ARVO: Atlas of Reproducible Vulnerabilities for Open Source Software
Mei, Xiang, Singaria, Pulkit Singh, Del Castillo, Jordi, Xi, Haoran, Abdelouahab, null, Benchikh, null, Bao, Tiffany, Wang, Ruoyu, Shoshitaishvili, Yan, Doupé, Adam, Pearce, Hammond, Dolan-Gavitt, Brendan
–arXiv.org Artificial Intelligence
High-quality datasets of real-world vulnerabilities are enormously valuable for downstream research in software security, but existing datasets are typically small, require extensive manual effort to update, and are missing crucial features that such research needs. In this paper, we introduce ARVO: an Atlas of Reproducible Vulnerabilities in Open-source software. By sourcing vulnerabilities from C/C++ projects that Google's OSS-Fuzz discovered and implementing a reliable re-compilation system, we successfully reproduce more than 5,000 memory vulnerabilities across over 250 projects, each with a triggering input, the canonical developer-written patch for fixing the vulnerability, and the ability to automatically rebuild the project from source and run it at its vulnerable and patched revisions. Moreover, our dataset can be automatically updated as OSS-Fuzz finds new vulnerabilities, allowing it to grow over time. We provide a thorough characterization of the ARVO dataset, show that it can locate fixes more accurately than Google's own OSV reproduction effort, and demonstrate its value for future research through two case studies: firstly evaluating real-world LLM-based vulnerability repair, and secondly identifying over 300 falsely patched (still-active) zero-day vulnerabilities from projects improperly labeled by OSS-Fuzz.
arXiv.org Artificial Intelligence
Aug-4-2024
- Country:
- Oceania > Australia
- New South Wales (0.04)
- North America
- United States
- District of Columbia > Washington (0.05)
- Arizona (0.05)
- Maryland > Baltimore (0.04)
- New York > New York County
- New York City (0.04)
- Colorado > Denver County
- Denver (0.04)
- Canada > British Columbia
- United States
- Oceania > Australia
- Genre:
- Research Report (1.00)
- Industry:
- Information Technology > Security & Privacy (1.00)
- Technology:
- Information Technology
- Software (1.00)
- Security & Privacy (1.00)
- Artificial Intelligence
- Machine Learning (0.94)
- Natural Language > Large Language Model (0.89)
- Information Technology