1DRep: Automatic Repair for 1-day Vulnerabilities in Reused C/C++ IoT Open-source Software Components

Master Thesis (2024)
Author(s)

W. Cai (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

Arie Deursen – Mentor (TU Delft - Software Engineering)

Alexios Voulimeneas – Graduation committee member (TU Delft - Cyber Security)

Siqi Ma – Mentor (UNSW Canberra)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2024
Language
English
Graduation Date
05-11-2024
Awarding Institution
Delft University of Technology
Programme
Computer Science
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

The rapid proliferation of the Internet of Things (IoT) has introduced significant security challenges, primarily due to the widespread reuse of open-source software (OSS) components. This practice leaves IoT projects particularly vulnerable to 1-day vulnerabilities, especially when developers customize the reused OSS code, rendering template patches inapplicable.

In this thesis, we propose 1DRep, a repair tool designed to automatically detect and repair 1-day vulnerabilities in reused C/C++ IoT OSS components. First, 1DRep integrates with the vulnerability detection tool V1SCAN to identify vulnerable code snippets in target programs. It then employs a large language model (LLM), GPT-4o, to generate and apply tailored fixes, addressing both exactly reused and modified vulnerable code without altering developer-customized functionality.

Our evaluation demonstrates that 1DRep effectively repaired 39 out of 40 CVEs (97.5%) in 11 target vulnerable IoT projects, including 14 out of 15 modified CVEs (93.3%), and effectively fixed 81 out of 90 artificially created vulnerable reuses (90%). We constructed an IoT-specific dataset containing 1,020 C/C++ libraries, which supplements an existing dataset, Centris, to enhance the detection of OSS components commonly reused in IoT projects. Additionally, we provided security reports containing customized patches for the modified CVEs by creating GitHub issues or pull requests in the affected projects.

The results indicate that 1DRep is a promising tool for automatically repairing 1-day vulnerabilities in IoT projects, particularly in scenarios where developers' customized reuses make traditional patching techniques ineffective.

Lastly, despite the promising outcomes, limitations such as reliance on the precision of the detection model and challenges with complex vulnerabilities highlight areas for future research. Enhancing the detection mechanisms, expanding the CVE dataset, and refining repair strategies are critical steps toward improving the tool's effectiveness.
