TL;DR
PatchRNN is a deep learning system designed to automatically identify secret security patches in open-source software by analyzing commit messages and source code features, enabling timely vulnerability fixes.
Contribution
The paper introduces PatchRNN, a novel deep learning approach that combines text and code analysis to detect security patches that are not explicitly documented.
Findings
Successfully detects secret security patches with low false positives.
Effective on large-scale real-world datasets and case studies.
Improves security patch identification in open-source projects.
Abstract
With the increasing usage of open-source software (OSS) components, vulnerabilities embedded within them are propagated to a huge number of underlying applications. In practice, the timely application of security patches in downstream software is challenging. The main reason is that such patches do not explicitly indicate their security impacts in the documentation, which would be difficult to recognize for software maintainers and users. However, attackers can still identify these "secret" security patches by analyzing the source code and generate corresponding exploits to compromise not only unpatched versions of the current software, but also other similar software packages that may contain the same vulnerability due to code cloning or similar design/implementation logic. Therefore, it is critical to identify these secret security patches to enable timely fixes. To this end, we…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
