🤖 AI Summary
This work addresses the longstanding challenge in open-source vulnerability datasets—namely, the difficulty of simultaneously achieving reproducibility, scale, and diversity, with reproducibility often compromised to the detriment of automated security research. The authors propose a systematic reproduction framework that integrates version control, automated build and trigger mechanisms, and automatic patch identification. Applying this framework to OSS-Fuzz, they construct ARVO, the first large-scale, reproducible vulnerability dataset comprising over 6,100 real-world vulnerabilities across 311 projects. ARVO enables consistent rebuilds, interactive triggering, and precise patch localization with 89.4% accuracy, achieving an overall reproduction rate of 81%. This significantly enhances the practical utility and research scalability of vulnerability data for security analysis.
📝 Abstract
Achieving reproducibility, quantity, and diversity in vulnerability datasets has long been viewed as an inherent three-way trade-off, where improving one dimension often comes at the cost of the others. In practice, reproducibility has been the dimension most often neglected. This has limited what can be automatically extracted from historical bug datasets, and has reduced their utility for downstream security research.
In this work, we propose a method to produce a new security dataset which ensures reproducibility for diverse vulnerabilities at scale by identifying the key obstacles to large-scale bug reproduction and addressing them with general solutions. Using this method, we introduce full reproducibility to the largest open source software vulnerability dataset (OSS-Fuzz) and construct the ARVO dataset (an Atlas of Reproducible Vulnerabilities in Open-source software). ARVO is a large-scale dataset consisting of over 6,100 real-world vulnerabilities across 311 projects. Focusing on reproducibility, ARVO differs from existing datasets by providing each vulnerability in a form that can be consistently rebuilt, triggered, and analyzed across versions. Reproducibility also enables automatic identification of the corresponding patch for each vulnerability and supports direct interaction with vulnerabilities after code changes, capabilities that existing large-scale datasets do not provide. In our evaluation, ARVO successfully reproduces 81% of vulnerabilities and achieves 89.4% accuracy on the located patches. We also discuss ARVO's influence on both upstream practices and downstream security research.