Bofei Chen, Shuang Liao, and Lei Zhang, Fudan University; Chibin Zhang and Mathias Payer, EPFL; Yuan Zhang, Fudan University
Security-sensitive APIs are critical components in modern Java applications, yet improper usage of these APIs frequently leads to severe vulnerabilities such as remote code execution. Existing methods for generating API security rules are limited as they rely on incomplete documentation or infer patterns from source code based on discovered inconsistencies.
We introduce VulGenie, a patch-driven framework that extracts precise API security rules from confirmed security patches and then uses them to detect API misuse vulnerabilities. VulGenie addresses three key challenges. First, it isolates violated constraints and defense-related changes from noisy patches using our novel modification behavior dependency patch graph data structure. Second, it identifies protected security-sensitive APIs and synthesizes rules through attack-defense cross-validation. Third, it scales analysis with adaptive, deviation-guided static analysis to balance precision and performance. Evaluated on 150 recent Java security patches, VulGenie extracts 198 API security rules with 81.82% precision, uncovering 177 rules absent in CodeQL. On ten popular Java applications, VulGenie detects 46 0-day vulnerabilities, substantially outperforming state-of-the-art works. Through our responsible vulnerability disclosure, 25 vulnerabilities have already been fixed with ten CVE identifiers assigned.
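To make the patch-to-rule-to-detection idea in the abstract concrete, here is an added toy illustration written for this page; it is not VulGenie's code and does not reproduce its patch graph, cross-validation or static analysis. It assumes a deliberately simple rule shape ("sensitive call X must be preceded in the same method by defense call Y"), a constructed pre/post patch pair around Java's `ObjectInputStream.readObject` (the added guard is a real Java 9+ API, `setObjectInputFilter`), and constructed methods to scan. The function names `extract_rule` and `check_method` are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Matches "receiver.method(" and captures the method name. A line-level regex
# stands in for the real parser a tool like VulGenie would use.
CALL_RE = re.compile(r"\b\w+\.(\w+)\s*\(")


@dataclass(frozen=True)
class Rule:
    """A minimal API security rule: the sensitive call and its required guard."""
    sensitive_api: str      # method whose use the patch protected
    required_defense: str   # call that must precede it in the same method


def calls_in(lines):
    """Return (line_index, method_name) for every call found in the lines."""
    return [(i, m.group(1)) for i, ln in enumerate(lines) for m in CALL_RE.finditer(ln)]


def extract_rule(pre, post):
    """Derive a Rule from a (pre-patch, post-patch) method pair.

    Heuristic used here (an assumption for this example): the first call on a
    line the patch added is the defense, and the first pre-existing call that
    follows it is the security-sensitive API the patch intended to protect.
    """
    pre_lines = [ln.strip() for ln in pre.strip().splitlines()]
    post_lines = [ln.strip() for ln in post.strip().splitlines()]
    pre_set = set(pre_lines)
    post_calls = calls_in(post_lines)
    added_calls = [(i, name) for i, name in post_calls if post_lines[i] not in pre_set]
    if not added_calls:
        return None
    defense_idx, defense_name = added_calls[0]
    for i, name in post_calls:
        if i > defense_idx and post_lines[i] in pre_set:
            return Rule(sensitive_api=name, required_defense=defense_name)
    return None


def check_method(rule, source):
    """Return 1-based line numbers where the sensitive API is called without the
    defense having been called earlier in the same method."""
    lines = [ln.strip() for ln in source.strip().splitlines()]
    defended = False
    violations = []
    for i, name in calls_in(lines):
        if name == rule.required_defense:
            defended = True
        elif name == rule.sensitive_api and not defended:
            violations.append(i + 1)
    return violations


# Constructed patch: the post version adds a deserialization filter before readObject.
PRE_PATCH = """
public Object load(InputStream in) throws Exception {
    ObjectInputStream ois = new ObjectInputStream(in);
    return ois.readObject();
}
"""
POST_PATCH = """
public Object load(InputStream in) throws Exception {
    ObjectInputStream ois = new ObjectInputStream(in);
    ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.example.**;!*"));
    return ois.readObject();
}
"""

# Constructed method elsewhere in the code base that still lacks the guard.
UNGUARDED_METHOD = """
public Object parse(byte[] data) throws Exception {
    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
    return ois.readObject();
}
"""

RULE = extract_rule(PRE_PATCH, POST_PATCH)

if __name__ == "__main__":
    print("extracted rule:", RULE)
    print("violations in unguarded method:", check_method(RULE, UNGUARDED_METHOD))
    print("violations in patched method:", check_method(RULE, POST_PATCH))
```

The ordering check matters: a defense placed after the sensitive call would still be reported, which is the kind of "violated constraint" a patch-derived rule is meant to capture. Real rule extraction has to separate the defense from unrelated refactoring in the same patch, which is exactly the noise problem the abstract's patch graph addresses and this line-diff heuristic does not.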