BugAuditor is an LLM-driven bug detection framework that uses inconsistent defensive handling as a new oracle for detecting project-specific bugs. Its key insight is that large software systems already contain abundant defensive code, where developers apply defensive operations to prevent bugs in security-sensitive contexts. When similar security-sensitive behaviors are handled defensively in some places but not in others, the inconsistency may indicate a real bug.
BugAuditor first identifies defensive code snippets across the codebase, then infers defensive patterns that capture both the security-sensitive behavior and the required defensive handling. It finally applies these patterns to audit similar code contexts and detect missing or inconsistent handling.
Please refer to our paper for more details.
Please refer to AE.md for instructions.
The following are key concepts in BugAuditor.
| Key Concept | Description |
|---|---|
| defensive operation | Defensive operations that developers use to prevent bugs in security-sensitive contexts (e.g., kfree, clk_put, and null-pointer checks). |
| security-sensitive behaviors | Behaviors that are inherently error-prone and require proper handling, as improper or missing handling may lead to security bugs. |
| defensive pattern | Characterizes security-sensitive behaviors and their corresponding defensive operations within a defensive code snippet. |
| bug auditing | Uses mined defensive patterns to detect inconsistent handling of security-sensitive behaviors across similar functions. |
As shown in the figure, BugAuditor detects potential bugs by finding inconsistent defensive handling in similar security-sensitive contexts.
The process can be summarized as follows:
| Stage | Core task | Output |
|---|---|---|
| Defensive code collecting | Collect defensive code snippets around seed defensive operations, and expand to related project-specific defensive operations when needed. | A curated set of defensive code snippets. |
| Defensive pattern reasoning | Infer defensive patterns that connect security-sensitive behaviors with corresponding defensive operations from collected snippets. | Inferred defensive patterns describing. |
| Bug auditing | Apply inferred patterns to comparable functions and detect inconsistent defensive handling. | Bug reports with explanations. |
BugAuditor
├── scripts/user/ # user-facing wrappers
├── scripts/core/ # core pipeline entry points
├── prompts/ # prompts used by the pipeline
├── config.json # source paths and LLM settings
├── artifact/ # artifact-evaluation scripts and reference data
├── src/utils/ # internal analysis helpers
├── paper/ # paper PDF
├── INSTALL.md
└── AE.md
- Build and enter the Docker image:
docker build -t bugauditor .
docker run -it bugauditor-
Download or clone your project source code to a local directory.
-
Edit config.json with the source path and your LLM endpoint.
-
Check the setup for your repo.
bash scripts/user/check_setup.sh <repo>Use repo key linux and defensive operation clk_put.
- Run defensive pattern reasoning.
# linux: repo key configured in config.json
# clk_put: seed defensive operation to mine
# --workers 8: parallel workers
bash scripts/user/mine_patterns.sh linux clk_put --workers 8This writes mined patterns to:
artifact/results/user/linux/clk_put/inferred_patterns.json- Run bug auditing with inferred pattern file.
For a fast example, use the packaged clk_put pattern file:
# --pattern-file: inferred defensive patterns
# --pattern-limit n: use at most the first n patterns from the file
# --candidate-limit n: audit at most n comparable functions per pattern
bash scripts/user/audit_bugs.sh linux clk_put \
--pattern-file artifact/r_bug_auditing/reference/patterns/clk_put.parsed.json \
--pattern-limit 30 \
--candidate-limit 10 \
--workers 8If you ran Step 1 and want to use the newly mined patterns instead, pass that file explicitly:
bash scripts/user/audit_bugs.sh linux clk_put \
--pattern-file artifact/results/user/linux/clk_put/inferred_patterns.json \
--pattern-limit 30 \
--candidate-limit 10 \
--workers 8Main output:
artifact/results/user/linux/clk_put/bug_reports.json
Reference files for checking the example:
- Mined patterns: inferred_defensive_patterns.json
- Example bug reports: bug_reports_clk_put.json
OpenSSL follows the same workflow.
First make sure config.json:program_paths.openssl points to the OpenSSL source tree:
bash scripts/user/check_setup.sh opensslTo mine patterns:
bash scripts/user/mine_patterns.sh openssl OPENSSL_free --workers 8To run a quick audit with a packaged pattern file:
bash scripts/user/audit_bugs.sh openssl OPENSSL_free \
--pattern-file artifact/cross_project/reference/patterns/openssl_OPENSSL_free_patterns.json \
--pattern-limit 30 \
--candidate-limit 10 \
--workers 8Packaged pattern file: openssl_OPENSSL_free_patterns.json
- Add your project path to config.json.
{
"program_paths": {
"my_project": "/workspace/BugAuditor/source/my_project"
}
}- Check the setup:
bash scripts/user/check_setup.sh my_project- Mine patterns for the defensive operation you want to audit:
bash scripts/user/mine_patterns.sh my_project <defensive_operation> --workers 8- Audit with an explicit pattern file:
bash scripts/user/audit_bugs.sh my_project <defensive_operation> \
--pattern-file artifact/results/user/my_project/<defensive_operation>/inferred_patterns.json \
--pattern-limit 30 \
--candidate-limit 10 \
--workers 8If you encounter any issues or have suggestions, we would be grateful for your feedback. Please feel free to contact the authors. Email: linmq006@gmail.com
