Skip to content

Yuuoniy/BugAuditor

Repository files navigation

BugAuditor

BugAuditor is an LLM-driven bug detection framework that uses inconsistent defensive handling as a new oracle for detecting project-specific bugs. Its key insight is that large software systems already contain abundant defensive code, where developers apply defensive operations to prevent bugs in security-sensitive contexts. When similar security-sensitive behaviors are handled defensively in some places but not in others, the inconsistency may indicate a real bug.

BugAuditor first identifies defensive code snippets across the codebase, then infers defensive patterns that capture both the security-sensitive behavior and the required defensive handling. It finally applies these patterns to audit similar code contexts and detect missing or inconsistent handling.

Please refer to our paper for more details.

Artifact evaluation

Please refer to AE.md for instructions.

Intro

The following are key concepts in BugAuditor.

Key Concept Description
defensive operation Defensive operations that developers use to prevent bugs in security-sensitive contexts (e.g., kfree, clk_put, and null-pointer checks).
security-sensitive behaviors Behaviors that are inherently error-prone and require proper handling, as improper or missing handling may lead to security bugs.
defensive pattern Characterizes security-sensitive behaviors and their corresponding defensive operations within a defensive code snippet.
bug auditing Uses mined defensive patterns to detect inconsistent handling of security-sensitive behaviors across similar functions.

Workflow

As shown in the figure, BugAuditor detects potential bugs by finding inconsistent defensive handling in similar security-sensitive contexts.

The process can be summarized as follows:

Stage Core task Output
Defensive code collecting Collect defensive code snippets around seed defensive operations, and expand to related project-specific defensive operations when needed. A curated set of defensive code snippets.
Defensive pattern reasoning Infer defensive patterns that connect security-sensitive behaviors with corresponding defensive operations from collected snippets. Inferred defensive patterns describing.
Bug auditing Apply inferred patterns to comparable functions and detect inconsistent defensive handling. Bug reports with explanations.

Repository layout

BugAuditor
├── scripts/user/      # user-facing wrappers
├── scripts/core/      # core pipeline entry points
├── prompts/           # prompts used by the pipeline
├── config.json        # source paths and LLM settings
├── artifact/          # artifact-evaluation scripts and reference data
├── src/utils/         # internal analysis helpers
├── paper/             # paper PDF
├── INSTALL.md
└── AE.md

Quick start

Install and configure

  1. Build and enter the Docker image:
docker build -t bugauditor .
docker run -it bugauditor
  1. Download or clone your project source code to a local directory.

  2. Edit config.json with the source path and your LLM endpoint.

  3. Check the setup for your repo.

bash scripts/user/check_setup.sh <repo>

Run example in the Linux kernel

Use repo key linux and defensive operation clk_put.

  1. Run defensive pattern reasoning.
# linux: repo key configured in config.json
# clk_put: seed defensive operation to mine
# --workers 8: parallel workers
bash scripts/user/mine_patterns.sh linux clk_put --workers 8

This writes mined patterns to:

artifact/results/user/linux/clk_put/inferred_patterns.json
  1. Run bug auditing with inferred pattern file.

For a fast example, use the packaged clk_put pattern file:

# --pattern-file: inferred defensive patterns
# --pattern-limit n: use at most the first n patterns from the file
# --candidate-limit n: audit at most n comparable functions per pattern
bash scripts/user/audit_bugs.sh linux clk_put \
  --pattern-file artifact/r_bug_auditing/reference/patterns/clk_put.parsed.json \
  --pattern-limit 30 \
  --candidate-limit 10 \
  --workers 8

If you ran Step 1 and want to use the newly mined patterns instead, pass that file explicitly:

bash scripts/user/audit_bugs.sh linux clk_put \
  --pattern-file artifact/results/user/linux/clk_put/inferred_patterns.json \
  --pattern-limit 30 \
  --candidate-limit 10 \
  --workers 8

Main output:

artifact/results/user/linux/clk_put/bug_reports.json

Reference files for checking the example:

More example

OpenSSL example

OpenSSL follows the same workflow.
First make sure config.json:program_paths.openssl points to the OpenSSL source tree:

bash scripts/user/check_setup.sh openssl

To mine patterns:

bash scripts/user/mine_patterns.sh openssl OPENSSL_free --workers 8

To run a quick audit with a packaged pattern file:

bash scripts/user/audit_bugs.sh openssl OPENSSL_free \
  --pattern-file artifact/cross_project/reference/patterns/openssl_OPENSSL_free_patterns.json \
  --pattern-limit 30 \
  --candidate-limit 10 \
  --workers 8

Packaged pattern file: openssl_OPENSSL_free_patterns.json

Your own project

  1. Add your project path to config.json.
{
  "program_paths": {
    "my_project": "/workspace/BugAuditor/source/my_project"
  }
}
  1. Check the setup:
bash scripts/user/check_setup.sh my_project
  1. Mine patterns for the defensive operation you want to audit:
bash scripts/user/mine_patterns.sh my_project <defensive_operation> --workers 8
  1. Audit with an explicit pattern file:
bash scripts/user/audit_bugs.sh my_project <defensive_operation> \
  --pattern-file artifact/results/user/my_project/<defensive_operation>/inferred_patterns.json \
  --pattern-limit 30 \
  --candidate-limit 10 \
  --workers 8

Contact

If you encounter any issues or have suggestions, we would be grateful for your feedback. Please feel free to contact the authors. Email: linmq006@gmail.com

About

BugAuditor: Detecting Bugs via Inconsistent Defensive Code Auditing (USENIX Security 2026)

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages