ISSTA 2024
Mon 16 - Fri 20 September 2024 Vienna, Austria
co-located with ISSTA/ECOOP 2024
Thu 19 Sep 2024 15:30 - 15:50 at EI 10 Fritz Paschke - Vulnerabilities and Malware Chair(s): Wei You

The coordinated vulnerability disclosure model, widely adopted in open-source software (OSS) organizations, recommends the silent resolution of vulnerabilities without revealing vulnerability information until their public disclosure. However, the inherently public nature of OSS development leads to security fixes becoming publicly available in repositories weeks before the official disclosure of vulnerabilities. This time gap poses a significant security risk to OSS users, as attackers could discover the fix and exploit vulnerabilities before disclosure. Thus, there is a critical need for OSS users to sense fixes as early as possible to address the vulnerability before any exploitation occurs.

In response to this challenge, we introduce EarlyVulnFix, a novel approach designed to identify silent fixes for taint-style vulnerabilities—a persistent class of security weaknesses where attacker-controlled input reaches sensitive operations (sink) without proper sanitization. Leveraging data flow and dependency analysis, our tool distinguishes two types of connections between newly introduced code and sinks, tailored for two common fix scenarios. Our evaluation demonstrates that EarlyVulnFix surpasses state-of-the-art baselines by a substantial margin in terms of F1 score. Furthermore, when applied to the 700 latest commits across seven projects, EarlyVulnFix detected three security fixes before their respective security releases, highlighting its effectiveness in identifying unreported vulnerability fixes in the wild.

Thu 19 Sep

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

15:30 - 17:10
Vulnerabilities and MalwareTechnical Papers at EI 10 Fritz Paschke
Chair(s): Wei You Renmin University of China
15:30
20m
Talk
Silent Taint-Style Vulnerability Fixes Identification
Technical Papers
Zhongzhen Wen Nanjing University, Jiayuan Zhou Huawei, Minxue Pan Nanjing University, Shaohua Wang Central University of Finance and Economics, Xing Hu Zhejiang University, Tongtong Xu Huawei, Tian Zhang Nanjing University, Xuandong Li Nanjing University
DOI
15:50
20m
Talk
FortifyPatch: Towards Tamper-Resistant Live Patching in Linux-Based Hypervisor
Technical Papers
Zhenyu Ye Hunan University, Lei Zhou National University of Defense Technology, Fengwei Zhang Southern University of Science and Technology, Wenqiang Jin Hunan University, Zhenyu Ning Hunan University; Xinchuang Haihe Laboratory, Yupeng Hu Hunan University, Zheng Qin Hunan University
DOI
16:10
20m
Talk
Maltracker: A Fine-Grained NPM Malware Tracker Copiloted by LLM-Enhanced Dataset
Technical Papers
Zeliang Yu Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Xiaochen Guo Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology
DOI
16:30
20m
Talk
PatchFinder: A Two-Phase Approach to Security Patch Tracing for Disclosed Vulnerabilities in Open-Source Software
Technical Papers
Kaixuan Li East China Normal University; Nanyang Technological University, Jian Zhang Nanyang Technological University, Sen Chen Tianjin University, Han Liu East China Normal University, Yang Liu Nanyang Technological University, Yixiang Chen East China Normal University
DOI Pre-print
16:50
20m
Talk
An Empirical Study of Static Analysis Tools for Secure Code Review
Technical Papers
Wachiraphan (Ping) Charoenwet University of Melbourne, Patanamon Thongtanunam University of Melbourne, Thuan Pham University of Melbourne, Christoph Treude Singapore Management University
DOI

Information for Participants
Thu 19 Sep 2024 15:30 - 17:10 at EI 10 Fritz Paschke - Vulnerabilities and Malware Chair(s): Wei You
Info for room EI 10 Fritz Paschke:

Map: https://tuw-maps.tuwien.ac.at/?q=CAEG31

Room tech: https://raumkatalog.tiss.tuwien.ac.at/room/13948