SliceLocator: Locating Vulnerable Statements with Graph-based Detectors

TL;DR

SliceLocator is a novel graph-based method that accurately locates vulnerability-triggering statements in code by leveraging the detector's understanding of vulnerability differences, outperforming existing explanation techniques.

Contribution

It introduces SliceLocator, which effectively identifies vulnerability-triggering statements by selecting the most relevant taint flow, enhancing the interpretability of GNN-based vulnerability detectors.

Findings

Achieves around 87% accuracy in locating vulnerability statements.

Outperforms five explanation methods and two detectors.

Consistently effective across multiple vulnerabilities.

Abstract

Vulnerability detection is a crucial component in the software development lifecycle. Existing vulnerability detectors, especially those based on deep learning (DL) models, have achieved high effectiveness. Despite their capability of detecting vulnerable code snippets from given code fragments, the detectors are typically unable to further locate the fine-grained information pertaining to the vulnerability, such as the precise vulnerability triggering locations. Although explanation methods can filter important statements based on the predictions of code fragments, their effectiveness is limited by the fact that the model primarily learns the difference between vulnerable and non-vulnerable samples. In this paper, we propose SliceLocator, which, unlike previous approaches, leverages the detector's understanding of the differences between vulnerable and non-vulnerable samples, essentially, vulnerability-fixing statements. SliceLocator identifies the most relevant taint flow by selecting the highest-weighted flow path from all potential vulnerability-triggering statements in the program, in conjunction with the detector. We demonstrate that SliceLocator consistently performs well on four state-of-the-art GNN-based vulnerability detectors, achieving an accuracy of around 87% in flagging vulnerability-triggering statements across six common C/C++ vulnerabilities. It outperforms five widely used GNN-based explanation methods and two statement-level detectors.