{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,20]],"date-time":"2025-06-20T04:08:52Z","timestamp":1750392532658,"version":"3.41.0"},"reference-count":77,"publisher":"Association for Computing Machinery (ACM)","issue":"FSE","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,19]]},"abstract":"<jats:p>Detecting semantically recurring vulnerabilities with similar root causes remains a challenge due to the complex interactions between multiple variables. This paper introduces VulPA, a novel approach for precisely identifying such vulnerabilities through complex inter-procedural data and control flows across multiple objects. VulPA tackles this challenge in two steps: 1) Defining root causes with a Vulnerability Pattern Description Language (VPDL) that specifies variable relations and bug-triggering operations, and 2) Detecting these patterns using an inter-procedural multi-object analysis that tracks dataflows and variable interactions. Built on the Heros IFDS framework, VulPA was evaluated on 26 Java applications using rules from 34 CVEs. It identified 90 new vulnerabilities (23.7% false positive rate), outperforming existing tools (ReDeBug, VUDDY, SourcererCC, PHunter, PPT4J, FlowDroid, and IDE\ud835\udc4e\ud835\udc59), which collectively found only 13. VulPA effectively uncovers complex vulnerabilities missed by state-of-the-art tools.<\/jats:p>","DOI":"10.1145\/3729378","type":"journal-article","created":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:15:34Z","timestamp":1750346134000},"page":"2430-2453","source":"Crossref","is-referenced-by-count":0,"title":["VulPA: Detecting Semantically Recurring Vulnerabilities with Multi-object Typestate Analysis"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-8023-7150","authenticated-orcid":false,"given":"Liqing","family":"Cao","sequence":"first","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0931-8767","authenticated-orcid":false,"given":"Haofeng","family":"Li","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-3055-8929","authenticated-orcid":false,"given":"Chenghang","family":"Shi","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4162-0404","authenticated-orcid":false,"given":"Jie","family":"Lu","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-7149-7671","authenticated-orcid":false,"given":"Haining","family":"Meng","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4476-0541","authenticated-orcid":false,"given":"Lian","family":"Li","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China"},{"name":"University of Chinese Academy of Sciences, Beijing, China"},{"name":"Zhongguancun Laboratory, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0380-3506","authenticated-orcid":false,"given":"Jingling","family":"Xue","sequence":"additional","affiliation":[{"name":"University of New South Wales, Sydney, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,6,19]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1094811.1094839"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.3166\/jancl.19.403-429"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594299"},{"key":"e_1_2_1_4_1","doi-asserted-by":"crossref","unstructured":"Dirk Beyer Sumit Gulwani and David A Schmidt. 2018. Combining model checking and data-flow analysis. Handbook of Model Checking 493\u2013540.","DOI":"10.1007\/978-3-319-10575-8_16"},{"key":"e_1_2_1_5_1","volume-title":"The 36th Annual ACM SIGPLAN - SIGACT Symposium on Principles of Programming Languages","author":"Brunel Julien","year":"2009","unstructured":"Julien Brunel, Damien Doligez, Ren\u00e9 Rydhof Hansen, Julia L. Lawall, and Gilles Muller. 2009. A Foundation for Flow-Based Program Matching Using Temporal Logic and Model Checking. In The 36th Annual ACM SIGPLAN - SIGACT Symposium on Principles of Programming Languages. Savannah, GA, USA. 114\u2013126."},{"key":"e_1_2_1_6_1","volume-title":"CHARME 2005, Saarbr\u00fccken, Germany, October 3-6, 2005. Proceedings 13","author":"Bustan Doron","year":"2005","unstructured":"Doron Bustan, Alon Flaisher, Orna Grumberg, Orna Kupferman, and Moshe Y Vardi. 2005. Regular vacuity. In Correct Hardware Design and Verification Methods: 13th IFIP WG 10.5 Advanced Research Working Conference, CHARME 2005, Saarbr\u00fccken, Germany, October 3-6, 2005. Proceedings 13. 191\u2013206."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","unstructured":"Liqing Cao. 2025. VulPA: Detecting Semantically Recurring Vulnerabilities with Multi-object Typestate Analysis (Artifact). 4 https:\/\/doi.org\/10.6084\/m9.figshare.27002680.v2 10.6084\/m9.figshare.27002680.v2","DOI":"10.6084\/m9.figshare.27002680.v2"},{"key":"e_1_2_1_8_1","volume-title":"Computer Aided Verification: 11th International Conference, CAV\u201999 Trento, Italy, July 6\u201310, 1999 Proceedings 11","author":"Cimatti Alessandro","year":"1999","unstructured":"Alessandro Cimatti, Edmund Clarke, Fausto Giunchiglia, and Marco Roveri. 1999. NuSMV: A new symbolic model verifier. In Computer Aided Verification: 11th International Conference, CAV\u201999 Trento, Italy, July 6\u201310, 1999 Proceedings 11. 495\u2013499."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/5397.5399"},{"key":"e_1_2_1_10_1","unstructured":"CodeQL. 2024. github\/codeql: CodeQL: the libraries and queries that power security researchers around the world as well as code scanning in GitHub Advanced Security. https:\/\/github.com\/github\/codeql"},{"key":"e_1_2_1_11_1","unstructured":"CVE. 2024. CVE Website. https:\/\/www.cve.org\/"},{"key":"e_1_2_1_12_1","first-page":"854","article-title":"Linear Temporal Logic and Linear Dynamic Logic on Finite Traces","volume":"13","author":"Giacomo Giuseppe De","year":"2013","unstructured":"Giuseppe De Giacomo and Moshe Y Vardi. 2013. Linear Temporal Logic and Linear Dynamic Logic on Finite Traces.. In Ijcai. 13, 854\u2013860.","journal-title":"Ijcai."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ic.2006.09.006"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-13188-2_9"},{"key":"e_1_2_1_15_1","volume-title":"International Conference on Computer Aided Verification. 174\u2013187","author":"Duret-Lutz Alexandre","year":"2022","unstructured":"Alexandre Duret-Lutz, Etienne Renault, Maximilien Colange, Florian Renkin, Alexandre Gbaguidi Aisse, Philipp Schlehuber-Caissier, Thomas Medioni, Antoine Martin, J\u00e9r\u00f4me Dubois, and Cl\u00e9ment Gillard. 2022. From spot 2.0 to spot 2.10: what\u2019s new? In International Conference on Computer Aided Verification. 174\u2013187."},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 1416\u20131426","author":"Emmi Michael","year":"2021","unstructured":"Michael Emmi, Liana Hadarean, Ranjit Jhala, Lee Pike, Nicol\u00e1s Rosner, Martin Sch\u00e4f, Aritra Sengupta, and Willem Visser. 2021. RAPID: checking API usage for the cloud in the cloud. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 1416\u20131426."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/1348250.1348255"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00027"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238213"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/512529.512539"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598041"},{"key":"e_1_2_1_22_1","volume-title":"2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 267\u2013279","author":"He Dongjie","year":"2019","unstructured":"Dongjie He, Haofeng Li, Lei Wang, Haining Meng, Hengjie Zheng, Jie Liu, Shuangwei Hu, Lian Li, and Jingling Xue. 2019. Performance-boosting sparsification of the ifds algorithm with applications to taint analysis. In 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 267\u2013279."},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238185"},{"key":"e_1_2_1_24_1","unstructured":"Heros. 2023. soot-oss\/heros: IFDS\/IDE Solver for Soot and other frameworks. https:\/\/github.com\/soot-oss\/heros"},{"key":"e_1_2_1_25_1","volume-title":"The SPIN model checker: Primer and reference manual. 1003","author":"Holzmann Gerard J","unstructured":"Gerard J Holzmann. 2004. The SPIN model checker: Primer and reference manual. 1003, Addison-Wesley Reading."},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690227"},{"key":"e_1_2_1_27_1","volume-title":"Logic in Computer Science: Modelling and reasoning about systems","author":"Huth Michael","unstructured":"Michael Huth and Mark Ryan. 2004. Logic in Computer Science: Modelling and reasoning about systems. Cambridge university press."},{"key":"e_1_2_1_28_1","volume-title":"Coccinelle: A Program Matching and Transformation Tool for Systems Code. https:\/\/coccinelle.gitlabpages.inria.fr\/website\/","author":"INRIA.","year":"2024","unstructured":"INRIA. 2024. Coccinelle: A Program Matching and Transformation Tool for Systems Code. https:\/\/coccinelle.gitlabpages.inria.fr\/website\/"},{"key":"e_1_2_1_29_1","volume-title":"2012 IEEE Symposium on Security and Privacy. 48\u201362","author":"Jang Jiyong","year":"2012","unstructured":"Jiyong Jang, Abeer Agrawal, and David Brumley. 2012. ReDeBug: finding unpatched code clones in entire os distributions. In 2012 IEEE Symposium on Security and Privacy. 48\u201362."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/1449814.1449899"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560664"},{"key":"e_1_2_1_32_1","volume-title":"36th European Conference on Object-Oriented Programming (ECOOP","author":"Kellogg Martin","year":"2022","unstructured":"Martin Kellogg, Narges Shadab, Manu Sridharan, and Michael D Ernst. 2022. Accumulation analysis. In 36th European Conference on Object-Oriented Programming (ECOOP 2022)."},{"key":"e_1_2_1_33_1","volume-title":"International Symposium on Leveraging Applications of Formal Methods. 356\u2013362","author":"Khoury Rapha\u00ebl","year":"2016","unstructured":"Rapha\u00ebl Khoury, Sylvain Hall\u00e9, and Omar Waldmann. 2016. Execution trace analysis using ltl-fo. In International Symposium on Leveraging Applications of Formal Methods. 356\u2013362."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2018.02.007"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.62"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115707"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1023\/B:LISP.0000029444.99264.c0"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/CGO57630.2024.10444884"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CGO51591.2021.9370311"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3689804"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.48"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3503222.3507770"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380923"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560589"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10270-013-0366-0"},{"key":"e_1_2_1_46_1","volume-title":"OOPSLA\u201908: Proceedings of Object-Oriented Programming, Systems, Languages and Applications.","author":"Naeem Nomair A","year":"2008","unstructured":"Nomair A Naeem and Ondrej Lhot\u00e1k. 2008. Extending typestate analysis to multiple interacting objects. OOPSLA\u201908: Proceedings of Object-Oriented Programming, Systems, Languages and Applications."},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/1449955.1449792"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-11970-5_8"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.entcs.2006.07.022"},{"key":"e_1_2_1_50_1","volume-title":"Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering. 1\u201312","author":"Pan Zhiyuan","year":"2024","unstructured":"Zhiyuan Pan, Xing Hu, Xin Xia, Xian Zhan, David Lo, and Xiaohu Yang. 2024. PPT4J: Patch Presence Test for Java Binaries. In Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering. 1\u201312."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/1858996.1859089"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227127"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3345659"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/199448.199462"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1016\/0304-3975(96)00072-2"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884877"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/268946.268950"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3589334.3645530"},{"key":"e_1_2_1_59_1","volume-title":"Proceedings of the 21st Annual Conference on Information Technology Education. 403\u2013408","author":"Singleton Larry","year":"2020","unstructured":"Larry Singleton, Rui Zhao, Myoungkyu Song, and Harvey Siy. 2020. Cryptotutor: Teaching secure coding practices through misuse pattern detection. In Proceedings of the 21st Annual Conference on Information Technology Education. 403\u2013408."},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2048066.2048146"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10009-013-0290-1"},{"key":"e_1_2_1_62_1","unstructured":"Soot. 2024. soot-oss\/soot: Soot - A Java optimization framewor. https:\/\/github.com\/soot-oss\/soot"},{"key":"e_1_2_1_63_1","volume-title":"Proceedings of the ACM on Programming Languages, 1, OOPSLA","author":"Sp\u00e4th Johannes","year":"2017","unstructured":"Johannes Sp\u00e4th, Karim Ali, and Eric Bodden. 2017. Ide al: Efficient and precise alias-aware dataflow analysis. Proceedings of the ACM on Programming Languages, 1, OOPSLA (2017), 1\u201327."},{"key":"e_1_2_1_64_1","volume-title":"30th European Conference on Object-Oriented Programming (ECOOP","author":"Sp\u00e4th Johannes","year":"2016","unstructured":"Johannes Sp\u00e4th, Lisa Nguyen Quang Do, Karim Ali, and Eric Bodden. 2016. Boomerang: Demand-driven flow-and context-sensitive pointer analysis for java. In 30th European Conference on Object-Oriented Programming (ECOOP 2016)."},{"key":"e_1_2_1_65_1","unstructured":"Topl. 2024. Topl | Infer. https:\/\/fbinfer.com\/docs\/1.1.0\/checker-topl"},{"key":"e_1_2_1_66_1","volume-title":"1st Symposium in Logic in Computer Science (LICS).","author":"Vardi Moshe Y","year":"1986","unstructured":"Moshe Y Vardi and Pierre Wolper. 1986. An automata-theoretic approach to automatic program verification. In 1st Symposium in Logic in Computer Science (LICS)."},{"key":"e_1_2_1_67_1","unstructured":"WALA. 2024. wala\/WALA: T.J. Watson Libraries for Analysis with frontends for Java Android and JavaScript and may common static program analyses. https:\/\/github.com\/wala\/WALA"},{"key":"e_1_2_1_68_1","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). 932\u2013944","author":"Wang Chao","year":"2023","unstructured":"Chao Wang, Ronny Ko, Yue Zhang, Yuqing Yang, and Zhiqiang Lin. 2023. Taintmini: Detecting flow of sensitive data in mini-programs with static taint analysis. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). 932\u2013944."},{"key":"e_1_2_1_69_1","volume-title":"Temporal logic can be more expressive. Information and control, 56, 1-2","author":"Wolper Pierre","year":"1983","unstructured":"Pierre Wolper. 1983. Temporal logic can be more expressive. Information and control, 56, 1-2 (1983), 72\u201399."},{"key":"e_1_2_1_70_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Xiao Yang","year":"2020","unstructured":"Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, and Wei Zou. 2020. $MVP$: Detecting vulnerabilities using $Patch-Enhanced$ vulnerability signatures. In 29th USENIX Security Symposium (USENIX Security 20). 1165\u20131182."},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598061"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3549125"},{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134620"},{"key":"e_1_2_1_74_1","doi-asserted-by":"publisher","unstructured":"Hua Yan Yulei Sui Shiping Chen and Jingling Xue. 2018. Spatio-Temporal Context Reduction: A Pointer-Analysis-Based Static Approach for Detecting Use-After-Free Vulnerabilities. In 2018 IEEE\/ACM 40th International Conference on Software Engineering (ICSE). 327\u2013337. https:\/\/doi.org\/10.1145\/3180155.3180178 10.1145\/3180155.3180178","DOI":"10.1145\/3180155.3180178"},{"key":"e_1_2_1_75_1","unstructured":"Project Zero. 2021. D\u00e9j\u00e0 vu-lnerability. https:\/\/googleprojectzero.blogspot.com\/2021\/02\/deja-vu-lnerability.html"},{"key":"e_1_2_1_76_1","volume-title":"Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering. 1\u201312","author":"Zhan Qi","year":"2024","unstructured":"Qi Zhan, Xing Hu, Zhiyang Li, Xin Xia, David Lo, and Shanping Li. 2024. PS3: Precise Patch Presence Test based on Semantic Symbolic Signature. In Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering. 1\u201312."},{"key":"e_1_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1145\/3524610.3527895"}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3729378","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:19:48Z","timestamp":1750346388000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3729378"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,19]]},"references-count":77,"journal-issue":{"issue":"FSE","published-print":{"date-parts":[[2025,6,19]]}},"alternative-id":["10.1145\/3729378"],"URL":"https:\/\/doi.org\/10.1145\/3729378","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,19]]}}}