SoK: Towards Effective Automated Vulnerability Repair

July 2025
Cite Code Dataset Video Source Document

Abstract

The increasing prevalence of software vulnerabilities necessitates automated vulnerability repair (AVR) techniques. This Systematization of Knowledge (SoK) provides a comprehensive overview of the AVR landscape, encompassing both synthetic and real-world vulnerabilities. Through a systematic literature review and quantitative benchmarking across diverse datasets, methods, and strategies, we establish a taxonomy of existing AVR methodologies, categorizing them into template-guided, search-based, constraint-based, and learning-driven approaches. We evaluate the strengths and limitations of these approaches, highlighting common challenges and practical implications. Our comprehensive analysis of existing AVR methods reveals a diverse landscape with no single ``best’’ approach. Learning-based methods excel in specific scenarios but lack complete program understanding, and both learning and non-learning methods face challenges with complex vulnerabilities. Additionally, we identify emerging trends and propose future research directions to advance the field of AVR. This SoK serves as a valuable resource for researchers and practitioners, offering a structured understanding of the current state-of-the-art and guiding future research and development in this critical domain.

Type
Conference paper
Publication
In 34th USENIX Security Symposium (USENIX Security)
Click the Cite button above to demo the feature to enable visitors to import publication metadata into their reference management software.
Create your slides in Markdown - click the Slides button to check out the example.

Add the publication’s full text or supplementary notes here. You can use rich formatting such as including code, math, and images.

Faysal Hossain Shezan
Faysal Hossain Shezan
PhD Student grad in 2023

I am an assistant professor at the University of Texas at Arlington. My research focus on the intersection of security & privacy with cyber-physical systems, medical healthcare, software engineering, and machine learning. I am especially interested in data-driven security and privacy analysis in cross-platform interaction of emerging systems and platforms. The goal of my research is to measure the attack surface of the IoT platforms, analyze privacy leakages among inter-connected home automation applications, privacy leakages in medical healthcare, and investigate the enforcement of privacy policies. My work has been published in several top tier security & privacy and system conferences, including- NDSS, UBICOMP/IMWUT, WWW, PoPETs, SOUPS. My research findings are acknowledged by several well-known companies (such as., Google) and resulted in the publishing of several CVEs. I am fortunate to receive a few awards and recognition during his Ph.D., including- CPS Rising Stars, UVA endowed graduate fellowship award, Link Lab outstanding graduate research award, and several travel grants. I received my PhD at University of Virginia (UVA) under the supervision of Professor Yuan Tian in 2023. I interned at Baidu Research (with Dr. Ping Li and Dr. Yingjie Lao). Before joining UVA, I was a software engineer (in security lab) at Kona Software Lab ltd in Bangladesh. I have completed my bachelor’s degree from the Computer Science and Engineering department of Bangladesh University of Engineering and Technology in 2016.