AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

Many Machine Learning(ML)-based approaches have been proposed to automatically detect, localize, and repair software vulnerabilities. While ML-based methods are more effective than program analysis-based vulnerability analysis tools, few have been integrated into modern Integrated Development Enviro...

Full description

Saved in:
Bibliographic Details
Published in:Empirical software engineering : an international journal Vol. 29; no. 1; p. 4
Main Authors: Fu, Michael, Tantithamthavorn, Chakkrit, Le, Trung, Kume, Yuki, Nguyen, Van, Phung, Dinh, Grundy, John
Format: Journal Article
Language:English
Published: New York Springer US 01.02.2024
Springer Nature B.V
Subjects:
C++ (programming language)
Classification
Compilers
Computer Science
Cybersecurity
Empirical analysis
Interpreters
Machine learning
Mining Software Repositories (MSR)
Multiple objective analysis
Productivity
Programming environments
Programming Languages
Security aspects
Software development
Software Engineering/Programming and Operating Systems
Software reliability
Source code
Visual programming languages
Vulnerability
Vulnerability localization
Vulnerability repair
Vulnerability classification
Vulnerability prediction
ISSN:1382-3256, 1573-7616
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Many Machine Learning(ML)-based approaches have been proposed to automatically detect, localize, and repair software vulnerabilities. While ML-based methods are more effective than program analysis-based vulnerability analysis tools, few have been integrated into modern Integrated Development Environments (IDEs), hindering practical adoption. To bridge this critical gap, we propose in this article AIBugHunter , a novel Machine Learning-based software vulnerability analysis tool for C/C++ languages that is integrated into the Visual Studio Code (VS Code) IDE. AIBugHunter  helps software developers to achieve real-time vulnerability detection, explanation, and repairs during programming. In particular, AIBugHunter  scans through developers’ source code to (1) locate vulnerabilities, (2) identify vulnerability types, (3) estimate vulnerability severity, and (4) suggest vulnerability repairs. We integrate our previous works (i.e., LineVul and VulRepair) to achieve vulnerability localization and repairs. In this article, we propose a novel multi-objective optimization (MOO)-based vulnerability classification approach and a transformer-based estimation approach to help AIBugHunter  accurately identify vulnerability types and estimate severity. Our empirical experiments on a large dataset consisting of 188K+ C/C++ functions confirm that our proposed approaches are more accurate than other state-of-the-art baseline methods for vulnerability classification and estimation. Furthermore, we conduct qualitative evaluations including a survey study and a user study to obtain software practitioners’ perceptions of our AIBugHunter  tool and assess the impact that AIBugHunter  may have on developers’ productivity in security aspects. Our survey study shows that our AIBugHunter  is perceived as useful where 90% of the participants consider adopting our AIBugHunter  during their software development. Last but not least, our user study shows that our AIBugHunter  can enhance developers’ productivity in combating cybersecurity issues during software development. AIBugHunter  is now publicly available in the Visual Studio Code marketplace.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:1382-3256
1573-7616
DOI:10.1007/s10664-023-10346-3