Bran: Reduce Vulnerability Search Space in Large Open Source Repositories by Learning Bug Symptoms


Software is continually increasing in size and complexity, and therefore, vulnerability discovery would benefit from techniques that identify potentially vulnerable regions within large code bases, as this allows for easing vulnerability detection tools by reducing their search space. Previous work has explored the use of conventional code-quality and complexity metrics in highlighting suspicious sections of (source) code. Recently, researchers also proposed to reduce the vulnerability search space by studying code property with neural networks. However, previous work generally failed in leveraging the rich metadata available for long-running, large code repositories. In this paper, we present an approach (Bran) to reduce the vulnerability search space by combining conventional code metrics with fine-grained repository metadata. Bran locates code sections that are more likely to contain vulnerabilities in large code bases, potentially improving the efficiency of both manual and automatic code audits. In our experiments on four large code bases, Bran successfully highlighted potentially vulnerable functions, outperforming several baselines, including state-of-art vulnerability prediction tools. We also assess Bran’s effectiveness in assisting automated testing tools. We use Bran to guide syzkaller, a known kernel fuzzer, in fuzzing a recent version of the Linux kernel. The guided fuzzer identified 26 bugs (10 are zero-day flaws), including arbitrary writes and reads.

Conference paper
In Proceedings of the ACM ASIA Conference on Computer and Communications Security (ASIACCS)