Research area: Strategies
Venue: CODASPY '25: Proceedings of the Fifteenth ACM Conference on Data and Application Security and Privacy
The growing complexity of software systems and the management of large, rapidly evolving codebases require analyzing enormous numbers of changed lines of code every day as a result of modifications and refactoring. Despite static and dynamic analysis, test coverage, and rigorous code review, traditional methods often fail to detect all security vulnerabilities, leaving significant risk in production software. Recently, deep learning models have shown promise for improving vulnerability detection. Yet a clear gap remains between the abilities of current deep learning approaches and the performance required for precise source-code vulnerability detection. Bridging this gap requires progress in two fundamental areas: a code representation that accurately captures program semantics, and a model architecture expressive enough to analyze that representation effectively. We introduce VulPatrol, a semantic-aware, deep neural network-based system that constructs interprocedural code property graphs over LLVM-IR compiled from C/C++ source code. VulPatrol employs message-passing neural networks to capture complex dependencies and interactions within the code, which improves the model's ability to classify potential vulnerabilities. Furthermore, we generate the first vulnerability database built from compilable C/C++ open-source software lowered to LLVM-IR, together with an obfuscated version of it. Our extensive evaluation on several benchmark datasets, including real-world programs, shows that VulPatrol outperforms state-of-the-art baselines, improving the F1 measure by up to 12% for identifying vulnerable functions. Additionally, we evaluate VulPatrol on obfuscated code, where it remains superior despite string variation and dissimilarity from the original codebase.
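The abstract names two ingredients without showing them: an interprocedural code property graph over LLVM-IR, and message passing over that graph. The following is an added illustration, not VulPatrol's code or its dataset: it parses a small, hand-written (constructed) LLVM-IR fragment into nodes with control-flow, def-use and call edges, then runs a deliberately simple message-passing aggregation (opcode multisets instead of learned vectors) to show why the interprocedural edges matter. The IR fragment, the helper names (`build_cpg`, `message_passing`, `sees`) and the edge-kind names are all assumptions made for this example.

```python
"""Added illustration (not VulPatrol's code): a tiny interprocedural code
property graph (CPG) over constructed LLVM-IR plus toy message passing."""
import re
from collections import Counter, defaultdict

# Constructed, hand-simplified LLVM-IR: @main allocates a 16-byte stack
# buffer and passes a pointer to @copy, which forwards it to strcpy.
SAMPLE_IR = """
define void @copy(i8* %dst, i8* %src) {
entry:
  %0 = call i8* @strcpy(i8* %dst, i8* %src)
  ret void
}

define i32 @main(i8* %argv) {
entry:
  %buf = alloca [16 x i8]
  %p = getelementptr [16 x i8], [16 x i8]* %buf, i64 0, i64 0
  call void @copy(i8* %p, i8* %argv)
  ret i32 0
}
"""

DEF_RE = re.compile(r"^define \S+ @(\w+)\((.*)\) \{$")
INSTR_RE = re.compile(r"^(?:(%[\w.]+) = )?(\w+)(.*)$")
CALL_RE = re.compile(r"call \S+ @(\w+)")
VALUE_RE = re.compile(r"%[\w.]+")


def build_cpg(ir_text):
    """Return (nodes, edges). nodes: id -> {func, opcode, defines}.
    edges: set of (src, dst, kind) with kind in:
      cfg  - straight-line successor inside one function
      dfg  - SSA def-use: defining instruction -> using instruction
      call - call site -> callee entry, and argument def -> callee parameter
    """
    nodes, edges = {}, set()
    func, prev = None, None
    params, entry, last_def, calls = {}, {}, {}, []

    def add(opcode, defines):
        nid = len(nodes)
        nodes[nid] = {"func": func, "opcode": opcode, "defines": defines}
        if defines:
            last_def[(func, defines)] = nid
        return nid

    for raw in ir_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank line or block label
            continue
        m = DEF_RE.match(line)
        if m:
            func, prev = m.group(1), None
            # one pseudo-node per formal parameter so arguments can flow in
            params[func] = [add("param", p) for p in VALUE_RE.findall(m.group(2))]
            continue
        if line == "}":
            func = None
            continue
        dest, opcode, rest = INSTR_RE.match(line).groups()
        nid = add(opcode, dest)
        entry.setdefault(func, nid)
        if prev is not None:
            edges.add((prev, nid, "cfg"))
        prev = nid
        used = VALUE_RE.findall(rest)
        for v in used:                           # def-use edges within the function
            if (func, v) in last_def:
                edges.add((last_def[(func, v)], nid, "dfg"))
        c = CALL_RE.search(line)
        if c:
            calls.append((nid, func, c.group(1), used))

    # interprocedural edges, resolved once every function body is known
    for site, caller, callee, args in calls:
        if callee not in entry:                  # external callee (strcpy): no body
            continue
        edges.add((site, entry[callee], "call"))
        for arg, pnode in zip(args, params[callee]):
            if (caller, arg) in last_def:
                edges.add((last_def[(caller, arg)], pnode, "call"))
    return nodes, edges


def message_passing(nodes, edges, rounds=3, kinds=("cfg", "dfg", "call")):
    """Toy stand-in for an MPNN layer stack: a node's state is a Counter of
    opcodes, and each round it absorbs its predecessors' states over the
    selected edge kinds. Real models use learned vectors and weights; the
    point here is that information travels exactly one hop per round."""
    preds = defaultdict(set)
    for u, v, kind in edges:
        if kind in kinds:
            preds[v].add(u)
    state = {n: Counter({d["opcode"]: 1}) for n, d in nodes.items()}
    for _ in range(rounds):
        nxt = {}
        for v in nodes:
            agg = Counter(state[v])
            for u in preds[v]:
                agg.update(state[u])
            nxt[v] = agg
        state = nxt
    return state


def sees(ir_text, src_opcode, dst_func, dst_opcode, kinds, rounds=3):
    """Does the first `dst_opcode` instruction in @dst_func receive any signal
    originating at a `src_opcode` instruction within `rounds` hops?"""
    nodes, edges = build_cpg(ir_text)
    state = message_passing(nodes, edges, rounds, kinds)
    for n, d in nodes.items():
        if d["func"] == dst_func and d["opcode"] == dst_opcode:
            return state[n][src_opcode] > 0
    raise LookupError(f"no {dst_opcode} in @{dst_func}")


def edge_kinds(ir_text):
    return Counter(kind for _, _, kind in build_cpg(ir_text)[1])


# Renaming SSA values (a crude stand-in for obfuscation) leaves the graph
# unchanged: edges come from def-use and call relations, not from names.
RENAMED_IR = (SAMPLE_IR.replace("%dst", "%a").replace("%src", "%b")
              .replace("%buf", "%c").replace("%p", "%d"))

if __name__ == "__main__":
    print(dict(edge_kinds(SAMPLE_IR)))
    print("strcpy site sees alloca, intraprocedural edges only:",
          sees(SAMPLE_IR, "alloca", "copy", "call", ("cfg", "dfg")))
    print("strcpy site sees alloca, with call edges:",
          sees(SAMPLE_IR, "alloca", "copy", "call", ("cfg", "dfg", "call")))
```

With only `cfg` and `dfg` edges, the `strcpy` call site inside `@copy` never learns that its destination is a fixed-size stack allocation in `@main`, however many rounds are run; with the `call` edges it does after three hops (`alloca` to `getelementptr` to the `%dst` parameter to the call). The renamed copy of the IR yields identical edge counts, which is the structural reason an IR-level graph is less sensitive to identifier-level obfuscation than token-based models.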
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Publication country | Canada |
| Site | ACM |