2024 IEEE Conference on Software Testing, Verification and Validation (ICST)

Abstract

Vulnerability root cause analysis (RCA) is a crucial step following the discovery of vulnerabilities. When faced with a multitude of crashes resulting from fuzzing, effective RCA results can help developers swiftly identify and fix the root causes of vulnerabilities. Recently, some methods that rely on statistical behavioral differences to analyze the root causes of vulnerabilities have been introduced. However, they suffer from high time costs, strong randomness, and imprecise results, rendering them impractical for real-world applications. In this paper, we propose an efficient and accurate statistical-analysis-based vulnerability RCA approach named RCLocator. We introduce an enhanced sanitizer-based crash information tuple extraction tool to ensure crash consistency while the original files are mutated. This reduces the time cost of the data augmentation stage and improves the accuracy of RCA. Furthermore, it provides developers with effective explanations for root cause predicates. We evaluate our approach on RCABench and real-world vulnerabilities. The results indicate that RCLocator significantly outperforms state-of-the-art methods: the probability of obtaining correct root cause analysis results increases by 46.7%, and it is 9.0 times faster.
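As an added illustration (not RCLocator's tool or the paper's code) of the two ideas the abstract names: extracting a crash information tuple from a sanitizer report so that mutated inputs can be checked for crash consistency with the original, and ranking candidate root cause predicates by how their occurrence differs between crashing and non-crashing runs. The reports, frames and predicate names are constructed samples; the tuple layout (sanitizer, bug type, top frames) and the scoring rule are assumptions of this example.

```python
import re

# Constructed sample sanitizer reports (not output of any real program).
ORIGINAL_REPORT = """\
==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018
READ of size 1 at 0x602000000018 thread T0
    #0 0x4f1a2b in parse_header src/parser.c:88
    #1 0x4f0c10 in parse_file src/parser.c:142
    #2 0x4e9f3d in main src/main.c:31
"""
CONSISTENT_MUTANT = """\
==1240==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001c
READ of size 1 at 0x60200000001c thread T0
    #0 0x4f1a2b in parse_header src/parser.c:88
    #1 0x4f0c10 in parse_file src/parser.c:142
    #2 0x4e9f3d in main src/main.c:31
"""
DIFFERENT_MUTANT = """\
==1241==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    #0 0x4f2200 in emit_record src/writer.c:54
    #1 0x4e9f3d in main src/main.c:33
"""

ERROR_RE = re.compile(r"ERROR: (\w+Sanitizer): ([\w-]+)")
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")

def extract_crash_tuple(report, depth=3):
    """Return (sanitizer, bug_type, top frames) or None if no crash was reported.
    Frames keep only function and file:line, so pid and address noise is dropped."""
    m = ERROR_RE.search(report)
    if m is None:
        return None
    frames = tuple((fn, loc) for _, fn, loc in FRAME_RE.findall(report)[:depth])
    return (m.group(1), m.group(2), frames)

def is_consistent(original, mutant):
    """A mutated input preserves the crash only if its tuple equals the original's."""
    o, m = extract_crash_tuple(original), extract_crash_tuple(mutant)
    return o is not None and o == m

def rank_predicates(runs):
    """runs: list of (crashed_consistently, set of predicates observed in that run).
    Score = P(pred | crash) - P(pred | no crash); a higher score better explains the crash."""
    crash = [p for ok, p in runs if ok]
    clean = [p for ok, p in runs if not ok]
    preds = set().union(*[p for _, p in runs])
    def rate(group, pred):
        return sum(pred in p for p in group) / len(group) if group else 0.0
    return sorted(((rate(crash, q) - rate(clean, q), q) for q in preds), reverse=True)
```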