Software vulnerabilities are a major cyber threat, and detecting them is important. One important approach is to apply deep learning to a program function treated as a whole; tools that do so are known as function-level vulnerability detectors. However, the limitations of this approach are not understood. In this paper, we investigate its limitations in detecting one class of vulnerabilities known as inter-procedural vulnerabilities, where the to-be-patched statements and the vulnerability-triggering statements belong to different functions. For this purpose, we create the first Inter-Procedural Vulnerability Dataset (InterPVD) based on C/C++ open-source software, and we propose a tool dubbed VulTrigger for identifying vulnerability-triggering statements across functions. Experimental results show that VulTrigger can effectively identify vulnerability-triggering statements and inter-procedural vulnerabilities. Our findings include: (i) inter-procedural vulnerabilities are prevalent, with an average of 2.8 inter-procedural layers; and (ii) function-level vulnerability detectors are much less effective in detecting the to-be-patched functions of inter-procedural vulnerabilities than in detecting the to-be-patched functions of intra-procedural vulnerabilities.
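The definition of an inter-procedural vulnerability given above, as an added C example that is not taken from the paper or from InterPVD: the bounds check that a patch adds sits in one function while the `memcpy` it protects sits two calls away. All function names, `BUF_LEN` and the inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16 /* constructed buffer size */

/* Innermost callee: holds the vulnerability-triggering statement. */
static void copy_field(char *dst, const char *src, size_t n)
{
    memcpy(dst, src, n); /* trigger: writes n bytes, trusting the caller */
}

/* Intermediate callee: forwards the length unchanged. */
static void store_record(char *dst, const char *src, size_t n)
{
    copy_field(dst, src, n);
}

/* Before the fix: the to-be-patched function. Seen alone, it contains
 * no unsafe operation, only a call. */
int handle_input_vuln(char out[BUF_LEN], const char *in, size_t n)
{
    store_record(out, in, n); /* n is never compared with BUF_LEN */
    return 0;
}

/* After the fix: the added check is the to-be-patched statement, and it
 * sits two calls away from the memcpy it protects. */
int handle_input_fixed(char out[BUF_LEN], const char *in, size_t n)
{
    if (n > BUF_LEN)
        return -1; /* reject before the length reaches copy_field */
    store_record(out, in, n);
    return 0;
}

int main(void)
{
    char out[BUF_LEN] = {0};
    char big[32]; /* constructed oversized input */
    memset(big, 'A', sizeof big);
    printf("fixed, n=32: %d\n", handle_input_fixed(out, big, sizeof big));
    printf("fixed, n=5:  %d\n", handle_input_fixed(out, "hello", 5));
    printf("vuln,  n=5:  %d\n", handle_input_vuln(out, "hello", 5)); /* in-bounds call only */
    return 0;
}
```

A detector that is shown only `handle_input_vuln` sees a function whose body differs from the fixed one by a single comparison and contains no memory operation at all, which is the situation the abstract's second finding concerns.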