PTFix: Rule-Based and LLM Techniques for Java Path Traversal Vulnerability


Research area: Infrastructure



Conference: International Conference on Data Security and Privacy Protection


Abstract

Path traversal is a significant security flaw that lets an attacker manipulate user-controlled input to reach files outside the directory a web application intends to expose. Exploiting it can give unauthorized access to sensitive files and directories, with consequences ranging from information disclosure to data manipulation and full system compromise. Despite its high likelihood of exploitation (it ranked eighth in the 2023 CWE Top 25 Most Dangerous Software Weaknesses), automated repair methods for this vulnerability, particularly in Java, remain underdeveloped. This paper introduces PTFix, a methodology that combines rule-based and LLM techniques for repairing Java path traversal vulnerabilities. PTFix has two stages: 1) analyze and patch Java path traversal vulnerabilities that match pre-defined rules; 2) hand the Java code that matches no rule to an LLM for patching. A comparative study was conducted using four large language models: Meta Llama2 7B, Codellama Instruct 34B, Claude3, and ChatGPT-4. Meta Llama2 7B and Codellama Instruct 34B failed to correctly fix any of the examples, Claude3 repaired two, and ChatGPT-4 performed best with four correct repairs. These findings highlight the potential of combining static rule-based methods with LLMs to improve the automated repair of path traversal vulnerabilities in Java applications.
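The abstract describes the weakness PTFix targets but does not show it. The following Java is an added illustration, not code from the paper or from PTFix: it places the unchecked pattern next to a hardened resolver of the kind a rule-based fix would emit (canonicalize, then require the result to stay under the allowed directory). The base directory `/var/app/uploads`, the method names, and the sample inputs are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class PathTraversalDemo {
    // Assumed base directory (example value); user-supplied names must stay inside it.
    // On Windows this string is drive-relative; use an absolute path for the platform.
    private static final Path BASE_DIR = Paths.get("/var/app/uploads");

    // Vulnerable pattern (CWE-22): the user-controlled name is joined to the base
    // directory with no check, so "../../etc/passwd" or "/etc/passwd" escapes it.
    static Path resolveUnsafe(String userInput) {
        return BASE_DIR.resolve(userInput);
    }

    // Hardened pattern: reject NUL bytes, collapse "." and ".." lexically, then
    // require the result to be a descendant of BASE_DIR. Path.startsWith compares
    // whole name components, so "/var/app/uploads2/x" is NOT accepted as a child
    // of "/var/app/uploads" (a plain String.startsWith check would accept it).
    static Path resolveSafe(String userInput) {
        if (userInput == null || userInput.isEmpty() || userInput.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }
        Path requested = BASE_DIR.resolve(userInput).normalize();
        if (!requested.startsWith(BASE_DIR) || requested.equals(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory: " + userInput);
        }
        return requested;
    }

    // normalize() is purely lexical. When the file must exist, also resolve
    // symbolic links so a link planted inside BASE_DIR cannot point outside it.
    // Requires BASE_DIR to exist on disk (toRealPath throws otherwise).
    static byte[] readSafe(String userInput) throws IOException {
        Path real = resolveSafe(userInput).toRealPath();
        if (!real.startsWith(BASE_DIR.toRealPath())) {
            throw new IllegalArgumentException("symlink escapes base directory: " + userInput);
        }
        return Files.readAllBytes(real);
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign name and several traversal attempts.
        List<String> inputs = List.of(
                "report.pdf",
                "../../etc/passwd",
                "/etc/passwd",
                "sub/./notes.txt",
                "sub/../../escape.txt",
                "../uploads2/other.txt");
        for (String in : inputs) {
            System.out.printf("%-24s unsafe -> %s%n", in, resolveUnsafe(in).normalize());
            try {
                System.out.printf("%-24s safe   -> %s%n", "", resolveSafe(in));
            } catch (IllegalArgumentException e) {
                System.out.printf("%-24s safe   -> rejected (%s)%n", "", e.getMessage());
            }
        }
    }
}
```

Running `main` shows the unsafe resolver happily yielding `/etc/passwd` and `/var/app/uploads2/other.txt`, while `resolveSafe` accepts only `report.pdf` and `sub/notes.txt`. The check is placed on the `Path` object rather than on the input string because blocklisting `..` misses encodings and absolute paths; the contract "result is a descendant of the allowed root" is the property any rule-based or LLM-generated patch for this class of bug should establish.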


Authors

Xiaowei Zhang, Swinburne University of Technology, Melbourne, Australia
Shigang Liu, CSIRO's Data61, Sydney, Australia
Jun Zhang, Swinburne University of Technology, Melbourne, Australia

📄 Paper information

Publication year: 2024
Citations: 0
Country of publication: Australia
Site: Springer
