Shiyu Sun and Yunlong Xing, George Mason University; Xinda Wang, University of Texas at Dallas; Shu Wang, Palo Alto Networks, Inc.; Qi Li, Tsinghua University; Kun Sun, George Mason University
Security patches are crucial for preserving the integrity, confidentiality, and availability of computing resources. However, their deployment can be significantly postponed when intertwined with non-security patches. Existing code change decomposition methods are primarily designed for code review, focusing on connecting related parts. However, they often include irrelevant statements in a bloated security patch, complicating security patch detection, verification, and deployment. In this paper, we develop a patch decomposition system named DISPATCH for unraveling individual security patches from entangled code changes. We first introduce a graph representation named PatchGraph to capture the fine-grained code modifications by retaining changed syntax and dependency. Next, we perform a two-stage patch dependency analysis to group the changed statements addressing the same vulnerability into individual security patches. The first stage focuses on the statement level, where boundaries are defined to exclude unrelated statements. The second stage analyzes the unvisited dependencies, ensuring the patch's applicability by maintaining syntactic correctness and function completeness. In the evaluation across four popular software repositories (i.e., OpenSSL, Linux Kernel, ImageMagick, and Nginx), DISPATCH can unravel individual security patches from entangled ones with over 91.9% recall, outperforming existing methods by at least 20% in accuracy.
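A toy illustration of the decomposition idea, added here and not code from the paper or the DISPATCH system: changed statements of a constructed entangled hunk are clustered into separate patches by shared identifiers (a crude stand-in for the dependency edges a PatchGraph would carry) plus one syntactic rule that keeps the body of a changed `if` with its condition. The diff, the regex-based identifier extraction and the keyword list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample hunk: a security fix (bounds check) entangled with an
# unrelated log-message change in the same commit.
ENTANGLED_DIFF = """\
@@ -1,6 +1,8 @@
 int read_record(char *buf, size_t len, size_t off) {
-    log_msg("reading record");
+    log_msg("read_record: start");
+    if (off >= len)
+        return -1;
     buf[off] = 0;
     return 0;
 }
"""

IDENT = re.compile(r"[A-Za-z_]\w*")
KEYWORDS = {"if", "else", "return", "int", "char", "size_t"}  # assumed subset

def changed_statements(diff):
    """Added/removed lines of a unified diff, without the +/- marker."""
    return [line[1:].strip() for line in diff.splitlines()
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]

def identifiers(stmt):
    """Identifiers a statement reads or writes; string literals are ignored."""
    code = re.sub(r'"[^"]*"', '""', stmt)
    return {t for t in IDENT.findall(code) if t not in KEYWORDS}

def decompose(diff):
    """Cluster changed statements into patches with union-find. Two statements
    join the same patch when they share an identifier (a data dependency), or
    when a statement has no identifiers at all, e.g. `return -1;` as the body
    of a changed `if`, which stays with the statement before it (syntax)."""
    stmts = changed_statements(diff)
    parent = list(range(len(stmts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, s in enumerate(stmts):
        ids = identifiers(s)
        if not ids and i > 0:
            parent[find(i)] = find(i - 1)
        for j in range(i + 1, len(stmts)):
            if ids & identifiers(stmts[j]):
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, s in enumerate(stmts):
        groups[find(i)].append(s)   # insertion order follows first member
    return list(groups.values())
```

Running `decompose(ENTANGLED_DIFF)` yields two groups: the log-message change and the bounds check with its `return`, so the security part can be reviewed and shipped on its own.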