VULDEFF: Vulnerability detection method based on function fingerprints and code differences

The significant increase in Open Source Software has led to a sharp increase in code cloning vulnerabilities. Code similarity detection methods are usually used to detect these vulnerabilities. However, cloned code often modifies the original code to varying degrees, and the difference between vulnerable code and patch code can be very small. Traditional code similarity detection methods cannot effectively detect common mutation patterns in code cloning and distinguish vulnerable code from patch code. The paper proposes a vulnerability detection method named VULDEFF based on function fingerprints and code differences. This paper designs a lightweight function fingerprint method based on the Context Triggered Piecewise Hashing algorithm, which can characterize the basic syntax features of function source code. In particular, the fingerprint of the vulnerable function contains the syntax features, vulnerability features, and patch features of the vulnerable function. VULDEFF detects whether target function has vulnerabilities by searching target function fingerprint in the vulnerable function fingerprint library. Compared with five advanced software vulnerability detection tools, VULDEFF significantly reduces the false positive and false negative rates while ensuring the scalability of vulnerability detection. VULDEFF discovered 111 new vulnerabilities in 10 open source projects.