
Finding More Zero Days Through Variant Analysis

Blog post from Semgrep

Post Details

Company: Semgrep
Author: Eugene Lim
Word Count: 4,494
Language: English
Summary

Vulnerability research has become considerably harder as developers adopt robust system-level mitigations and write more secure code, so researchers must invest significant time and expertise to discover impactful vulnerabilities. Automated tools like Semgrep help analyze large codebases, but manual triage and an understanding of context remain essential for confirming true vulnerabilities, because code that looks unsafe in isolation may be mitigated by a check elsewhere. Researchers often start from patched code diffs and public vulnerability advisories, such as CVE records, on the premise that the same mistake may recur elsewhere in the code, that a patch may be incomplete, and that a vulnerability can re-emerge if it was not thoroughly addressed. A case study on Expat, a C library for parsing XML files, illustrates this process: the author identifies integer overflow vulnerabilities and then writes Semgrep rules to look for variants. Despite obstacles such as limited information and parsing errors, the approach lets researchers find and understand vulnerabilities by analyzing code patterns, testing hypotheses, and iteratively refining their detection rules while balancing the trade-off between false positives and false negatives.