My coauthors and I will be presenting the paper "VerDiff: Vulnerability Presence Verification for Comprehensive Reporting Using Constraint Programming" at the Annual Computer Security Applications Conference (ACSAC) in December. Below is a preview of the abstract:
Security practitioners often rely on a collaborative ecosystem of analysts and authorities to publicly disclose and track program vulnerabilities. Central to these disclosures is the list of affected program versions, which stakeholders depend on to assess their security posture and plan appropriate responses. It is vital that these lists be accurate and exhaustive, because 81.5% of industry systems rely on outdated dependencies and the average time to develop a patch is 256 days. Unfortunately, existing solutions for determining affected program versions do not scale to analyzing the entire release history. This paper presents VerDiff, a framework that leverages a novel payload-guided, semantically enriched signature isomorphism matching designed specifically for swift, comprehensive vulnerability detection across all versions of a software program. Using the initial vulnerable version found by an analyst and their crafted triggering input, VerDiff formulates a distinct multi-level signature grounded in a strong correlation between dynamic binary analysis and source code signature matching, enabling rapid high-level triage while accounting for nuanced low-level behaviors. Evaluated on 27 CVEs spanning 11 programs, VerDiff correctly pinpoints 265 misclassifications contained in official advisories.