FSE2025

VulPA: Detecting Semantically Recurring Vulnerabilities with Multi-object Typestate Analysis

Liqing Cao, Haofeng Li, Chenghang Shi, Jie Lu, Haining Meng, Lian Li, Jingling Xue

Abstract

Detecting semantically recurring vulnerabilities, i.e., vulnerabilities that share a root cause but differ in their code, remains a challenge due to the complex interactions between multiple variables. This paper introduces VulPA, a novel approach for precisely identifying such vulnerabilities through complex inter-procedural data and control flows across multiple objects. VulPA tackles this challenge in two steps: 1) defining root causes with a Vulnerability Pattern Description Language (VPDL) that specifies variable relations and bug-triggering operations, and 2) detecting these patterns using an inter-procedural multi-object analysis that tracks dataflows and variable interactions. Built on the Heros IFDS framework, VulPA was evaluated on 26 Java applications using rules derived from 34 CVEs. It identified 90 new vulnerabilities with a 23.7% false positive rate, outperforming existing tools (ReDeBug, VUDDY, SourcererCC, PHunter, PPT4J, FlowDroid, and IDEal), which collectively found only 13. VulPA effectively uncovers complex vulnerabilities missed by state-of-the-art tools.
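To make the "multi-object" part of the abstract concrete, here is an added toy illustration; it is not VulPA's code, not VPDL syntax, and not its Heros/IFDS implementation. The three-address IR, the `Obj` abstraction, the rule table and the three constructed programs are all assumptions. The rule encodes a simplified path-traversal pattern: a `File` built from a directory and an untrusted archive entry name must be checked against the *same* directory object before it is written. A single-object typestate ("was `check` called on this file?") would accept a check against an unrelated directory; the relation `file.base is dir` is what the multi-object rule adds. The analysis is inter-procedural by evaluating callees with their arguments bound, which is why the check inside `validate` is visible to the caller.

```python
"""Toy multi-object typestate analysis over a tiny inter-procedural IR (assumed, for illustration).

Each statement is a tuple:
  ("new",  dst, kind)          allocate an object of `kind`
  ("op",   dst, name, args)    built-in operation; dst may be None
  ("call", dst, callee, args)  call another procedure in the program
  ("ret",  src)                return src to the caller
Straight-line bodies only: no branches, loops or path sensitivity.
"""


class Obj:
    """Abstract object: a typestate plus a relation to the object it was built from."""

    def __init__(self, kind, state, base=None):
        self.kind, self.state, self.base = kind, state, base


# Rule (constructed): a File joined from a Dir and an untrusted name starts
# "unchecked"; only a check against the SAME Dir object moves it to "checked".
def op_entry_name(zipobj):
    return Obj("Str", "untrusted")


def op_join(d, name):
    state = "unchecked" if name.state == "untrusted" else "safe"
    return Obj("File", state, base=d)


def op_check(f, d):
    if f.base is d:  # multi-object relation: same directory the file was built from
        f.state = "checked"
    return None


OPS = {"entryName": op_entry_name, "join": op_join, "check": op_check}
SINKS = {"write": ("File", "unchecked")}  # op name -> (kind, state that triggers a report)


def analyze(program, entry, max_depth=8):
    """Return a list of findings for `entry`; callees are evaluated with bound arguments."""
    findings = []

    def run(proc, args, depth):
        env = dict(zip(program[proc]["params"], args))
        for i, stmt in enumerate(program[proc]["body"]):
            tag = stmt[0]
            if tag == "new":
                env[stmt[1]] = Obj(stmt[2], "init")
            elif tag == "op":
                _, dst, name, avars = stmt
                objs = [env[a] for a in avars]
                if name in SINKS:
                    kind, bad = SINKS[name]
                    if objs[0].kind == kind and objs[0].state == bad:
                        findings.append(f"{proc}:{i} {name}({avars[0]}) on {bad} {kind}")
                elif name in OPS:
                    res = OPS[name](*objs)
                    if dst is not None:
                        env[dst] = res
            elif tag == "call":
                _, dst, callee, avars = stmt
                if depth < max_depth:  # crude recursion bound
                    res = run(callee, [env[a] for a in avars], depth + 1)
                    if dst is not None:
                        env[dst] = res
            elif tag == "ret":
                return env[stmt[1]]
        return None

    run(entry, [], 0)
    return findings


# Constructed sample program: one helper and three entry points.
PROGRAM = {
    "validate": {"params": ["f", "d"],
                 "body": [("op", None, "check", ["f", "d"]), ("ret", "f")]},
    # no check at all
    "unsafe": {"params": [], "body": [
        ("new", "dir", "Dir"), ("new", "zip", "Zip"),
        ("op", "name", "entryName", ["zip"]),
        ("op", "file", "join", ["dir", "name"]),
        ("op", None, "write", ["file"])]},
    # checked, but against a different directory object
    "wrong_dir": {"params": [], "body": [
        ("new", "dir", "Dir"), ("new", "other", "Dir"), ("new", "zip", "Zip"),
        ("op", "name", "entryName", ["zip"]),
        ("op", "file", "join", ["dir", "name"]),
        ("call", "file2", "validate", ["file", "other"]),
        ("op", None, "write", ["file2"])]},
    # checked against the same directory, inside a callee
    "safe": {"params": [], "body": [
        ("new", "dir", "Dir"), ("new", "zip", "Zip"),
        ("op", "name", "entryName", ["zip"]),
        ("op", "file", "join", ["dir", "name"]),
        ("call", "file2", "validate", ["file", "dir"]),
        ("op", None, "write", ["file2"])]},
}

if __name__ == "__main__":
    for entry in ("unsafe", "wrong_dir", "safe"):
        print(entry, analyze(PROGRAM, entry))
```

The `wrong_dir` case is the one a per-object typestate check misses: the file does receive a `check` call, but against `other`, so under the relation-aware rule it stays `unchecked` and the `write` is reported. Real analyses of this kind additionally need aliasing, branch and loop handling, and summaries for callees, which is the part IFDS-style frameworks such as Heros provide and this toy omits.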