Third-party libraries are essential in software development because they spare developers from re-implementing existing functionality. However, vulnerabilities within these libraries pose significant risks to dependent projects. Upgrading a dependency to a secure version cannot neutralize a vulnerability for which no patch exists, and it is not feasible in projects with specific version requirements. Moreover, repairing the vulnerability is challenging when the source code of the library is inaccessible. Both state-of-the-art automatic vulnerability repair and automatic program repair methods fail to address this issue. Therefore, mitigating library vulnerabilities without source code or available patches is crucial for a swift response to potential security attacks. Existing tools encounter challenges concerning generalizability and functional security. In this study, we introduce LUMEN to mitigate library vulnerabilities in impacted projects. Once a vulnerability is disclosed, we retrieve existing workarounds to gather a resembling mitigation strategy. In cases where a resembling strategy is absent, we propose type-based strategies based on the vulnerability-reproducing behavior and extract essential information from the vulnerability report to guide mitigation generation. Our assessment of LUMEN spans 121 impacted functions of 40 vulnerabilities, successfully mitigating 70.2% of the functions, which substantially outperforms our baseline in neutralizing vulnerabilities without functionality loss. Additionally, we conduct an ablation study to validate the rationale behind our resembling strategies and type-based strategies.
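The abstract's central idea is that a library vulnerability can be neutralized inside the impacted project function, without touching the library's source, while keeping the function's normal behavior intact. The following is an added illustration of that idea in principle; it is not LUMEN's code nor any mitigation LUMEN generated, and it does not claim to show how LUMEN's resembling or type-based strategies work. The "library" function `lib_resolve`, the base directory, the reproducing input and the benign inputs are all constructed for this example. The two checks at the end mirror the two properties the abstract evaluates: the vulnerability no longer reproduces, and benign inputs behave as before.

```python
"""Project-side mitigation of an unpatchable third-party library flaw (added example)."""
import posixpath

BASE = "/srv/files"  # constructed base directory that the impacted project serves files from


def lib_resolve(base: str, user_path: str) -> str:
    """Constructed stand-in for a third-party helper whose source we cannot modify.

    It joins a base directory with a caller-supplied path and normalises the
    result, but never verifies that the result stays under ``base``, so '..'
    segments (or an absolute path) can resolve outside it.
    """
    return posixpath.normpath(posixpath.join(base, user_path))


def escapes_base(resolved: str, base: str) -> bool:
    """Guard derived from the reproducing behaviour: does the result leave ``base``?"""
    base_norm = posixpath.normpath(base)
    return not (resolved == base_norm or resolved.startswith(base_norm + "/"))


def read_user_file_unmitigated(user_path: str) -> str:
    """Impacted project function as it was: forwards the input straight to the library."""
    return lib_resolve(BASE, user_path)


class MitigationRejected(ValueError):
    """Raised when the project-side guard blocks a vulnerability-triggering input."""


def read_user_file_mitigated(user_path: str) -> str:
    """Impacted project function after mitigation: same library call, wrapped by a guard.

    The library itself is unchanged; the check lives entirely in the caller.
    """
    resolved = lib_resolve(BASE, user_path)
    if escapes_base(resolved, BASE):
        raise MitigationRejected(f"rejected path outside {BASE}: {user_path!r}")
    return resolved


# Constructed reproducing input, standing in for the PoC a vulnerability report would carry.
POC_INPUT = "../../etc/passwd"

# Constructed benign inputs that the project must keep handling exactly as before.
BENIGN_INPUTS = ["reports/q1.txt", "./readme.md", "a/b/../c.txt"]


def vulnerability_neutralized() -> bool:
    """True if the reproducing input escaped before mitigation and is rejected after it."""
    if not escapes_base(read_user_file_unmitigated(POC_INPUT), BASE):
        return False  # the PoC does not reproduce, so the guard proves nothing
    try:
        read_user_file_mitigated(POC_INPUT)
    except MitigationRejected:
        return True
    return False


def functionality_preserved(benign_inputs) -> bool:
    """True if every benign input yields the same result before and after mitigation."""
    for p in benign_inputs:
        try:
            if read_user_file_mitigated(p) != read_user_file_unmitigated(p):
                return False
        except MitigationRejected:
            return False
    return True


if __name__ == "__main__":
    print("vulnerability neutralized:", vulnerability_neutralized())
    print("functionality preserved:", functionality_preserved(BENIGN_INPUTS))
```

The guard is placed in the impacted function rather than in the library because that is the only code the project controls; the same shape (reject or normalise inputs that match the reproducing behaviour, leave everything else untouched) is what a workaround-style mitigation looks like regardless of which vulnerability type it targets.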