CR | Oct 25, 2021

RoBin: Facilitating the Reproduction of Configuration-Related Vulnerability

arXiv:2110.12989v1 | Has Code
Originality: Incremental advance
AI Analysis

This work addresses the challenge for software developers in reproducing and diagnosing vulnerabilities caused by specific configuration combinations, though it is incremental as it builds on binary similarity methods.

The authors tackled the problem of reproducing configuration-related software vulnerabilities by proposing RoBin, a binary similarity-based tool that infers specific building configurations from crash reports, achieving strong performance in pinpointing configurations across 21 vulnerable cases on 4 open-source programs.

Vulnerability reproduction paves the way for debugging software failures, which needs intensive manual effort. However, some key factors (e.g., software configuration, trigger method) are often missing, so we cannot directly reproduce the failure without extra attempts. Even worse, highly customized configuration options of programs create a barrier to reproducing vulnerabilities that only appear under some specific combinations of configurations. In this paper, we address the problem mentioned above -- reproducing the configuration-related vulnerability. We try to solve it by proposing a binary similarity-based method to infer the specific building configurations via the binary from the crash report. The main challenges are as follows: precise compilation option inference, program configuration inference, and source-code-to-binary matching. To achieve the goal, we implement RoBin, a binary similarity-based building configuration inference tool. To demonstrate its effectiveness, we test RoBin on 21 vulnerable cases across 4 well-known open-source programs. It shows a strong ability in pinpointing the building configurations causing the vulnerability. The result can help developers reproduce and diagnose the vulnerability, and finally, patch the programs.
