Well Begun is Half Done: Location-Aware and Trace-Guided Iterative Automated Vulnerability Repair

TL;DR

This paper introduces \\sysname, an LLM-based vulnerability repair method that incorporates location guidance and patch quality assessment, significantly improving the number and correctness of generated patches on real-world C/C++ vulnerabilities.

Contribution

velops \\sysname, a novel LLM-based vulnerability repair approach that considers patch locations and assesses patch quality to enhance repair effectiveness.

Findings

hieves 27 plausible patches, outperforming baselines.

complishes 8 to 13 more correct repairs than existing methods.

emonstrates substantial improvements on a real-world vulnerability dataset.

Abstract

The advances of large language models (LLMs) have paved the way for automated software vulnerability repair approaches, which iteratively refine the patch until it becomes plausible. Nevertheless, existing LLM-based vulnerability repair approaches face notable limitations: 1) they ignore the concern of locations that need to be patched and focus solely on the repair content. 2) they lack quality assessment for generated candidate patches in the iterative process. To tackle the two limitations, we propose \sysname, an LLM-based approach that provides information about where should be patched first. Furthermore, \sysname improves the iterative repair strategy by assessing the quality of test-failing patches and selecting the best patch for the next iteration. We introduce two dimensions to assess the quality of patches: whether they introduce new vulnerabilities and the taint statement coverage. We evaluated \sysname on a real-world C/C++ vulnerability repair dataset VulnLoc+, which contains 40 vulnerabilities and their Proofs-of-Vulnerability. The experimental results demonstrate that \sysname exhibits substantial improvements compared with the Neural Machine Translation-based, Program Analysis-based, and LLM-based state-of-the-art vulnerability repair approaches. Specifically, \sysname is able to generate 27 plausible patches, which is comparable to or even 8 to 22 more plausible patches than the baselines. In terms of correct patch generation, \sysname repairs 8 to 13 additional vulnerabilities compared with existing approaches.