29 June 2021 – A research team from NUS Computing has won the Best Paper Award at the 16th ACM ASIA Conference on Computer and Communications Security (ACM AsiaCCS 2021), held online from 7 to 11 June 2021.
The team, consisting Professor Abhik Roychoudhury, Associate Professor Prateek Saxena, Senior Research Fellow Dong Zhen, and PhD students Shen Shiqi and Aashish Kolluri, won the award for their paper, titled ‘Localising Vulnerabilities Statistically From One Exploit’.
The paper describes a new approach for automatic vulnerability diagnosis, which can help analysts quickly identify and fix security vulnerabilities in software.
The team’s approach is based on statistical fault localisation, a method for localising faults in software that is commonly used in settings where extensive pre-existing test harnesses are available.
However, it is not commonly used in the case of software vulnerabilities where such test-suites are not available beforehand. This is often the case for most public vulnerability reports, which only contain just one exploit, or crash input.
Therefore, simply applying statistical fault localisation will not produce high-fidelity results on software vulnerabilities. Instead, it will often lead to ‘over-fitting’, which is when estimated scores will either be biased towards failing tests (exploits) or benign ones.
Ad-hoc or poorly chosen test-suites fail to distinguish between potential vulnerable locations, essentially assigning most of them the same score. The problem is magnified in large applications, where more than a thousand possible locations may be observed in a single test run.
To combat this problem, the team came up with a solution to synthesise a ‘concentrated’ test-suite that can accurately localise vulnerabilities in large programs.
The procedure is called concentrated fuzzing or ConcFuzz, a new variation of the technique known as directed fuzzing.
The team’s approach is implemented in a tool called VulnLoc, which can be used for localising different kinds of bugs directly in binaries, making it usable in software development and operational security processes.
According to the team, VulnLoc is highly accurate in localising vulnerabilities, and is scalable to be used in large applications.
Shen, the lead author of the paper, said: “We are very happy that our work, which provides a simple solution for a complicated problem that has been studied for a few decades, has been recognised by the community. The key insight behind our work can be simply extended to other applications, such as program repair and directed fuzzing.”