亲爱的研友该休息了!由于当前在线用户较少,发布求助请尽量完整地填写文献信息,科研通机器人24小时在线,伴您度过漫漫科研夜!身体可是革命的本钱,早点休息,好梦!

Detecting Functionality-Specific Vulnerabilities via Retrieving Individual Functionality-Equivalent APIs in Open-Source Repositories

计算机科学 图形 卷积神经网络 可扩展性 人工智能 编码 边距(机器学习) 理论计算机科学 模式识别(心理学) 机器学习 生物化学 化学 数据库 基因
作者
Chen, Tianyu,Wang, Zeyu,Li, Lin,Li, Ding,Li, Zongyang,Chang, Xiaoning,Bian, Pan,Liang, Guangtai,Wang, Qianxiang,Xie, Tao
标识
DOI:10.4230/lipics.ecoop.2025.6
摘要

Functionality-specific vulnerabilities, which mainly occur in Application Programming Interfaces (APIs) with specific functionalities, are crucial for software developers to detect and avoid. When detecting individual functionality-specific vulnerabilities, the existing two categories of approaches are ineffective because they consider only the API bodies and are unable to handle diverse implementations of functionality-equivalent APIs. To effectively detect functionality-specific vulnerabilities, we propose APISS, the first approach to utilize API doc strings and signatures instead of API bodies. APISS first retrieves functionality-equivalent APIs for APIs with existing vulnerabilities and then migrates Proof-of-Concepts (PoCs) of the existing vulnerabilities for newly detected vulnerable APIs. To retrieve functionality-equivalent APIs, we leverage a Large Language Model for API embedding to improve the accuracy and address the effectiveness and scalability issues suffered by the existing approaches. To migrate PoCs of the existing vulnerabilities for newly detected vulnerable APIs, we design a semi-automatic schema to substantially reduce manual costs. We conduct a comprehensive evaluation to empirically compare APISS with four state-of-the-art approaches of detecting vulnerabilities and two state-of-the-art approaches of retrieving functionality-equivalent APIs. The evaluation subjects include 180 widely used Java repositories using 10 existing vulnerabilities, along with their PoCs. The results show that APISS effectively retrieves functionality-equivalent APIs, achieving a Top-1 Accuracy of 0.81 while the best of the baselines under comparison achieves only 0.55. APISS is highly efficient: the manual costs are within 10 minutes per vulnerability and the end-to-end runtime overhead of testing one candidate API is less than 2 hours. APISS detects 179 new vulnerabilities and receives 60 new CVE IDs, bringing high value to security practice.
最长约 10秒,即可获得该文献文件

科研通智能强力驱动
Strongly Powered by AbleSci AI
科研通是完全免费的文献互助平台,具备全网最快的应助速度,最高的求助完成率。 对每一个文献求助,科研通都将尽心尽力,给求助人一个满意的交代。
实时播报
我是老大应助大气大侠采纳,获得10
8秒前
18秒前
大气大侠发布了新的文献求助10
22秒前
24秒前
wuyouping发布了新的文献求助10
28秒前
flyinthesky完成签到,获得积分10
29秒前
Owen应助wuyouping采纳,获得10
38秒前
HC完成签到,获得积分10
40秒前
大气大侠完成签到,获得积分20
43秒前
张晓祁完成签到,获得积分10
50秒前
55秒前
yueying完成签到,获得积分0
1分钟前
1分钟前
1分钟前
1分钟前
xfcy完成签到,获得积分10
1分钟前
1分钟前
Kao应助三体人采纳,获得10
1分钟前
1分钟前
在水一方应助君莫笑采纳,获得10
1分钟前
1分钟前
mengzhe完成签到,获得积分10
1分钟前
2分钟前
2分钟前
2分钟前
2分钟前
3分钟前
3分钟前
3分钟前
3分钟前
酷波er应助houshyari采纳,获得30
3分钟前
3分钟前
3分钟前
4分钟前
4分钟前
4分钟前
吴梓豪发布了新的文献求助10
4分钟前
4分钟前
英俊的铭应助leinei采纳,获得10
4分钟前
4分钟前
高分求助中
Principles of Economics, 11th Edition 10000
University Physics with Modern Physics, 16th edition 10000
(应助此贴封号)【重要!!请各用户(尤其是新用户)详细阅读】【科研通的精品贴汇总】 10000
Matrix Methods in Data Mining and Pattern Recognition 510
Social Skills Improvement System-Rating Scales--Chinese Version 500
Dynamische Polarisation von H-1 und B-11 in (CH-3)-3NBH-3 500
CLSI M07 2024 500
热门求助领域 (近24小时)
化学 材料科学 医学 生物 纳米技术 工程类 有机化学 化学工程 生物化学 计算机科学 内科学 物理 复合材料 催化作用 细胞生物学 无机化学 光电子学 物理化学 电极 基因
热门帖子
关注 科研通微信公众号,转发送积分 7247683
求助须知:如何正确求助?哪些是违规求助? 8870694
关于积分的说明 18712095
捐赠科研通 6925862
什么是DOI,文献DOI怎么找? 3197998
关于科研通互助平台的介绍 2373730
邀请新用户注册赠送积分活动 2172844