SoK: Towards Effective Automated Vulnerability Repair

TL;DR

This paper systematically reviews automated vulnerability repair techniques, categorizing existing methods, evaluating their strengths and limitations, and highlighting future research directions to improve software security.

Contribution

It provides a comprehensive taxonomy and benchmarking of AVR methods, analyzing their effectiveness and identifying challenges and trends in the field.

Findings

No single best AVR approach exists.

Learning-based methods perform well in specific scenarios.

Complex vulnerabilities remain challenging for current methods.

Abstract

The increasing prevalence of software vulnerabilities necessitates automated vulnerability repair (AVR) techniques. This Systematization of Knowledge (SoK) provides a comprehensive overview of the AVR landscape, encompassing both synthetic and real-world vulnerabilities. Through a systematic literature review and quantitative benchmarking across diverse datasets, methods, and strategies, we establish a taxonomy of existing AVR methodologies, categorizing them into template-guided, search-based, constraint-based, and learning-driven approaches. We evaluate the strengths and limitations of these approaches, highlighting common challenges and practical implications. Our comprehensive analysis of existing AVR methods reveals a diverse landscape with no single ``best'' approach. Learning-based methods excel in specific scenarios but lack complete program understanding, and both learning and non-learning methods face challenges with complex vulnerabilities. Additionally, we identify emerging trends and propose future research directions to advance the field of AVR. This SoK serves as a valuable resource for researchers and practitioners, offering a structured understanding of the current state-of-the-art and guiding future research and development in this critical domain.