Litcius/Paper detail

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

Michael C. Fu, Chakkrit Tantithamthavorn, Trung Le, Yuki Kume, Van Nguyen, Dinh Phung, John Grundy

2023Empirical Software Engineering59 citationsDOIOpen Access PDF

Abstract

Abstract Many Machine Learning(ML)-based approaches have been proposed to automatically detect, localize, and repair software vulnerabilities. While ML-based methods are more effective than program analysis-based vulnerability analysis tools, few have been integrated into modern Integrated Development Environments (IDEs), hindering practical adoption. To bridge this critical gap, we propose in this article AIBugHunter , a novel Machine Learning-based software vulnerability analysis tool for C/C++ languages that is integrated into the Visual Studio Code (VS Code) IDE. AIBugHunter helps software developers to achieve real-time vulnerability detection, explanation, and repairs during programming. In particular, AIBugHunter scans through developers’ source code to (1) locate vulnerabilities, (2) identify vulnerability types, (3) estimate vulnerability severity, and (4) suggest vulnerability repairs. We integrate our previous works (i.e., LineVul and VulRepair) to achieve vulnerability localization and repairs. In this article, we propose a novel multi-objective optimization (MOO)-based vulnerability classification approach and a transformer-based estimation approach to help AIBugHunter accurately identify vulnerability types and estimate severity. Our empirical experiments on a large dataset consisting of 188K+ C/C++ functions confirm that our proposed approaches are more accurate than other state-of-the-art baseline methods for vulnerability classification and estimation. Furthermore, we conduct qualitative evaluations including a survey study and a user study to obtain software practitioners’ perceptions of our AIBugHunter tool and assess the impact that AIBugHunter may have on developers’ productivity in security aspects. Our survey study shows that our AIBugHunter is perceived as useful where 90% of the participants consider adopting our AIBugHunter during their software development. Last but not least, our user study shows that our AIBugHunter can enhance developers’ productivity in combating cybersecurity issues during software development. AIBugHunter is now publicly available in the Visual Studio Code marketplace.

Topics & Concepts

Vulnerability (computing)Computer scienceSecure codingSoftwareMachine learningArtificial intelligenceSoftware engineeringVulnerability assessmentCode smellSoftware security assuranceEmpirical researchSoftware developmentSoftware qualityComputer securityInformation securityProgramming languageEpistemologyPsychotherapistSecurity servicePhilosophyPsychological resiliencePsychologySoftware Engineering ResearchSoftware Reliability and Analysis ResearchAdvanced Malware Detection Techniques
AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities | Litcius