Software vulnerabilities are a major cyber threat and it is important to detect them. One important approach to detecting vulnerabilities is to apply deep learning to a program function treated as a whole; tools that do so are known as function-level vulnerability detectors. However, the limitation of this approach is not understood. In this paper, we investigate its limitation in detecting one class of vulnerabilities known as inter-procedural vulnerabilities, where the to-be-patched statements and the vulnerability-triggering statements belong to different functions. For this purpose, we create the first Inter-Procedural Vulnerability Dataset (InterPVD) based on C/C++ open-source software, and we propose a tool dubbed VulTrigger for identifying vulnerability-triggering statements across functions. Experimental results show that VulTrigger can effectively identify vulnerability-triggering statements and inter-procedural vulnerabilities. Our findings include: (i) inter-procedural vulnerabilities are prevalent, with an average of 2.8 inter-procedural layers; and (ii) function-level vulnerability detectors are much less effective at detecting the to-be-patched functions of inter-procedural vulnerabilities than at detecting their counterparts for intra-procedural vulnerabilities.
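To make the definition concrete, here is a constructed C example (added here; it is not taken from the paper, InterPVD, or VulTrigger) in which the to-be-patched statement and the vulnerability-triggering statement sit in different functions, separated by a pass-through function. All names (`handle_request_*`, `fill_record`, `copy_name`, `NAME_CAP`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16                      /* hypothetical buffer size */

struct record { char name[NAME_CAP]; int id; };

/* Innermost callee: the vulnerability-triggering statement is here.
 * Viewed alone, the function gives no hint whether len is bounded. */
static void copy_name(struct record *r, const char *src, size_t len) {
    memcpy(r->name, src, len);           /* TRIGGER when len >= NAME_CAP */
    r->name[len] = '\0';
}

/* Middle layer: forwards len unchanged; neither patched nor triggering. */
static void fill_record(struct record *r, int id, const char *src, size_t len) {
    r->id = id;
    copy_name(r, src, len);
}

/* Entry point before the fix: caller-controlled len is forwarded unchecked.
 * Viewed alone, this function contains no unsafe memory operation. */
int handle_request_vulnerable(struct record *out, const char *field, size_t len) {
    fill_record(out, 1, field, len);
    return 0;
}

/* Entry point after the fix: the to-be-patched statement is the missing
 * bounds check, added here rather than next to the memcpy. */
int handle_request_patched(struct record *out, const char *field, size_t len) {
    if (len >= NAME_CAP)                 /* PATCH: reject before the call chain */
        return -1;
    fill_record(out, 1, field, len);
    return 0;
}

int main(void) {
    struct record r = {{0}, 0};
    char oversized[64];                  /* constructed sample input */
    memset(oversized, 'A', sizeof oversized);
    printf("patched, 64 bytes: %d\n",
           handle_request_patched(&r, oversized, sizeof oversized));
    printf("patched, 5 bytes:  %d (%s)\n",
           handle_request_patched(&r, "alice", 5), r.name);
    return 0;
}
```

A model that scores `handle_request_vulnerable` or `copy_name` in isolation sees only half of the defect, which is the setting the abstract describes for function-level detectors.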