five

Replication Package for ASE 2026

收藏
Zenodo2026-05-01 更新2026-05-26 收录
下载链接:
https://zenodo.org/doi/10.5281/zenodo.19230103
下载链接
链接失效反馈
官方服务:
资源简介:
🧪 Replication Package for ASE 2026       This repository contains the first large-scale empirical study on the cross-version applicability of Java library vulnerability exploits. It challenges the prevailing wisdom that exploits are highly version-specific, demonstrating an 83.0% recall in identifying affected versions using disclosed exploits. Furthermore, it provides a comprehensive benchmark for exploit migration, enabling the recovery of 77.1% of failed cases.     🏆 Real-World Impact: Contributions to CPE One of the key contributions of this work is the identification of missing affected versions in official vulnerability databases. We systematically reported our findings to the National Vulnerability Database (NVD) team. 2026.5.1 updates: Our contribution to 7 CVEs in the Jackson-databind library has been partially confirmed by NVD. So far, we have contributed to 20 CVEs (796+723=1519 Versions). Our contributions have been verified and accepted, resulting in updates to the CPE dictionary for the following 13 CVEs: CVE ID Verified Omission in Original CPE Entry Missing Versions Change Date CVE-2017-1000190 Omits all versions prior to 2.7.1. 74 9/12/2025 CVE-2018-1274 Omits all versions prior to 1.13. 62 9/12/2025 CVE-2019-11272 Omits all versions prior to 4.2.0. 79 9/12/2025 CVE-2019-5312 Omits all versions prior to 3.3.0. 36 9/12/2025 CVE-2021-29425 Omits versions 1.1 through 2.1. 8 Confirmed CVE-2023-42276 Omits all versions prior to 5.8.21. 174 9/12/2025 CVE-2023-51080 Omits version 5.8.22. 1 9/12/2025 CVE-2019-5427 Omits version 0.9.5.3. 1 9/05/2025 CVE-2021-3878 Omits version 4.3.0. 1 9/08/2025 CVE-2023-50572 Omits all versions prior to 3.24.1. 13 9/05/2025 CVE-2023-51075 Omits all versions prior to 5.8.23. 176 9/05/2025 CVE-2022-45690 Omits all versions prior to 5.8.10. 165 9/12/2025 CVE-2023-51074 Omits all versions prior to 2.8.0. 6 9/12/2025 Total 13 CVEs Updated 796       2026.5.1 updates: 7 CVEs that were validated by NVD after the submission of our paper.   CVE-2020-11112 2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1), and all branches prior to 2.9. 110 (2.10,2.11 omitted) 4/29/2026 CVE-2020-11113 2.10 branch  (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1), and all branches prior to 2.9. 110 (2.10,2.11 omitted) 4/29/2026 CVE-2020-11619 2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1), and all branches prior to 2.9. 110 (2.10,2.11 omitted) 4/29/2026 CVE-2020-14060 2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1 - 2.11.0), and all branches prior to 2.9. 110 (2.10,2.11 omitted) 4/29/2026 CVE-2020-14062 2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1 - 2.11.0), and all branches prior to 2.9. 110 (2.10,2.11 omitted) 4/29/2026 CVE-2020-35728 2.10 branch (2.10.0.pr1 - 2.10.5.1), 2.11 branch  (2.11.0.rc1 - 2.11.4), 2.12  branch  (2.12.0.rc1 - 2.12.0.rc2), and all branches prior to 2.9. 106 (2.10,2.11,2.12 omitted) 4/29/2026 CVE-2020-9546 2.10 branch (2.10.0.pr1 - 2.10.2), as well as branches prior to 2.7. 67 (2.10 omitted) 4/29/2026 Total 7 CVEs Updated 723     📊 CWE Coverage To characterize the representativeness of our exploit dataset, we further analyze its coverage over vulnerability types in the Maven ecosystem. Detailed results are provided in: DataCollection/├── CWE-Coverage This directory contains the CWE coverage statistics of our dataset, including both the CWE categories represented in our collected exploits and their coverage over historical Java Maven vulnerabilities. Overall, among the 5,889 historical Java Maven CVEs collected from GitHub Advisory up to 2025, the CWE categories covered by our dataset account for 76.33% of all vulnerabilities (4,495 / 5,889). In addition, our dataset covers 68.96% of all distinct CWE types appearing in these vulnerabilities. These results indicate that, although our dataset does not include every vulnerability in the Maven ecosystem, it already captures the majority of practically relevant vulnerability types. To further understand the security landscape covered by our dataset, we organize the included CWEs according to their higher-level CWE pillars, together with the number of corresponding CVEs observed in our collected dataset. CWE Pillar Distribution Pillar Contained CWEs and Corresponding CVE Counts Improper Access Control CWE-287/295/863 (2), CWE-306/522/732/862 (1) Improper Control of a Resource Through its Lifetime CWE-502 (48), CWE-22 (18), CWE-611 (20), CWE-787 (19), CWE-770 (11), CWE-94 (11), CWE-400 (6), CWE-121/918 (6), CWE-434 (4), CWE-120 (3), CWE-200/776 (2), CWE-61/123/125/178/195/377/404/416/470/494/522/665/668/681/732/1321/1333 (1) Insufficient Control Flow Management CWE-835 (8), CWE-674/834 (2), CWE-776 (2), CWE-248 (1) Improper Adherence to Coding Standards CWE-476 (1) Improper Check or Handling of Exceptional Conditions CWE-130/248/476/754/755 (1) Protection Mechanism Failure CWE-184 (2), CWE-331/347/494 (1) Incorrect Comparison CWE-184 (2) Improper Interaction Between Multiple Correctly-Behaving Entities CWE-444 (4), CWE-113 (2), CWE-436 (1) Improper Neutralization CWE-20 (12), CWE-79 (11), CWE-94 (9), CWE-74/78 (5), CWE-917 (3), CWE-77/89/113/116 (2), CWE-87/91/117/130/176 (1) Incorrect Calculation CWE-190 (3)       📂 Repository Structure This package is organized according to the research questions (RQs) and data collection phases described in the paper. Plaintext .├── DataCollection/   │   ├──CWE-Coverage│   ├ Exploits/           │   │   ├── Origin/         # Original disclosed exploits (GitHub/NVD)│   │   └── Vision/         # Exploits aligned with the Vision dataset│   └── Version/            │       ├── candidate-version.csv    │       └── true-affected-version.csv # Manually verified Ground Truth│├── reproduce/               # attack environments for exploit reproduction│├── RQ1/                     │   ├── CrossVersionRun/     │   │   ├── logs/           │   │   ├── results/         │   │   ├── run.py           # Script for cross-version execution│   │   └── run_vision.py       # Script for cross-version execution│   ├── datasource/         # Database snapshots and comparison results│   └── sota/               # Comparison with State-of-the-Art tools│├── RQ2/                    │   ├── build-failure-*.csv # Analysis of build/environment errors│   ├── exploit-failure.csv # Analysis of logic/payload errors│   ├── unexpected-behavior.csv # Analysis of false positives/anomalies│   └── overall.csv         # Summary of failure taxonomy│└── RQ3/                       ├── exploit-migration.csv   # The Exploit Migration Benchmark   ├── migration/               # Source code of migrated exploits (1,885 cases)   ├── edit_distance.py         # Script to calculate migration cost   └── edit_distance_results.jsonl     🛠️ Runtime Environment & Prerequisites To fully reproduce the experiments, please ensure the following environment and dependencies are set up. ☕ Java & Maven Apache Maven (Reference Version): 3.8.8 Java: Multiple JDK versions are required for RQ3 (see RQ3 section). Download and place them into a java/ folder at the repository root. 🐍 Python Environment Python (Reference Version): 3.8.10 (default, Nov 22 2023) Install dependencies with: pip install \  bidict==0.23.1 \  certifi==2025.1.31 \  charset-normalizer==3.4.1 \  click==8.1.8 \  Flask==2.0.3 \  Flask-SocketIO==4.3.1 \  h11==0.16.0 \  idna==3.10 \  itsdangerous==2.2.0 \  Jinja2==3.1.6 \  MarkupSafe==2.1.5 \  pip==20.0.2 \  python-engineio==3.13.2 \  python-socketio==4.6.0 \  requests==2.32.3 \  setuptools==45.2.0 \  simple-websocket==1.1.0 \  six==1.17.0 \  urllib3==2.2.3 \  Werkzeug==2.0.3 \  wheel==0.34.2 \  wsproto==1.2.0   🖼️ PDF Processing For PDF-based result processing, install Ghostscript: sudo apt install ghostscriptexport ITEXT_GS_EXEC=/usr/bin/gs   ⚡ Required Local Servers Some exploits rely on network services (LDAP/RMI/HTTP). Start the servers before running exploit execution: # Build marshalsec first (in ./reproduce/servers/marshalsec)cd ./reproduce/servers/marshalsecmvn package# Start LDAP & RMI serversjava -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8080/#Exploit" 1389java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer  "http://127.0.0.1:8080/#Exploit" 1340# Start HTTP and socket servers (in ./reproduce/servers/attack)cd ../attackpython -m http.server 3306python socket-server.pypython remote.py       🧪 Reproducing RQ1: Cross-Version Applicability Use the following scripts to reproduce the large-scale cross-version execution results, calculate metrics against vulnerability databases, and compare with SOTA tools. cd RQ1/CrossVersionRun# Step 1: Execute exploits across historical versionspython run.py# Step 2: Execute exploits in visionpython run_vision.py 📊 Metric Calculation & Results Analysis To generate the specific recall metrics for the 5 vulnerability databases (NVD, GitHub, GitLab, Snyk, Veracode), run the following script: # Calculate and output recall metrics for all 5 databasespython ../datasource/parsed/recall.py Key Result Files: File Path Description RQ1/CrossVersionRun/results/ The raw output of our cross-version exploit execution. RQ1/datasource/parsed/NVD.csv Detailed comparison results between our exploits and the NVD data source. RQ1/sota/vision-result.json The raw execution results provided by the SOTA tool Vision [43]. RQ1/sota/SOTA-result.csv Summary CSV comparing our approach against Vision and other baselines.   🔍 Analyzing RQ2: Limiting Factors The RQ2/ directory contains the detailed failure analysis data, categorizing why specific exploits failed on vulnerable versions. File Description exploit-failure.csv Contains semantic failure categorizations (e.g., Invalid Payload, Logic Incompatible). build-failure-\*.csv Contains failures related to build errors, including Environment Issues and Symbol Resolution Failures. unexpected-behavior.csv Records cases where exploits triggered false positives or anomalies.     🛠️ Exploring RQ3: Exploit Migration Benchmark We provide the largest benchmark of migrated exploits to date, offering both the source code and cost analysis tools. 📂 Migration Code: The RQ3/migration folder contains the actual source code for the 1,885 adapted exploits. 📂 Migration Conclusion: Stored in exploit-migration.csv. 📉 Cost Analysis: Run the following script to calculate the Edit Distance (LoC changes) for the migration strategies. cd RQ3# Calculate migration costs (Lines of Code modified)python edit_distance.py The results will be saved to edit_distance_results.jsonl .     📊 Dataset Statistics Metric Count Libraries 128 Total Versions Scanned 28,150 Reproducible Exploits 259 True Affected Versions 14,378 Migrated Exploit Cases 1,885
提供机构:
Zenodo
创建时间:
2026-03-26
二维码
社区交流群
二维码
科研交流群
商业服务