Example-Based Vulnerability Detection and Repair in Java Code
Ying Zhang, Ya Xiao, Md Mahir Asef Kabir, Danfeng (Daphne) Yao, Na Meng

TL;DR
Seader is an example-based tool that detects and repairs security-API misuses in Java code by inferring templates from insecure-secure code pairs, significantly improving vulnerability detection and fixing accuracy.
Contribution
We developed Seader, a novel example-based approach that infers API-misuse templates from code pairs to detect and repair vulnerabilities, addressing limitations of pattern-based tools.
Findings
Seader inferred 21 unique API-misuse templates and fixes from 28 code pairs.
Achieved 95% precision and 72% recall in vulnerability detection on a benchmark.
Correctly repaired 76 out of 77 manually checked cases in open-source projects.
Abstract
The Java libraries JCA and JSSE offer cryptographic APIs to facilitate secure coding. When developers misuse some of the APIs, their code becomes vulnerable to cyber-attacks. To eliminate such vulnerabilities, people built tools to detect security-API misuses via pattern matching. However, most tools do not (1) fix misuses or (2) allow users to extend tools' pattern sets. To overcome both limitations, we created Seader, an example-based approach to detect and repair security-API misuses. Given an exemplar <insecure, secure> code pair, Seader compares the snippets to infer any API-misuse template and corresponding fixing edit. Based on the inferred info, given a program, Seader performs inter-procedural static analysis to search for security-API misuses and to propose customized fixes. For evaluation, we applied Seader to 28 <insecure, secure> code pairs; Seader successfully inferred 21…
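The abstract describes the two halves of the approach: infer a misuse template plus a fixing edit from an <insecure, secure> pair, then scan a program for the template and propose the edit. The following Python script is an added toy illustration of that idea; it is not Seader's code and does not reproduce its algorithm. Where Seader uses inter-procedural static analysis, this toy only follows String constants declared in the same file, and its regex-based call extraction handles flat (non-nested) argument lists. The code pairs, the target program, and the class and constant names in it are constructed for the example.

```python
"""Toy example-based detector/repairer for Java security-API misuse.

Added illustration only, not Seader's implementation. It infers a
<misuse template, fixing edit> from an <insecure, secure> code pair and
then applies it to a program, resolving String constants in the same file
as a stand-in for Seader's inter-procedural analysis.
"""
import re
from dataclasses import dataclass

# A (possibly qualified) call with a flat argument list, e.g. Cipher.getInstance("AES")
CALL_RE = re.compile(r'([A-Za-z_][\w.]*)\s*\(([^()]*)\)')
# A String constant declaration, e.g. static final String ALG = "AES";
CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;')


@dataclass(frozen=True)
class Template:
    api: str            # qualified method name, e.g. "Cipher.getInstance"
    insecure_args: str  # argument text that constitutes the misuse
    secure_args: str    # replacement argument text (the fixing edit)


def calls(code):
    """Return [(api, args), ...] for every flat call found in the code text."""
    return [(m.group(1), m.group(2).strip()) for m in CALL_RE.finditer(code)]


def infer_template(insecure, secure):
    """Infer a template from a pair: the one call whose arguments changed."""
    bad, good = calls(insecure), calls(secure)
    if len(bad) != len(good):
        raise ValueError("toy inference expects the same calls in both snippets")
    diffs = [(a, ia, sa) for (a, ia), (b, sa) in zip(bad, good) if a == b and ia != sa]
    if len(diffs) != 1:
        raise ValueError("pair must differ in exactly one call's arguments")
    api, ia, sa = diffs[0]
    return Template(api, ia, sa)


def detect_and_fix(program, templates):
    """Return findings as (line_no, api, original_line, fixed_line), 1-based lines."""
    lines = program.splitlines()
    consts, const_line = {}, {}
    for i, line in enumerate(lines):          # toy constant propagation
        m = CONST_RE.search(line)
        if m:
            consts[m.group(1)] = f'"{m.group(2)}"'
            const_line[m.group(1)] = i
    findings = []
    for i, line in enumerate(lines):
        for api, args in calls(line):
            resolved = consts.get(args, args)  # follow a constant passed by name
            for t in templates:
                if api != t.api or resolved != t.insecure_args:
                    continue
                if args in consts:
                    # the misuse originates in a constant: repair its declaration
                    j = const_line[args]
                    fixed = lines[j].replace(t.insecure_args, t.secure_args)
                    findings.append((j + 1, api, lines[j].strip(), fixed.strip()))
                else:
                    fixed = line.replace(t.insecure_args, t.secure_args)
                    findings.append((i + 1, api, line.strip(), fixed.strip()))
    return findings


# Constructed exemplar pairs (hypothetical input, not from the paper)
INSECURE_CIPHER = 'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");'
SECURE_CIPHER = 'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");'
INSECURE_DIGEST = 'MessageDigest md = MessageDigest.getInstance("MD5");'
SECURE_DIGEST = 'MessageDigest md = MessageDigest.getInstance("SHA-256");'

# Constructed target program; ALG hides the ECB misuse behind a constant
TARGET = '''\
public class Demo {
    static final String ALG = "AES/ECB/PKCS5Padding";
    void run(SecretKey key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance(ALG);
        MessageDigest ok = MessageDigest.getInstance("SHA-256");
        MessageDigest weak = MessageDigest.getInstance("MD5");
    }
}
'''

TEMPLATES = [infer_template(INSECURE_CIPHER, SECURE_CIPHER),
             infer_template(INSECURE_DIGEST, SECURE_DIGEST)]


def demo():
    """Run both inferred templates over TARGET and return the findings."""
    return detect_and_fix(TARGET, TEMPLATES)


if __name__ == "__main__":
    for line_no, api, before, after in demo():
        print(f"line {line_no}: {api} misuse\n  - {before}\n  + {after}")
```

Running it reports two misuses: the ECB cipher, whose fix lands on the `ALG` declaration rather than the call site because that is where the insecure string lives, and the MD5 digest; the SHA-256 call is left alone. The point of the example-based framing is that adding a new pair (for instance a hostname-verifier or trust-manager misuse) extends the detector without writing a new pattern by hand, which is the extensibility gap the abstract attributes to pattern-based tools.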
Taxonomy
Topics: Software Reliability and Analysis Research · Advanced Malware Detection Techniques · Software Engineering Research
