Search papers, labs, and topics across Lattice.
This work addresses the longstanding trade-off between reproducibility, quantity, and diversity in vulnerability datasets by introducing ARVO, a new dataset that ensures full reproducibility for over 6,100 vulnerabilities across 311 open-source projects. By identifying and overcoming key obstacles to large-scale bug reproduction, ARVO allows for consistent rebuilding, triggering, and analysis of vulnerabilities, which enhances its utility for security research. The dataset achieves an impressive 81% reproducibility rate and 89.4% accuracy in locating corresponding patches, marking a significant advancement in vulnerability research.
Reproducibility in vulnerability datasets can now be achieved at scale, with ARVO demonstrating 81% success in reproducing real-world vulnerabilities.
Achieving reproducibility, quantity, and diversity in vulnerability datasets has long been viewed as an inherent three-way trade-off, where improving one dimension often comes at the cost of the others. In practice, reproducibility has been the dimension most often neglected. This has limited what can be automatically extracted from historical bug datasets, and has reduced their utility for downstream security research. In this work, we propose a method to produce a new security dataset which ensures reproducibility for diverse vulnerabilities at scale by identifying the key obstacles to large-scale bug reproduction and addressing them with general solutions. Using this method, we introduce full reproducibility to the largest open source software vulnerability dataset (OSS-Fuzz) and construct the ARVO dataset (an Atlas of Reproducible Vulnerabilities in Open-source software). ARVO is a large-scale dataset consisting of over 6,100 real-world vulnerabilities across 311 projects. Focusing on reproducibility, ARVO differs from existing datasets by providing each vulnerability in a form that can be consistently rebuilt, triggered, and analyzed across versions. Reproducibility also enables automatic identification of the corresponding patch for each vulnerability and supports direct interaction with vulnerabilities after code changes, capabilities that existing large-scale datasets do not provide. In our evaluation, ARVO successfully reproduces 81% of vulnerabilities and achieves 89.4% accuracy on the located patches. We also discuss ARVO's influence on both upstream practices and downstream security research.