The frequent discovery of security vulnerabilities in both open-source and proprietary software underscores the urgent need for earlier detection during the development lifecycle. Initiatives such as DARPA's Artificial Intelligence Cyber Challenge (AIxCC) aim to accelerate Automated Vulnerability Detection (AVD), seeking to address this challenge by autonomously analyzing source code to identify vulnerabilities. This paper addresses two primary research questions: (RQ1) How is current AVD research distributed across its core components? (RQ2) What key areas should future research target to bridge the gap in the practical applicability of AVD throughout software development? To answer these questions, we conduct a systematization of 79 AVD articles and 17 empirical studies, analyzing them across five core components: task formulation and granularity, input programming languages and representations, detection approaches and key solutions, evaluation metrics and datasets, and reported performance. Our systematization reveals that the narrow focus of AVD research, mainly on specific tasks and programming languages, limits its practical impact and overlooks broader areas crucial for effective, real-world vulnerability detection. We identify significant challenges, including the need for diversified problem formulations, varied detection granularities, broader language support, better dataset quality, enhanced reproducibility, and increased practical impact. Based on these findings, we identify research directions that will enhance the effectiveness and applicability of AVD solutions in software security.