VulDeeLocator: A Deep Learning-Based Fine-Grained Vulnerability Detector

Automatically detecting software vulnerabilities is an important problem that has attracted much attention from the academic research community. However, existing vulnerability detectors still cannot achieve detection capability and locating precision would warrant their adoption for real-world use. In this paper, we present a detector can simultaneously high precision, dubbed Vulnerability Deep learning-based Locator (VulDeeLocator). course of designing VulDeeLocator, encounter difficulties including how to accommodate semantic relations between definitions types as well macros uses across files, accurate control flows variable define-use relations, precision. We solve these by using two innovative ideas: (i) leveraging intermediate code extra information, (ii) notion granularity refinement pin down locations vulnerabilities. When applied 200 files randomly selected three products, VulDeeLocator detects 18 confirmed (i.e., true-positives). Among them, 16 correspond known vulnerabilities; other are not reported in National Database (NVD) but have been "silently" patched vendor Libav when releasing newer versions.