VulnArrow: Data-Driven Vulnerability Root-Cause Analysis with Differential Sample Generation
摘要
Fuzzing is a widely used technique for software vulnerability discovery, as it can efficiently generate proof-of-concept (PoC) inputs that trigger crashes. However, it usually cannot explain the root causes of vulnerabilities, still requiring time-consuming manual analysis by security experts and thus slowing down vulnerability remediation. Therefore, efficiently inferring vulnerability root causes from crash-inducing inputs has become a key challenge for improving software security. To overcome the low accuracy and efficiency of existing automated root-cause analysis (RCA) methods—caused by insufficient sample quality and limited predicate expressiveness—we propose VulnArrow, the first accurate and efficient method for root-cause analysis of complex vulnerabilities. VulnArrow first adopts a dual-distribution sample generation strategy with differentiated mutation magnitudes to produce high-quality samples tailored for RCA. It then applies lightweight backward slicing to identify vulnerability-related variables. Finally, VulnArrow reformulates RCA as a data analysis problem, automatically constructing interpretable rule-based features and leveraging clustering to infer vulnerability causes. This approach removes the need for manually defined predicates and effectively handles complex, composite vulnerabilities. We implemented a prototype of VulnArrow and evaluated it on 40 real-world vulnerabilities from 19 open-source projects. Compared with the state-of-the-art method RaCing, VulnArrow improves root cause localization effectiveness by 86% and average ranking accuracy by 83%, while reducing analysis time by 90%. These results demonstrate that VulnArrow achieves both high accuracy and efficiency, making it practical for real-world use.