cgcl-codes / vultrigger

VulTrigger is a tool for identifying vulnerability-triggering statements across functions and investigating the effectiveness of function-level vulnerability detectors in detecting inter-procedural vulnerabilities.

Python 0.22% C 86.10% C++ 13.67%

vultrigger's Introduction

On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities

We propose a tool, dubbed VulTrigger, for identifying vulnerability-triggering statements across functions and investigating the effectiveness of function-level vulnerability detectors in detecting inter-procedural vulnerabilities. For this purpose, we built the first Inter-Procedural Vulnerability Dataset (InterPVD) for C/C++ open-source software. We find:

  1. inter-procedural vulnerabilities are prevalent with an average of 2.8 inter-procedural layers;
  2. detecting inter-procedural vulnerabilities is significantly more challenging than detecting intra-procedural vulnerabilities for function-level vulnerability detectors.
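
An added illustration, not code from VulTrigger or InterPVD: a constructed C parser in which the statement a patch adds and the statement that triggers the overflow sit in different functions, so a detector that scores `copy_payload` alone sees identical code before and after the fix. All names are hypothetical, and the layer labels in the comments are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 16
struct frame { uint8_t payload[PAYLOAD_MAX]; size_t len; };

/* Layer 2: the vulnerability-triggering statement lives here. Seen alone,
 * this function cannot tell whether n was validated upstream. */
static void copy_payload(struct frame *f, const uint8_t *src, size_t n)
{
    memcpy(f->payload, src, n);   /* trigger: overflows if n > PAYLOAD_MAX */
    f->len = n;
}

/* Layer 1: passes the input-controlled length through unchanged. */
static void fill_frame(struct frame *f, const uint8_t *src, size_t n)
{
    copy_payload(f, src, n);
}

/* Layer 0, before the fix: checks the length byte against the input
 * size only, never against the destination buffer. */
int parse_vulnerable(struct frame *f, const uint8_t *buf, size_t buflen)
{
    if (buflen < 1 || (size_t)buf[0] > buflen - 1) return -1;
    fill_frame(f, buf + 1, buf[0]);
    return 0;
}

/* Layer 0, after the fix: the patch adds the bound here, two calls
 * away from the memcpy it protects. */
int parse_patched(struct frame *f, const uint8_t *buf, size_t buflen)
{
    if (buflen < 1 || (size_t)buf[0] > buflen - 1) return -1;
    if (buf[0] > PAYLOAD_MAX) return -1;          /* patch statement */
    fill_frame(f, buf + 1, buf[0]);
    return 0;
}

int main(void)
{
    /* Constructed input: length byte 32 followed by 32 payload bytes. */
    uint8_t big[33] = { 32 };
    struct frame f = { {0}, 0 };
    return parse_patched(&f, big, sizeof big) == -1 ? 0 : 1;
}
```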

Requirements

To use VulTrigger, you need:

  1. python 2.x, 3.
  2. joern 0.3.1 (jdk 1.7)
  3. neo4j 2.1.5

Step Instructions

You can run it step-by-step for a better understanding of the VulTrigger tool, or use the script all_data.py to more efficiently get results from multiple CVEs.

(1) Step-by-step

  1. Enter the software repository and check out the corresponding version. Take CVE-2013-0852 as an example: the hash for CVE-2013-0852 is c0d68be555f5858703383040e04fcd6529777061, so in ./gitrepos/ffmpeg_git execute: git checkout c0d68be555f5858703383040e04fcd6529777061
  2. Stop neo4j service and delete the .joernIndex in the joern installation directory.
  3. Execute the file ./gitrepos/collect.py.
  4. Restart neo4j server.
  5. Execute the file get_depen.py [software].
  6. Copy dependent files to [joern installation directory]/testCode.
  7. Execute the command ./joern testCode in joern installation directory.
  8. Modify config.json.
  9. Put the relevant files of the CVE to be tested in the ./data/C-Diffs, ./data/C-Non_Vulnerable_Files, ./data/C-Vulnerable_Files folders.
  10. Execute the file cv_extract.py.
  11. Put the generated dependency files in the ./testCode folder.
  12. Execute the file get_cfg_relation.py.
  13. Execute the file complete_PDG.py.
  14. Execute the file access_db_operate.py.
  15. Execute the file extract_df2.py.
  16. Execute the file match_sink.py [cwe] [software].

(2) Automated method

  1. Put all the CVEs to be detected in the ./pre_data/test directory. It should be noted that they must be CVEs of the same software.
  2. Modify config.json.
  3. Execute the file all_data_test.py [software].
  4. Execute the file match_sink.py [cwe] [software].

We provide the environments and test code of other vulnerability detection tools we evaluate, including three open-sourced tools (i.e., Flawfinder, Infer, and CodeQL) and five function-level vulnerability detectors (i.e., VulBERTa, LineVul, Devign, ReVeal, and VulCNN) in the form of docker images. We publish them on Docker Hub and the link is available at https://hub.docker.com/r/vultrigger/models_tools_env/tags.

Support or Contact

VulTrigger is developed at SCTS&CGCL Lab (http://grid.hust.edu.cn) by Zhen Li, Ning Wang, Deqing Zou, Yating Li, Ruqian Zhang, Shouhuai Xu, Chao Zhang, and Hai Jin. For any questions, please contact Zhen Li, Ning Wang, Deqing Zou, Yating Li, Ruqian Zhang, Shouhuai Xu, Chao Zhang, or Hai Jin.

Copyright (C) 2023, STCS & CGCL and Huazhong University of Science and Technology.

vultrigger's Issues

About the environment

Can you provide the requirements.txt? I have some problems running the project. Specifically, I don't know the version of py2neo which has a py2neo.packages.httpstream. Thanks for any help.

Code for slicing

Do you plan to share code for program slicing? As far as I can see, this code is not available in the artefact?

More specifically, how to run slicing for new code?
