NICE: A Framework for Declarative and Machine-Checkable Vulnerability Reproduction
For security researchers, maintainers, and educators, NICE addresses the problem of hard-to-reproduce vulnerabilities by enabling long-term reproducibility and machine-checkable validation.
NICE is a framework using declarative recipes to build and automatically validate vulnerable environments for software vulnerability reproduction. Evaluated on 19 diverse CVEs, it produces concise recipes and integration tests that reproduce vulnerable environments and provide proofs of exploitation.
Reproducing software vulnerabilities is fundamental to security researchers, open-source maintainers, and educators. Yet, vulnerabilities remain hard to reproduce today, and even when they can be reproduced, recreating a software environment where the vulnerability can be exploited becomes harder and harder over time. We present NICE, the NIx CvE reproduction framework, which uses declarative recipes to build and automatically validate vulnerable environments. In NICE, a reproduced CVE comprises one or more NixOS virtual machine configurations, a scripted exploitation scenario, and machine-checkable assertions that provide factual evidence of exploitation. This design facilitates sharing, validation, review, and long-term reproducibility. We evaluate NICE on 19 diverse real-world CVEs spanning multiple CWE categories, attack vectors, and target types (user-space, system software, kernel, and graphical applications). We show that NICE allows to produce concise recipes and integration tests that reproduce vulnerable environments and provide proofs of exploitation. NICE is applicable to security education and training (e.g., creating cyber ranges), but also to vulnerability reporting, where its reproducibility and reviewability properties can make reports easier to audit and verify.