LCVD: Loop-oriented code vulnerability detection via graph neural network

Abstract

Due to the unique mechanism and complex structure, loops in programs can easily lead to various vulnerabilities such as dead loops, memory leaks, resource depletion, etc. Traditional approaches to loop-oriented program analysis (e.g. loop summarization) are costly with a high rate of false positives in complex software systems. To address the issues above, recent works have applied deep learning (DL) techniques to vulnerability detection. However, existing DL-based approaches mainly focused on the general characteristics of most vulnerabilities without considering the semantic information of specific vulnerabilities. As a typical structure in programs, loops are highly iterative with multi-paths. Currently, there is a lack of available approaches to represent loops, as well as useful methods to extract the implicit vulnerability patterns. Therefore, this paper introduces LCVD, an automated loop-oriented code vulnerability detection approach. LCVD represents the source code as the Loop-flow Abstract Syntax Tree (LFAST), which focuses on interleaving multi-paths around loop structures. Then a novel Loop-flow Graph Neural Network (LFGNN) is proposed to learn both the local and overall structure of loop-oriented vulnerabilities. The experimental results demonstrate that LCVD outperforms the three static analysis-based and four state-of-the-art DL-based vulnerability detection approaches across evaluation settings.