A Slicing-Based Approach for Detecting and Patching Vulnerable Code Clones
Hakam Alomari, Christopher Vendome, Hilal Gyawali

TL;DR
This paper presents srcVul, a scalable and precise method combining program slicing and hashing to detect and patch vulnerable code clones, improving security in software development.
Contribution
The paper introduces srcVul, a novel approach that uses vulnerability slicing vectors and hashing for accurate detection and patch recommendation of vulnerable code clones.
Findings
Achieves 91% precision and 75% recall in vulnerability detection.
Demonstrates effectiveness across diverse codebases.
Outperforms existing clone detectors in accuracy and scalability.
Abstract
Code cloning is a common practice in software development, but it poses significant security risks by propagating vulnerabilities across cloned segments. To address this challenge, we introduce srcVul, a scalable, precise detection approach that combines program slicing with Locality-Sensitive Hashing to identify vulnerable code clones and recommend patches. srcVul builds a database of vulnerability-related slices by analyzing known vulnerable programs and their corresponding patches, indexing each slice's unique structural characteristics as a vulnerability slicing vector. During clone detection, srcVul efficiently matches slicing vectors from target programs with those in the database, recommending patches upon identifying similarities. Our evaluation of srcVul against three state-of-the-art vulnerable clone detectors demonstrates its accuracy, efficiency, and scalability, achieving…
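The abstract describes indexing each vulnerability-related slice as a slicing vector and matching target vectors against the database with Locality-Sensitive Hashing before recommending a patch. The block below is an added illustration of that pipeline shape, not srcVul's code: the feature-count encoding, the random-hyperplane LSH scheme for cosine similarity, the similarity threshold, and all vulnerability identifiers, patch labels and sample slices are constructed assumptions.

```python
"""Sketch of vulnerability-slice matching with Locality-Sensitive Hashing.

Added illustration; the feature encoding, the LSH scheme (random hyperplanes
for cosine similarity) and all sample data are assumptions, not srcVul's code.
"""
import math
import random

# Constructed, fixed-order list of structural features counted per slice.
FEATURES = ["decl", "assign", "call", "if", "loop", "return", "deref", "index"]


def slicing_vector(counts):
    """Encode a slice's structural feature counts as a fixed-order vector.

    `counts` maps feature name -> occurrence count; absent features count as 0.
    This is a hypothetical stand-in for a vulnerability slicing vector.
    """
    return [float(counts.get(f, 0)) for f in FEATURES]


def cosine(a, b):
    """Cosine similarity, used as the exact check after LSH candidate lookup."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


class RandomHyperplaneLSH:
    """Multi-table LSH for cosine similarity: key bits are projection signs."""

    def __init__(self, dim, n_bits=8, n_tables=12, seed=7):
        rng = random.Random(seed)
        # One set of n_bits random hyperplanes per table.
        self.tables = [
            [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]
            for _ in range(n_tables)
        ]
        self.buckets = [{} for _ in range(n_tables)]
        self.vectors = {}

    @staticmethod
    def _key(planes, vec):
        # Bit i is the sign of vec's projection onto hyperplane i.
        return tuple(
            1 if sum(p * v for p, v in zip(plane, vec)) >= 0.0 else 0
            for plane in planes
        )

    def index(self, item_id, vec):
        self.vectors[item_id] = vec
        for planes, bucket in zip(self.tables, self.buckets):
            bucket.setdefault(self._key(planes, vec), []).append(item_id)

    def candidates(self, vec):
        """Union of bucket contents across tables; may contain false positives."""
        found = set()
        for planes, bucket in zip(self.tables, self.buckets):
            found.update(bucket.get(self._key(planes, vec), ()))
        return found


class VulnSliceDB:
    """Known-vulnerable slice vectors paired with their patch references."""

    def __init__(self, threshold=0.95):
        self.lsh = RandomHyperplaneLSH(dim=len(FEATURES))
        self.patches = {}
        self.threshold = threshold

    def add(self, vuln_id, counts, patch_ref):
        self.lsh.index(vuln_id, slicing_vector(counts))
        self.patches[vuln_id] = patch_ref

    def match(self, counts):
        """Return [(vuln_id, patch_ref, similarity)] for slices cloning a known one."""
        vec = slicing_vector(counts)
        hits = []
        for vuln_id in self.lsh.candidates(vec):
            sim = cosine(vec, self.lsh.vectors[vuln_id])
            if sim >= self.threshold:  # exact check filters LSH false positives
                hits.append((vuln_id, self.patches[vuln_id], sim))
        return sorted(hits, key=lambda h: -h[2])


# Constructed sample database: hypothetical vulnerable slices and patch labels.
SAMPLE_DB = VulnSliceDB()
SAMPLE_DB.add("VULN-A", {"decl": 2, "assign": 3, "call": 1, "loop": 1, "deref": 4, "index": 2},
              "PATCH-A (hypothetical)")
SAMPLE_DB.add("VULN-B", {"decl": 1, "call": 3, "if": 2, "return": 2},
              "PATCH-B (hypothetical)")

# Constructed target slices: an exact clone, a lightly edited clone, unrelated code.
EXACT_CLONE = {"decl": 2, "assign": 3, "call": 1, "loop": 1, "deref": 4, "index": 2}
NEAR_CLONE = {"decl": 2, "assign": 3, "call": 1, "loop": 1, "deref": 4, "index": 3}
UNRELATED = {"if": 5, "return": 1}


def matched_ids(counts):
    """Identifiers of known vulnerable slices the target is judged to clone."""
    return [vuln_id for vuln_id, _, _ in SAMPLE_DB.match(counts)]


if __name__ == "__main__":
    for name, target in [("exact clone", EXACT_CLONE),
                         ("near clone", NEAR_CLONE),
                         ("unrelated", UNRELATED)]:
        print(name, SAMPLE_DB.match(target))
```

The LSH lookup only narrows the search to candidate buckets; the cosine check afterwards is what decides a match, so a collision between dissimilar vectors costs a comparison rather than a false recommendation. Recall, by contrast, depends on the number of tables: a lightly edited clone can miss every bucket of its original, which is why the exact check alone is not enough and the table count is a tuning knob.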
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Engineering Research · Software Testing and Debugging Techniques
