🤖 AI Summary
Traditional CVE descriptions often fail to accurately capture security vulnerabilities in highly configurable C/C++ systems that affect only specific compilation variants. This work proposes a formal model of Vulnerability Impact Conditions (VIC) and PatchLens, a static analysis technique that automatically generates concise, human-readable configuration-level impact predicates without requiring compilation. By aligning patches at the AST level, matching source-code configuration conditions, and performing lightweight build analysis, the approach precisely identifies the minimal set of configuration options governing vulnerability presence. Evaluation on 1,581 patches from the Linux kernel, FFmpeg, and PHP shows that generated VICs typically involve only one to three configuration variables, revealing that most vulnerabilities are not globally present. In contrast, existing CVE records exhibit less than 1% recall in capturing such configuration dependencies. The method readily supports CI integration, targeted fuzzing, and feature-specific risk assessment.
📝 Abstract
We study how security patches in highly configurable C/C++ systems map onto the space of compile-time variants. We formalize the Vulnerability Impact Condition (VIC) - a Boolean predicate over configuration options that denotes all variants that contained the original flaw - and introduce PatchLens, a purely static technique that recovers VICs by aligning AST-level patch hunks with source-level presence conditions and resolving file inclusion via lightweight build system analysis. Evaluating PatchLens on 1,192 Linux kernel, 289 FFmpeg, and 100 PHP patches, we compute precise, human-readable VICs without the need to compile any system variant. The resulting predicates are compact (avg. 1.84 variables for Linux, 3.23 for FFmpeg, 1.04 for PHP) and show that only a small fraction of vulnerabilities are system-wide, which carry higher CVSS scores; meanwhile, CVE texts almost never encode the required options ($\approx$ 1% average recall), motivating automated enrichment of CVE descriptions with VICs. PatchLens and the accompanying dataset enable immediate applications in CI (variant-aware triage and test selection), targeted sampling and fuzzing, and feature risk scoring, offering a scalable, explainable path to vulnerability assessment in highly configurable software.