VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements

TL;DR

VELVET is an ensemble learning approach that combines graph-based and sequence-based neural networks to accurately locate vulnerable statements in source code, significantly outperforming existing static analyzers and neural models.

Contribution

The paper introduces VELVET, a novel ensemble neural network model that effectively captures code semantics for vulnerability localization, outperforming baseline methods on real-world and synthetic datasets.

Findings

VELVET achieves 4.5x better performance than static analyzers on real-world data.

VELVET attains 99.6% top-1 accuracy on synthetic data.

VELVET outperforms baseline deep-learning models by 5.3-29.0%.

Abstract

Automatically locating vulnerable statements in source code is crucial to assure software security and alleviate developers' debugging efforts. This becomes even more important in today's software ecosystem, where vulnerable code can flow easily and unwittingly within and across software repositories like GitHub. Across such millions of lines of code, traditional static and dynamic approaches struggle to scale. Although existing machine-learning-based approaches look promising in such a setting, most work detects vulnerable code at a higher granularity -- at the method or file level. Thus, developers still need to inspect a significant amount of code to locate the vulnerable statement(s) that need to be fixed. This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements. Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph and effectively understand code semantics and vulnerable patterns. To study VELVET's effectiveness, we use an off-the-shelf synthetic dataset and a recently published real-world dataset. In the static analysis setting, where vulnerable functions are not detected in advance, VELVET achieves 4.5x better performance than the baseline static analyzers on the real-world data. For the isolated vulnerability localization task, where we assume the vulnerability of a function is known while the specific vulnerable statement is unknown, we compare VELVET with several neural networks that also attend to local and global context of code. VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively, outperforming the baseline deep-learning models by 5.3-29.0%.