Document Open Access Logo

Detecting Functionality-Specific Vulnerabilities via Retrieving Individual Functionality-Equivalent APIs in Open-Source Repositories

Authors Tianyu Chen , Zeyu Wang, Lin Li , Ding Li , Zongyang Li , Xiaoning Chang, Pan Bian , Guangtai Liang , Qianxiang Wang , Tao Xie

PDF

File

Thumbnail PDF
PDF
LIPIcs.ECOOP.2025.6.pdf
  • Filesize: 1.12 MB
  • 27 pages

Document Identifiers

Subject Classification

ACM Subject Classification
  • Security and privacy → Software security engineering
Keywords
  • Application Security
  • Vulnerability Detection
  • Large Language Model

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads
    0
    Metadata Views

Abstract

Functionality-specific vulnerabilities, which mainly occur in Application Programming Interfaces (APIs) with specific functionalities, are crucial for software developers to detect and avoid. When detecting individual functionality-specific vulnerabilities, the existing two categories of approaches are ineffective because they consider only the API bodies and are unable to handle diverse implementations of functionality-equivalent APIs. To effectively detect functionality-specific vulnerabilities, we propose APISS, the first approach to utilize API doc strings and signatures instead of API bodies. APISS first retrieves functionality-equivalent APIs for APIs with existing vulnerabilities and then migrates Proof-of-Concepts (PoCs) of the existing vulnerabilities for newly detected vulnerable APIs. To retrieve functionality-equivalent APIs, we leverage a Large Language Model for API embedding to improve the accuracy and address the effectiveness and scalability issues suffered by the existing approaches. To migrate PoCs of the existing vulnerabilities for newly detected vulnerable APIs, we design a semi-automatic schema to substantially reduce manual costs. We conduct a comprehensive evaluation to empirically compare APISS with four state-of-the-art approaches of detecting vulnerabilities and two state-of-the-art approaches of retrieving functionality-equivalent APIs. The evaluation subjects include 180 widely used Java repositories using 10 existing vulnerabilities, along with their PoCs. The results show that APISS effectively retrieves functionality-equivalent APIs, achieving a Top-1 Accuracy of 0.81 while the best of the baselines under comparison achieves only 0.55. APISS is highly efficient: the manual costs are within 10 minutes per vulnerability and the end-to-end runtime overhead of testing one candidate API is less than 2 hours. APISS detects 179 new vulnerabilities and receives 60 new CVE IDs, bringing high value to security practice.

Cite As Get BibTex

Tianyu Chen, Zeyu Wang, Lin Li, Ding Li, Zongyang Li, Xiaoning Chang, Pan Bian, Guangtai Liang, Qianxiang Wang, and Tao Xie. Detecting Functionality-Specific Vulnerabilities via Retrieving Individual Functionality-Equivalent APIs in Open-Source Repositories. In 39th European Conference on Object-Oriented Programming (ECOOP 2025). Leibniz International Proceedings in Informatics (LIPIcs), Volume 333, pp. 6:1-6:27, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2025) https://doi.org/10.4230/LIPIcs.ECOOP.2025.6

Author Details

Tianyu Chen
  • Peking University, Beijing, China
Zeyu Wang
  • Huawei Cloud Computing Technologies Co., Ltd., Guiyang, China
Lin Li
  • Huawei Cloud Computing Technologies Co., Ltd., Guiyang, China
Ding Li
  • Peking University, Beijing, China
Zongyang Li
  • Peking University, Beijing, China
Xiaoning Chang
  • Huawei Cloud Computing Technologies Co., Ltd., Guiyang, China
Pan Bian
  • Huawei Cloud Computing Technologies Co., Ltd., Guiyang, China
Guangtai Liang
  • Huawei Cloud Computing Technologies Co., Ltd., Guiyang, China
Qianxiang Wang
  • Huawei Cloud Computing Technologies Co., Ltd., Guiyang, China
Tao Xie
  • Peking University, Beijing, China

Funding

This work was partially supported by National Natural Science Foundation of China under Grant No. 92464301. Tao Xie is also affiliated with the School of Computer Science, Peking University; Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education, Beijing, China.

References

  1. ChatGPT, 2023. URL: https://openai.com/chatgpt.
  2. Maya Almaraz, Michelle Y Wong, and Wendy H Yang. Looking back to look ahead: a vision for soil denitrification research. Ecology, 101(1):e02917, 2020. Google Scholar
  3. Liat Antwarg, Ronnie Mindlin Miller, Bracha Shapira, and Lior Rokach. Explaining anomalies detected by autoencoders using shapley additive explanations. Expert Systems with Applications, 186:115736, 2021. URL: https://doi.org/10.1016/J.ESWA.2021.115736.
  4. Vaggelis Atlidakis, Patrice Godefroid, and Marina Polishchuk. Restler: stateful REST API fuzzing. In Proceedings of the 41st International Conference on Software Engineering, pages 748-758, 2019. URL: https://doi.org/10.1109/ICSE.2019.00083.
  5. Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury. Directed greybox fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2329-2344, 2017. URL: https://doi.org/10.1145/3133956.3134020.
  6. Nghi DQ Bui, Yijun Yu, and Lingxiao Jiang. SAR: learning cross-language API mappings with little knowledge. In Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 796-806, 2019. Google Scholar
  7. Sicong Cao, Xiaobing Sun, Xiaoxue Wu, David Lo, Lili Bo, Bin Li, and Wei Liu. Coca: improving and explaining graph neural network-based vulnerability detection systems. arXiv preprint arXiv:2401.14886, 2024. URL: https://doi.org/10.48550/arXiv.2401.14886.
  8. Saikat Chakraborty, Rahul Krishna, Yangruibo Ding, and Baishakhi Ray. Deep learning based vulnerability detection: Are we there yet? IEEE Transactions on Software Engineering, 48(9):3280-3296, 2022. URL: https://doi.org/10.1109/TSE.2021.3087402.
  9. Junjie Chen, Hongxu Hou, Jing Gao, Yatu Ji, and Tiangang Bai. RGCN: recurrent graph convolutional networks for target-dependent sentiment analysis. In Proceedings of International Conference on Knowledge Science, Engineering and Management, pages 667-675, 2019. URL: https://doi.org/10.1007/978-3-030-29551-6_59.
  10. Tianyu Chen, Lin Li, Taotao Qian, Zeyu Wang, Guangtai Liang, Ding Li, Qianxiang Wang, and Tao Xie. Identifying vulnerability patches by comprehending code commits with comprehensive change contexts. arXiv preprint arXiv:2310.02530, 2023. URL: https://doi.org/10.48550/arXiv.2310.02530.
  11. Lei Cui, Jiancong Cui, Yuede Ji, Zhiyu Hao, Lun Li, and Zhenquan Ding. API2Vec: learning representations of API sequences for malware detection. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 261-273, 2023. URL: https://doi.org/10.1145/3597926.3598054.
  12. HWJ Debeye and P Van Riel. Lp-norm deconvolution. Geophysical Prospecting, 38(4):381-403, 1990. Google Scholar
  13. Yinlin Deng, Chenyuan Yang, Anjiang Wei, and Lingming Zhang. Fuzzing deep-learning libraries via automated relational API inference. In Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 44-56, 2022. URL: https://doi.org/10.1145/3540250.3549085.
  14. Yunfan Gao, Yun Xiong, Xinyu Gao, Kangxiang Jia, Jinliu Pan, Yuxi Bi, Yi Dai, Jiawei Sun, and Haofen Wang. Retrieval-augmented generation for large language models: a survey. arXiv preprint arXiv:2312.10997, 2023. Google Scholar
  15. Patrice Godefroid, Bo-Yuan Huang, and Marina Polishchuk. Intelligent REST API data fuzzing. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 725-736, 2020. URL: https://doi.org/10.1145/3368089.3409719.
  16. Harrison Green and Thanassis Avgerinos. Graphfuzz: Library api fuzzing with lifetime-aware dataflow graphs. In Proceedings of the 44th International Conference on Software Engineering, pages 1070-1081, 2022. URL: https://doi.org/10.1145/3510003.3510228.
  17. Hazim Hanif and Sergio Maffeis. Vulberta: simplified source code pre-training for vulnerability detection. In Proceedings of 2022 International Joint Conference on Neural Networks, pages 1-8, 2022. URL: https://doi.org/10.1109/IJCNN55064.2022.9892280.
  18. Java2CSharp. https://github.com/codejuicer/java2csharp, 2017. Google Scholar
  19. Jianfeng Jiang, Hui Xu, and Yangfan Zhou. RULF: Rust library fuzzing via API dependency graph traversal. In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering, pages 581-592, 2021. URL: https://doi.org/10.1109/ASE51524.2021.9678813.
  20. Zhi Jing, Yongye Su, Yikun Han, Bo Yuan, Chunjiang Liu, Haiyun Xu, and Kehai Chen. When large language models meet vector databases: a survey. arXiv preprint arXiv:2402.01763, 2024. Google Scholar
  21. Thomas N Kipf and Max Welling. Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907, 2016. URL: https://arxiv.org/abs/1609.02907.
  22. Yi Li, Shaohua Wang, and Tien N Nguyen. Vulnerability detection with fine-grained interpretations. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 292-303, 2021. URL: https://doi.org/10.1145/3468264.3468597.
  23. Yujia Li, Daniel Tarlow, Marc Brockschmidt, and Richard Zemel. Gated graph sequence neural networks. arXiv preprint arXiv:1511.05493, 2015. Google Scholar
  24. Zhenqin Li and Harold A Scheraga. Monte carlo-minimization approach to the multiple-minima problem in protein folding. Proceedings of the National Academy of Sciences, 84(19):6611-6615, 1987. Google Scholar
  25. Hongliang Liang, Xiaoxiao Pei, Xiaodong Jia, Wuwei Shen, and Jian Zhang. Fuzzing: State of the art. IEEE Transactions on Reliability, 67(3):1199-1218, 2018. URL: https://doi.org/10.1109/TR.2018.2834476.
  26. Miaoqian Lin, Kai Chen, and Yang Xiao. Detecting API post-handling bugs using code and description in patches. In Proceedings of the 32nd USENIX Security Symposium, pages 3709-3726, 2023. URL: https://www.usenix.org/conference/usenixsecurity23/presentation/lin.
  27. Xiong Luo, Xiaohui Chang, and Xiaojuan Ban. Regression and classification using extreme learning machine based on l1-norm and l2-norm. Neurocomputing, 174:179-186, 2016. URL: https://doi.org/10.1016/J.NEUCOM.2015.03.112.
  28. Riyadh Mahmood, Jay Pennington, Danny Tsang, Tan Tran, and Andrea Bogle. A framework for automated API fuzzing at enterprise scale. In Proceedings of 2022 IEEE Conference on Software Testing, Verification and Validation, pages 377-388, 2022. URL: https://doi.org/10.1109/ICST53961.2022.00018.
  29. Trong Duc Nguyen, Anh Tuan Nguyen, Hung Dang Phan, and Tien N Nguyen. Exploring API embedding for API usages and applications. In Proceedings of the 39th International Conference on Software Engineering, pages 438-449, 2017. URL: https://doi.org/10.1109/ICSE.2017.47.
  30. Truong Giang Nguyen, Thanh Le-Cong, Hong Jin Kang, Ratnadira Widyasari, Chengran Yang, Zhipeng Zhao, Bowen Xu, Jiayuan Zhou, Xin Xia, Ahmed E. Hassan, Xuan-Bach D. Le, and David Lo. Multi-granularity detector for vulnerability fixes. IEEE Transactions on Software Engineering, 49(8):4035-4057, 2023. URL: https://doi.org/10.1109/TSE.2023.3281275.
  31. Van-Anh Nguyen, Dai Quoc Nguyen, Van Nguyen, Trung Le, Quan Hung Tran, and Dinh Phung. Regvd: Revisiting graph neural networks for vulnerability detection. In Proceedings of the ACM/IEEE 44th International Conference on Software Engineering: Companion Proceedings, pages 178-182, 2022. URL: https://doi.org/10.1145/3510454.3516865.
  32. Yasunobu Nohara, Koutarou Matsumoto, Hidehisa Soejima, and Naoki Nakashima. Explanation of machine learning models using shapley additive explanation and application for real data in hospital. Computer Methods and Programs in Biomedicine, 214:106584, 2022. URL: https://doi.org/10.1016/J.CMPB.2021.106584.
  33. Gustavo G Rondina and Juarez LF Da Silva. Revised basin-hopping monte carlo algorithm for structure optimization of clusters and nanoparticles. Journal of Chemical Information and Modeling, 53(9):2282-2298, 2013. URL: https://doi.org/10.1021/CI400224Z.
  34. Baptiste Roziere, Jonas Gehring, Fabian Gloeckle, Sten Sootla, Itai Gat, Xiaoqing Ellen Tan, Yossi Adi, Jingyu Liu, Tal Remez, Jérémy Rapin, et al. CodeLlama: open foundation models for code. arXiv preprint arXiv:2308.12950, 2023. Google Scholar
  35. Karen Scarfone and Peter Mell. An analysis of CVSS version 2 vulnerability scoring. In Proceedings of the 3rd International Symposium on Empirical Software Engineering and Measurement, pages 516-525, 2009. URL: https://doi.org/10.1109/ESEM.2009.5314220.
  36. Youkun Shi, Yuan Zhang, Tianhao Bai, Lei Zhang, Xin Tan, and Min Yang. RecurScan: detecting recurring vulnerabilities in PHP web applications. In Proceedings of the ACM Web Conference 2024, pages 1746-1755, 2024. URL: https://doi.org/10.1145/3589334.3645530.
  37. Benjamin Steenhoek, Hongyang Gao, and Wei Le. Dataflow analysis-inspired deep learning for efficient vulnerability detection. In Proceedings of the 46th IEEE/ACM International Conference on Software Engineering, pages 1-13, 2024. URL: https://doi.org/10.1145/3597503.3623345.
  38. Huanting Wang, Guixin Ye, Zhanyong Tang, Shin Hwei Tan, Songfang Huang, Dingyi Fang, Yansong Feng, Lizhong Bian, and Zheng Wang. Combining graph-based learning with automated data collection for code vulnerability detection. IEEE Transactions on Information Forensics and Security, 16:1943-1958, 2020. URL: https://doi.org/10.1109/TIFS.2020.3044773.
  39. Wenbo Wang, Tien N Nguyen, Shaohua Wang, Yi Li, Jiyuan Zhang, and Aashish Yadavally. DeepVD: toward class-separation features for neural network vulnerability detection. In Proceedings of the 45th International Conference on Software Engineering, pages 2249-2261, 2023. URL: https://doi.org/10.1109/ICSE48619.2023.00189.
  40. Ying Wang, Bihuan Chen, Kaifeng Huang, Bowen Shi, Congying Xu, Xin Peng, Yijian Wu, and Yang Liu. An empirical study of usages, updates and risks of third-party libraries in Java projects. In Proceedings of 2020 IEEE International Conference on Software Maintenance and Evolution, pages 35-45, 2020. URL: https://doi.org/10.1109/ICSME46990.2020.00014.
  41. Xin-Cheng Wen, Yupan Chen, Cuiyun Gao, Hongyu Zhang, Jie M Zhang, and Qing Liao. Vulnerability detection with graph simplification and enhanced graph representation learning. arXiv preprint arXiv:2302.04675, 2023. URL: https://doi.org/10.48550/arXiv.2302.04675.
  42. Xin-Cheng Wen, Xinchen Wang, Cuiyun Gao, Shaohua Wang, Yang Liu, and Zhaoquan Gu. When less is enough: Positive and unlabeled learning model for vulnerability detection. In Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering, pages 345-357, 2023. URL: https://doi.org/10.1109/ASE56229.2023.00144.
  43. Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, Wei Zou, et al. MVP: detecting vulnerabilities using patch-enhanced vulnerability signatures. In Proceedings of the 29th USENIX Security Symposium, pages 1165-1182, 2020. Google Scholar
  44. Danning Xie, Yitong Li, Mijung Kim, Hung Viet Pham, Lin Tan, Xiangyu Zhang, and Michael W Godfrey. Docter: documentation-guided fuzzing for testing deep learning API functions. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 176-188, 2022. URL: https://doi.org/10.1145/3533767.3534220.
  45. Shengzhe Xu, Ziqi Dong, and Na Meng. Meditor: inference and application of API migration edits. In Proceedings of 2019 IEEE/ACM 27th International Conference on Program Comprehension, pages 335-346, 2019. URL: https://doi.org/10.1109/ICPC.2019.00052.
  46. Chen Yang, Junjie Chen, Bin Lin, Jianyi Zhou, and Ziqi Wang. Enhancing LLM-based test generation for hard-to-cover branches via program analysis. arXiv preprint arXiv:2404.04966, 2024. URL: https://doi.org/10.48550/arXiv.2404.04966.
  47. Zejun Zhang, Minxue Pan, Tian Zhang, Xinyu Zhou, and Xuandong Li. Deep-diving into documentation to develop improved Java-to-Swift API mapping. In Proceedings of the 28th International Conference on Program Comprehension, pages 106-116, 2020. URL: https://doi.org/10.1145/3387904.3389282.
  48. Yafan Zhao, Xin Chen, and Jun Li. Tgmin: A global-minimum structure search program based on a constrained basin-hopping algorithm. Nano Research, 10:3407-3420, 2017. Google Scholar
  49. Weining Zheng, Yuan Jiang, and Xiaohong Su. Vu1SPG: vulnerability detection based on slice property graph representation learning. In Proceedings of 2021 IEEE 32nd International Symposium on Software Reliability Engineering, pages 457-467, 2021. URL: https://doi.org/10.1109/ISSRE52982.2021.00054.
  50. Hao Zhong, Suresh Thummalapenta, Tao Xie, Lu Zhang, and Qing Wang. Mining API mapping for language migration. In Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering-Volume 1, pages 195-204, 2010. URL: https://doi.org/10.1145/1806799.1806831.
  51. Jiayuan Zhou, Michael Pacheco, Zhiyuan Wan, Xin Xia, David Lo, Yuan Wang, and Ahmed E Hassan. Finding a needle in a haystack: automated mining of silent vulnerability fixes. In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering, pages 705-716, 2021. URL: https://doi.org/10.1109/ASE51524.2021.9678720.
  52. Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. Devign: effective vulnerability identification by learning comprehensive program semantics via graph neural networks. Advances in Neural Information Processing Systems, 32, 2019. Google Scholar
  53. Xiaogang Zhu, Sheng Wen, Seyit Camtepe, and Yang Xiang. Fuzzing: a survey for roadmap. ACM Computing Surveys, 54(11s):1-36, 2022. URL: https://doi.org/10.1145/3512345.
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact