SPVF: security property assisted vulnerability fixing via attention-based models

Zhou, Zhou; Bo, Lili; Wu, Xiaoxue; Sun, Xiaobing; Tao, Zhang; Li, Bin; Zhang, Jiale; Cao, Sicong

doi:10.1007/s10664-022-10216-4

Cited by 13 publications

(4 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Token attention values serve as a feature type in the transformer-based model, and are helpful in identifying key tokens or contents contributing to natural language processing tasks [79]. The attention mechanism can adaptively learn the importance of even distant parts of the input code sequence for a better understating of the code's contextual information and effectively fulfil software vulnerability detection tasks [54][55][56][57][58]. Some researchers found that the attention values can serve as a proxy for the importance of tokens [53].…”

Section: Taxonomy Of Related Workmentioning

confidence: 99%

Assessment of Software Vulnerability Contributing Factors by Model-Agnostic Explainable AI

Li,

Liu,

Huang

2024

MAKE

View full text Add to dashboard Cite

Software vulnerability detection aims to proactively reduce the risk to software security and reliability. Despite advancements in deep-learning-based detection, a semantic gap still remains between learned features and human-understandable vulnerability semantics. In this paper, we present an XAI-based framework to assess program code in a graph context as feature representations and their effect on code vulnerability classification into multiple Common Weakness Enumeration (CWE) types. Our XAI framework is deep-learning-model-agnostic and programming-language-neutral. We rank the feature importance of 40 syntactic constructs for each of the top 20 distributed CWE types from three datasets in Java and C++. By means of four metrics of information retrieval, we measure the similarity of human-understandable CWE types using each CWE type’s feature contribution ranking learned from XAI methods. We observe that the subtle semantic difference between CWE types occurs after the variation in neighboring features’ contribution rankings. Our study shows that the XAI explanation results have approximately 78% Top-1 to 89% Top-5 similarity hit rates and a mean average precision of 0.70 compared with the baseline of CWE similarity identified by the open community experts. Our framework allows for code vulnerability patterns to be learned and contributing factors to be assessed at the same stage.

show abstract

Section: Taxonomy Of Related Workmentioning

confidence: 99%

Assessment of Software Vulnerability Contributing Factors by Model-Agnostic Explainable AI

Li,

Liu,

Huang

2024

MAKE

View full text Add to dashboard Cite

show abstract

“…Zhou et al [185] propose a novel approach SFVP for automatically fixing vulnerabilities based on the attention-mechanism model. SPVF first extracts the security properties from descriptions of the vulnerabilities (e.g., CWE category).…”

Section: Domain Repairmentioning

confidence: 99%

A Survey of Learning-based Automated Program Repair

Zhang¹,

Fang²,

Ma³

et al. 2023

Preprint

View full text Add to dashboard Cite

Automated program repair (APR) aims to fix software bugs automatically and plays a crucial role in software development and maintenance. With the recent advances in deep learning (DL), an increasing number of APR techniques have been proposed to leverage neural networks to learn bug-fixing patterns from massive opensource code repositories. Such learning-based techniques usually treat APR as a neural machine translation (NMT) task, where buggy code snippets (i.e., source language) are translated into fixed code snippets (i.e., target language) automatically. Benefiting from the powerful capability of DL to learn hidden relationships from previous bug-fixing datasets, learning-based APR techniques have achieved remarkable performance.In this paper, we provide a systematic survey to summarize the current state-of-the-art research in the learning-based APR community. We illustrate the general workflow of learning-based APR techniques and detail the crucial components, including fault localization, patch generation, patch ranking, patch validation, and patch correctness phases. We then discuss the widely-adopted datasets and evaluation metrics and outline existing empirical studies. We discuss several critical aspects of learning-based APR techniques, such as repair domains, industrial deployment, and the open science issue. We highlight several practical guidelines on applying DL techniques for future APR studies, such as exploring explainable patch generation and utilizing code features. Overall, our paper can help researchers gain a comprehensive understanding about the achievements of the existing learning-based APR techniques and promote the practical application of these techniques. Our artifacts are publicly available at https://github.com/QuanjunZhang/AwesomeLearningAPR. CCS Concepts: • Software and its engineering → Software testing and debugging; Software testing and debugging.

show abstract

“…While there has been considerable attention given to semantic bugs (Liu et al, 2021;Yuan et al, 2022;Yi Li, 2022;Nan Jiang, 2021;Lutellier et al, 2020) and vulnerability issues (Fu et al, 2022;Chen et al, 2021;Chi et al, 2022;Zhou et al, 2022) in the field of program repair, there is an increasing interest in learning-based approaches for fixing programming assignments submitted by students (Gupta et al, 2017;Ahmed et al, 2018a;Yasunaga and Liang, 2020;Orvalho et al, 2022;Wang et al, 2018;Yi et al, 2017;Gulwani et al, 2018). Unlike experienced software engineers, students are more prone to making syntactic errors in their code.…”

Section: Automated Program Repairmentioning

confidence: 99%

Iaso: Enhancing Syntax Error Correction using Deep Learning Techniques

Wong

2023

Preprint

View full text Add to dashboard Cite

Syntax errors can significantly impede students' progress and comprehension of programming concepts. AI-generated programs are also prone to syntax bugs, highlighting the importance of effectively addressing and resolving such errors. This paper presents Iaso, an automated program repair tool designed specifically to rectify syntax errors in student and AI-generated C programs. Iaso consists of three components: a syntax-based C program generator, an error localization model, and an ensemble code corrector. The program generator is trained on a seed dataset to generate complete and compilable C programs, which are then used to train the corrector. The corrector, trained on a combination of the seed dataset and a synthetic dataset, adopts an ensemble approach to gather fixes from multiple correctors trained on different datasets. During the repair process, Iaso's error localization model utilizes information from the deep learning model, raw code, and compiler messages to precisely identify the required repairs. To evaluate our method, we compare it against two automated program correctors: DrRepair and TransRepair. Iaso demonstrates notable performance, achieving a full repair rate of 78.8\% (+4.2\%) on the Deepfix test set and 91.0\% (+6.8\%) on the Tracer test set, generating over 1,300,000 erroneous C programs. Compared to the large language model PaLM, our strategy showcases a significant 6\% improvement in accuracy, considering the unlimited edit size used by PaLM. Furthermore, when compared to the state-of-the-art dialogue model ChatGPT, our method exhibits only a slight 1.4\% deviation while utilizing significantly fewer resources.

show abstract

SPVF: security property assisted vulnerability fixing via attention-based models

Cited by 13 publications

References 32 publications

Assessment of Software Vulnerability Contributing Factors by Model-Agnostic Explainable AI

Assessment of Software Vulnerability Contributing Factors by Model-Agnostic Explainable AI

A Survey of Learning-based Automated Program Repair

Iaso: Enhancing Syntax Error Correction using Deep Learning Techniques

Contact Info

Product

Resources

About