Search papers, labs, and topics across Lattice.
This study introduces PatchLens, a static analysis technique that identifies configuration-specific security vulnerabilities in C/C++ systems by formalizing the Vulnerability Impact Condition (VIC). By analyzing 1,192 Linux kernel, 289 FFmpeg, and 100 PHP patches, the authors demonstrate that only a small fraction of vulnerabilities are system-wide, revealing that existing CVE texts often lack the necessary configuration details. The results show that VICs are compact and can significantly enhance vulnerability assessment processes in highly configurable software environments, enabling more effective triage and risk scoring.
Only 1% of CVE texts capture the configuration options needed to understand vulnerabilities, highlighting a critical gap in security documentation that PatchLens addresses.
We study how security patches in highly configurable C/C++ systems map onto the space of compile-time variants. We formalize the Vulnerability Impact Condition (VIC) - a Boolean predicate over configuration options that denotes all variants that contained the original flaw - and introduce PatchLens, a purely static technique that recovers VICs by aligning AST-level patch hunks with source-level presence conditions and resolving file inclusion via lightweight build system analysis. Evaluating PatchLens on 1,192 Linux kernel, 289 FFmpeg, and 100 PHP patches, we compute precise, human-readable VICs without the need to compile any system variant. The resulting predicates are compact (avg. 1.84 variables for Linux, 3.23 for FFmpeg, 1.04 for PHP) and show that only a small fraction of vulnerabilities are system-wide, which carry higher CVSS scores; meanwhile, CVE texts almost never encode the required options ($\approx$ 1% average recall), motivating automated enrichment of CVE descriptions with VICs. PatchLens and the accompanying dataset enable immediate applications in CI (variant-aware triage and test selection), targeted sampling and fuzzing, and feature risk scoring, offering a scalable, explainable path to vulnerability assessment in highly configurable software.