Aligning Core Aspects: Improving Vulnerability Proof-of-Concepts via Cross-Source Insights
Lingxiao Wang, Wenjing Dang, Mengyao Zhang, Yue Wang, Xianzong Wu, Sen Chen

TL;DR
This study analyzes the information gaps in public vulnerability PoC reports and proposes a multi-source fusion approach to enhance their completeness, significantly improving the utility of these reports for researchers.
Contribution
It is the first to systematically study PoC report deficiencies across platforms and introduces a novel multi-source fusion method to complete missing information.
Findings
All public PoC reports have at least one missing key aspect.
The proposed method completed 40.18% of PoC reports, totaling 69,583 reports.
The approach effectively mitigates information deficiency in PoC reports.
Abstract
For vulnerabilities, Proof-of-Concept (PoC) plays an irreplaceable role in demonstrating exploitability. PoC reports may include critical information such as specific usage, test platforms, and more, providing essential insights for researchers. However, in reality, due to various PoC templates across PoC platforms, PoC reports extensively suffer from information deficiency, leading to suboptimal quality and limited usefulness. Fortunately, we found that information deficiency of PoC reports could be mitigated by the completion from multiple sources given the same referred vulnerability. In this paper, we conduct the first study on the deficiency of information in PoC reports across public platforms. We began by collecting 173,170 PoC reports from 4 different platforms and defined 8 key aspects that PoCs should contain. By integrating rule-based matching and a fine-tuned BERT-NER…
