Cite this article:
- Chinese citation: Sun Tianqi, Chao Huina, Xiao Yang, Sun Qing, Shi Jingyi, Huo Wei. Evaluation of Open Source Software Vulnerability Fixing Patch Identification Techniques [J]. Journal of Cyber Security (信息安全学报), accepted.
- English citation: suntianqi, chaohuina, xiaoyang, sunqing, shijingyi, huowei. Evaluation of Open Source Software Vulnerability Fixing Patch Identification Techniques [J]. Journal of Cyber Security, accepted.
Abstract (translated from the Chinese):
The widespread use of open-source software has significantly improved software development efficiency, but it has also introduced complex supply chain security risks. Current vulnerability databases lag in recording vulnerabilities, and some vulnerabilities are silently fixed without public disclosure, leaving downstream software exposed to attackers. In recent years, researchers have proposed a series of techniques to address the difficulty of accurately identifying such patches, but the development of these techniques and their actual effectiveness have not been analyzed and evaluated. To address this problem, this paper presents the first systematic survey and large-scale empirical evaluation of research on identifying vulnerability-fixing patches in open-source software. Literature was collected through database searches and the "snowballing" method; 29 representative works were selected, the technical developments of the past decade were summarized, and a unified framework for vulnerability-fixing patch identification was proposed, covering three aspects: selection of input sources, design of feature representations, and model selection. In addition, this paper poses four core research questions and evaluates six representative identification tools as well as the application potential of ChatGPT in this field. For this purpose, a multilingual test dataset containing 35,955 patch samples was constructed, and tool performance was comprehensively evaluated along three dimensions: accuracy, generalizability, and efficiency. The experimental results show that existing tools generally exhibit high precision but low recall, and that large language models show promising application prospects; however, existing tools are inadequate at handling patches with long context and have limited ability to generalize to patches from other software. This study fills a gap in the field of vulnerability-fixing patch identification and provides a systematic reference and practical guidance for future research.
Keywords: open-source software; vulnerability fixing patch identification; literature survey; empirical study
DOI: |
Submission date: 2024-12-31; revision date: 2025-02-27
Funding: Software Supply Chain Security Project
Evaluation of Open Source Software Vulnerability Fixing Patch Identification Techniques
suntianqi, chaohuina, xiaoyang, sunqing, shijingyi, huowei
(Institute of Information Engineering)
Abstract:
While the widespread adoption of open-source software has significantly enhanced software development efficiency, it has also introduced complex supply chain security risks. Current vulnerability databases face delays in vulnerability inclusion, and some vulnerabilities are silently patched without public disclosure, leaving downstream software susceptible to exploitation. In recent years, researchers have proposed various techniques to address the challenge of accurate patch identification; however, the evolution and practical effectiveness of these techniques have not been systematically analyzed and evaluated. To address this gap, this paper presents the first systematic survey and large-scale empirical evaluation of vulnerability fixing patch identification in open-source software. Through database searches and the snowballing method, we identified 29 representative studies and traced the technical developments over the past decade. We propose a unified framework for vulnerability fixing patch identification, encompassing input source selection, feature representation design, and model selection. Furthermore, we formulated four core research questions and evaluated six representative identification tools along with ChatGPT's potential applications in this domain. For this evaluation, we constructed a multilingual test dataset containing 35,955 patch samples and comprehensively assessed tool performance across three dimensions: accuracy, generalizability, and efficiency. The experimental results reveal that existing tools generally exhibit high precision but low recall rates. While large language models demonstrate promising potential, current tools show limitations in processing patches with extended context and struggle with cross-software patch generalization. This study fills a crucial gap in vulnerability patch identification research and provides systematic references and practical guidance for future research endeavors.
Key words: open-source software; vulnerability fixing patch identification; literature review; empirical research