Recently, learning-based approaches that learn code representations for software vulnerability detection have been shown to produce promising results. However, they still suffer from some limitations. On the one hand, some learning-based works learn a code representation of a single function for vulnerability detection, ignoring the fact that many vulnerabilities span multiple functions. On the other hand, other works leverage slicing techniques to extract the program semantics of vulnerable parts starting from dangerous API calls or variables (i.e., the source) and generate code representations from the slices, but they fail to identify the vulnerable parts precisely: slicing from the source alone cannot discriminate the sink, so every statement that depends on the source is included in the slice. To address these limitations, in this work we propose a learning-based approach named SnapVuln. It first utilizes multiple type-specific inter-procedural slicing algorithms that identify both the source and the sink and operate on inter-procedural graphs to capture precise program semantics for various vulnerability types. It then leverages a Gated Graph Neural Network (GGNN) to learn the graph structures and combines it with an attention mechanism that learns to assign different weights to different program semantics. Extensive experiments are conducted on two public datasets. We compare SnapVuln with five state-of-the-art learning-based vulnerability detection approaches and two pre-trained approaches. Experimental results confirm that SnapVuln outperforms these baselines. We further perform an ablation study to demonstrate that the completeness and precision of the vulnerability semantics captured by SnapVuln contribute to the improvement in vulnerability detection.
The extracted vulnerability semantics are incomplete.
The extracted vulnerability semantics are imprecise.
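To make the imprecision concrete, the following added example (illustrative code written for this page, not SnapVuln's implementation) runs two slicing strategies over a constructed data-dependence graph of a toy program: a forward slice from the source only, which pulls in every dependent statement, and a source-to-sink slice (a chop) that keeps only statements lying on a dependence path between the two. The program, its statement numbering and the edge list are assumptions made for the example; call/return edges across functions are treated like any other edge, which is what makes the same procedure applicable to an inter-procedural graph.

```python
from collections import defaultdict

# Constructed toy program (one statement per node; not from the paper):
#   1: n = read_input()         # source: untrusted length
#   2: buf = malloc(n)
#   3: log_len = n
#   4: printf("%d", log_len)
#   5: memcpy(buf, data, n)     # sink: memory write bounded by n
#   6: free(buf)
# Data-dependence edges: a -> b means statement b uses a value defined at a.
# Edges that cross a function boundary would be added here the same way.
DEPS = {1: [2, 3, 5], 2: [5, 6], 3: [4], 4: [], 5: [], 6: []}


def forward_slice(graph, start):
    """All statements transitively affected by `start` (source-only slicing)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def backward_slice(graph, target):
    """All statements that `target` transitively depends on."""
    reverse = defaultdict(list)
    for src, dsts in graph.items():
        for dst in dsts:
            reverse[dst].append(src)
    return forward_slice(reverse, target)


def source_sink_slice(graph, source, sink):
    """Statements on some dependence path from `source` to `sink` (a chop)."""
    return forward_slice(graph, source) & backward_slice(graph, sink)


if __name__ == "__main__":
    # Source-only slicing keeps the unrelated logging statements 3 and 4
    # and the free() at 6; the source-to-sink slice keeps only 1, 2 and 5.
    print("forward from source:", sorted(forward_slice(DEPS, 1)))
    print("source-to-sink slice:", sorted(source_sink_slice(DEPS, 1, 5)))
```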
We propose dedicated slicing algorithms for six of the most dangerous C/C++ vulnerability types in the Top 25 Most Dangerous Software Weaknesses list in order to capture precise vulnerability semantics. To the best of our knowledge, we are the first to design type-specific slicing algorithms that capture precise vulnerability semantics based on the characteristics of each vulnerability type.
We incorporate an attention mechanism into the gated graph neural network (GGNN) so that the model can learn to assign different weights to the subgraphs produced by the slicing algorithms, helping it learn better representations for vulnerability detection.
We systematically analyse the limitations of existing deep learning-based works for vulnerability detection and show through extensive experiments that the completeness and precision of vulnerability semantics are vital for automated vulnerability detection.
We conduct extensive experiments comparing \tool with seven state-of-the-art baselines, including five learning-based vulnerability detection baselines and two pre-trained approaches, on two public datasets. Experimental results show that the overall accuracy of \tool exceeds that of the five vulnerability detection baselines by at least 11.05\% and surpasses that of the two pre-trained baselines by at least 3.39\%. We have made our code and data publicly available on our website~\cite{website} for reproduction.