Software Vulnerability Repair
A zero-day patch is a patch for a security vulnerability that is released on the same day the vulnerability is disclosed. Such patches protect against exploitation of known vulnerabilities by malicious users. Zero-day patching is a long-standing requirement in practice, and it is not limited to generating a fix for the identified security vulnerability: it may also require generalizing the fix so that it can be ported to similar variants of the vulnerability that exist in other software systems.
This thesis introduces a series of cohesive techniques tightly coupled towards the goal of generating zero-day patches for identified software security vulnerabilities. First, we study the challenges impeding trusted program repair, specifically the trustworthiness of auto-generated patches. Drawing on the insights of that study, we next propose a novel program repair technique, ``concolic program repair'', which integrates a user-provided program specification to guide the repair towards the correct patch while efficiently navigating a large search space. In doing so, we also provide additional guarantees for the correctness of the generated patches by generating additional test cases. Third, inspired by program synthesis techniques, we propose a novel transformation rule synthesis algorithm that produces properly generalized transformation rules to automatically backport trusted patches to older versions of the same software. Last, we propose a code transplantation technique to repair semantically equivalent programs that are likely to contain a similar variant of the identified vulnerability.
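The following is an added illustration of the idea behind specification-guided repair with test generation; it is not the thesis's implementation of concolic program repair. It assumes a buggy read that indexes a buffer without a bounds check, a small candidate patch space of guard conditions, and a user-provided specification (`0 <= idx < n`) that serves as the oracle for synthesising distinguishing tests. Exhaustive enumeration over a small input domain stands in for the concolic execution a real implementation would use to explore path constraints.

```python
"""Spec-guided patch search with test generation.

Added illustration of the idea behind concolic program repair; this is not the
thesis's implementation. The buggy function indexes a buffer without a bounds
check. The patch space is a family of guard conditions; the existing regression
tests are all in-bounds and cannot tell several candidates apart (patch
overfitting), so a user-provided specification is used as an oracle to
synthesise distinguishing test cases and prune the overfitted candidates.
Enumeration of a small input domain stands in for concolic execution.
"""
from itertools import product

BUF = [10, 20, 30, 40, 50, 60, 70, 80]   # constructed sample buffer
CRASH = "CRASH"                           # marker for an out-of-bounds access


def buggy_read(idx):
    """Unpatched: no bounds check. Negative indices silently wrap in Python."""
    return BUF[idx]


def spec(idx, n):
    """User-provided specification (assumed): a read is valid iff 0 <= idx < n."""
    return 0 <= idx < n


def run(idx, guard):
    """Patch template: `if not GUARD(idx, len(BUF)): reject` before the access."""
    if not guard(idx, len(BUF)):
        return None
    try:
        return BUF[idx]
    except IndexError:
        return CRASH


# Candidate patch space (assumed): guards of the form `LOWER(idx) and UPPER(idx, n)`.
LOWER = {"true": lambda i: True, "idx>=0": lambda i: i >= 0}
UPPER = {"idx<n": lambda i, n: i < n,
         "idx<=n": lambda i, n: i <= n,
         "idx<n-1": lambda i, n: i < n - 1}


def make_candidates():
    cands = {}
    for (ln, lo), (un, up) in product(LOWER.items(), UPPER.items()):
        # default arguments freeze lo/up for each lambda
        cands[f"{ln} and {un}"] = lambda i, n, lo=lo, up=up: lo(i) and up(i, n)
    return cands


# Existing regression tests (constructed): all in-bounds, so they cannot
# distinguish a correct guard from an overfitted one.
EXISTING_TESTS = [(0, 10), (3, 40), (7, 80)]


def expected(idx):
    """Oracle derived from the spec: valid reads return the element, others are rejected."""
    return BUF[idx] if spec(idx, len(BUF)) else None


def passes(guard, tests):
    return all(run(i, guard) == want for i, want in tests)


def generate_tests(guard, domain=range(-3, 12)):
    """Inputs on which the candidate guard disagrees with the specification.
    Each becomes a new test whose expected result comes from the spec."""
    n = len(BUF)
    return [(i, expected(i)) for i in domain if guard(i, n) != spec(i, n)]


def repair():
    """Return (sorted names of surviving candidates, final test suite)."""
    cands = make_candidates()
    survivors = {name: g for name, g in cands.items() if passes(g, EXISTING_TESTS)}
    tests = list(EXISTING_TESTS)
    for g in survivors.values():
        for t in generate_tests(g):
            if t not in tests:
                tests.append(t)
    final = sorted(name for name, g in survivors.items() if passes(g, tests))
    return final, tests


if __name__ == "__main__":
    print("unpatched buggy_read(-1) silently returns", buggy_read(-1))
    final, tests = repair()
    print("candidates passing the original tests:",
          sorted(n for n, g in make_candidates().items() if passes(g, EXISTING_TESTS)))
    print("generated tests:", tests[len(EXISTING_TESTS):])
    print("candidates surviving the generated tests:", final)
```

Four of the six candidate guards pass the original in-bounds tests; the generated tests at the boundaries (`idx = -1` and `idx = 8`) leave only the guard that matches the specification. The same mechanism is what lets a repair tool ship the new tests alongside the patch as evidence for its correctness.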
We perform a comprehensive set of experiments on reported software security vulnerabilities in real-world applications, including the Linux kernel, subjects from Google's OSS-Fuzz framework, and other popular large-scale software applications. Our experiments show that the proposed techniques advance the state of the art in program repair to address the challenges of generating zero-day patches for software security vulnerabilities. Our proposed techniques should serve a long-standing need in practice.