR field.

Citations: 0
Detection of hidden privilege escalations in android
IF 3.1 | Zone 2, Computer Science | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING | Pub Date: 2025-08-01 | DOI: 10.1007/s10515-025-00542-4
Mohamed A. El-Zawawy, Aya Hamdy

Android’s most widely used smartphone OS has several inter-app communication options, such as broadcast receivers, intents, content providers, and objectives. Even though the Android permission system restricts access and safeguards user data, security flaws allow malicious apps to abuse permission systems. Higher-order privilege escalation, where apps cooperate to circumvent security limitations throughout several phases, is a key vulnerability in this ecosystem. This paper presents a new method for n-order case analysis to find undetectable privilege escalations. Our approach systematically identifies multi-stage permission escalations via automated test case generation and stationary analysis. Unlike current methods emphasizing direct permission misuse, our approach analyzes escalation chains across many app interactions and uncovered 52,982 instances of fourth-order privilege escalation that went unnoticed when just first-order transitions were examined. Furthermore, our findings show an important distinction: benign programs gradually gain greater permissions through escalation chains, whereas malignant apps request excessively high upfront rights. This difference emphasizes the necessity of better permission management techniques to reduce the serious risk associated with rising higher-order privilege escalations, which are generally disregarded by current detection systems. Therefore, our method fulfills the need for a more scalable detection technique to address this challenging security concern in Android ecosystem.

Citations: 0
Envisioning responsible quantum software engineering and quantum artificial intelligence
IF 3.1 | Zone 2, Computer Science | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING | Pub Date: 2025-08-01 | DOI: 10.1007/s10515-025-00541-5
Muneera Bano, Shaukat Ali, Didar Zowghi

The convergence of Quantum Computing (QC), Quantum Software Engineering (QSE), and Artificial Intelligence (AI) presents transformative opportunities across various domains. However, existing methodologies inadequately address the ethical, security, and governance challenges arising from this technological shift. This paper highlights the urgent need for interdisciplinary collaboration to embed ethical principles into the development of Quantum AI (QAI) and QSE, ensuring transparency, inclusivity, and equitable global access. Without proactive governance, there is a risk of deepening digital inequalities and consolidating power among a select few. We call on the software engineering community to actively shape a future where responsible QSE and QAI are foundational for ethical, accountable, and socially beneficial technological progress.

Citations: 0
MCL-VD: Multi-modal contrastive learning with LoRA-enhanced GraphCodeBERT for effective vulnerability detection
IF 3.1 | Zone 2, Computer Science | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING | Pub Date: 2025-07-28 | DOI: 10.1007/s10515-025-00543-3
Yi Cao, Xiaolin Ju, Xiang Chen, Lina Gong

Vulnerability detection in software systems is a critical challenge due to the increasing complexity of code and the rising frequency of security vulnerabilities. Traditional approaches typically rely on single-modality inputs and struggle to distinguish between similar code snippets. However, multi-modal methods find it challenging to balance performance and efficiency. To address these challenges, we propose MCL-VD, a framework that leverages multi-modal inputs including source code, code comments, and AST to capture complementary structural and contextual information. We employ LoRA, which reduces the computational burden by optimizing the number of trainable parameters without sacrificing performance. Additionally, we apply multi-modal contrastive learning to align and differentiate the representations across the three modalities, thereby enhancing the model’s discriminative power and robustness. We designed and conducted experiments on three public benchmark datasets, i.e., Devign, Reveal, and Big-Vul. The experimental results show that MCL-VD significantly outperforms the best-performing baselines, achieving F1-score improvements ranging from 4.86% to 17.26%. These results highlight the effectiveness of combining multi-modal contrastive learning with LoRA optimization, providing a powerful and efficient solution for vulnerability detection.

Citations: 0
From code to insight: studying code representation techniques for ML-based God class detection to support intelligent IDEs
IF 3.1 | Zone 2, Computer Science | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING | Pub Date: 2025-07-25 | DOI: 10.1007/s10515-025-00534-4
Elmohanad Haroon, Khaled Tawfik Wassif, Lamia Abo Zaid

In the realm of software development, detecting code smells is a critical task for ensuring good code quality. God class code smell specifically has a specific nature associated with a great deal of subjectivity due to the levels of coupling and cohesion associated with it. Automated techniques for code smell detection aim to resolve this subjectivity. Machine learning techniques have shown promising results that tend to improve accuracy and reduce the bias associated with other techniques for God class identification. This is due to their pattern recognition capabilities making them more objective in identifying patterns that indicate code smells. However, current results need to be further improved in terms of both accuracy and generalizability. The challenge in the use of machine learning is not only in selecting the most appropriate technique but also lies in effectively representing source code as input patterns fed to Machine Learning (ML) classifier(s). Code representation plays a pivotal role in encoding source code for ML algorithms. This study aims to improve the accuracy and generalizability of God class code smell detection by exploring the effect of using various code representation techniques, namely, tree-based, metric-based, code embedding, and token-based code representation techniques on the ML detection results. The study is conducted on the MLCQ dataset, and applies various ML algorithms (specifically: Logistic Regression, Random Forest, SVM, Decision Tree, Naive Bayes, Gradient Boosting, XGBoost). The evaluation results show how different code representation techniques influence ML detection outcomes and the comparative performance of ML algorithms. The study findings reveal that the F1-score achieved outperforms prior studies on the MLCQ dataset, indicating the effectiveness of the proposed approach. The presented results reveal how the code representation technique used makes a significant impact on the ML classifier results. This paves the way for developing intelligent IDE plugins for just-in-time God Class code smell detection among other code smells.

Citations: 0
DESCG: data encoding scheme classification with GNN in binary analysis
IF 3.1 | Zone 2, Computer Science | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING | Pub Date: 2025-07-18 | DOI: 10.1007/s10515-025-00538-0
Xushu Dai, Nanqing Luo, Haizhou Wang, Zhilong Wang, Chen Cao, Peng Liu

Binary analysis, the process of examining software without its source code, plays a crucial role in understanding program behavior, e.g., evaluating the security properties of commercial software, and analyzing malware. One challenging aspect of this process is to classify data encoding schemes, such as encryption and compression, due to the absence of high-level semantic information. Existing approaches either rely on code similarity, which only works for known schemes, or heuristic rules, which lack scalability. In this paper, we propose DESCG, a novel deep learning-based method for automatically classifying four widely employed kinds of data encoding schemes in binary programs: encryption, compression, decompression, and hashing. Our approach leverages dynamic analysis to extract execution traces from binary programs, builds data dependency graphs from these traces, and incorporates critical feature engineering. By combining the specialized graph representation with the Graph Neural Network (GNN), our approach enables accurate classification without requiring prior knowledge of specific encoding schemes. The evaluation result shows that DESCG achieves 97.7% accuracy and an F1 score of 97.67%, outperforming baseline models. We also conducted an extensive evaluation of DESCG to explore which feature is more important for it and examine its performance and overhead.

Citations: 0
DPEfficR: a data and parameter efficient approach for training neural API recommendation model
IF 3.1 Zone 2 Computer Science Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING Pub Date: 2025-07-16 DOI: 10.1007/s10515-025-00530-8
Haibo Yu, Xiaohong Han, Simin Chen, Xiaoning Feng, Guangzhao Sun, Wei Yang

Recommending application programming interfaces (APIs) is practical and essential in today’s programming landscape. An accurate API recommendation system could significantly improve developers’ coding efficiency. State-of-the-art (SOTA) API recommendation systems typically employ deep learning models as the backend model. However, training the backend deep learning model for API recommendation systems poses a challenging task due to the significant effort required for data labeling and the need for extensive computations. These challenges deeply affect the process of updating an existing API recommendation system when the API evolves. To address these issues, this paper proposes DPEfficR, a data and parameter efficient method for building API recommendation systems. Specifically, DPEfficR includes (1) the data selection module; (2) the task-specific parameter tuning module; and (3) the runtime API selection module. The data selection module selects representative data, while the task-specific parameter tuning module tunes pre-trained LLMs with a small number of parameters. Once the LLM is well-tuned, the runtime API selection module searches for a more accurate API sequence through consistency checking. We compare our approach against seven baseline methods, which belong to three different types. Our comprehensive evaluation demonstrates the effectiveness of our approach in recommending a more accurate API sequence, achieving improvements of 40% in BLEU-4 and 25% in ROUGE-2 over the baseline methods, with only $3.61 \times 10^{4}$ tunable parameters, representing just 0.049% of the parameters used in the baseline methods. Moreover, our ablation study demonstrates the effectiveness of the proposed modules in our systems.

Citations: 0
Enhancing search-based testing with LLMs for finding bugs in system simulators
IF 3.1 Zone 2 Computer Science Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING Pub Date: 2025-07-10 DOI: 10.1007/s10515-025-00531-7
Aidan Dakhama, Karine Even-Mendoza, W. B Langdon, Héctor D. Menéndez, Justyna Petke

Despite the wide availability of automated testing techniques such as fuzzing, little attention has been devoted to testing computer architecture simulators. We propose a fully automated approach for this task. Our approach uses large language models (LLM) to generate input programs, including information about their parameters and types, as test cases for the simulators. The LLM’s output becomes the initial seed for an existing fuzzer, AFL++, which has been enhanced with three mutation operators, targeting both the input binary program and its parameters. We implement our approach in a tool called SearchSYS. We use it to test the gem5 system simulator. SearchSYS discovered 21 new bugs in gem5, 14 where gem5’s software prediction differs from the real behaviour on actual hardware, and 7 where it crashed. New defects were uncovered with each of the 6 LLMs used.

Citations: 0