Software Vulnerability Repair
COM2 Level 4
Executive Classroom, COM2-04-02
A software security patch is a developer's fix for a particular class of bug, a security vulnerability, and it protects the software against exploitation by malicious users. Automatically generating security patches is a long-standing need in practice. The problem is not limited to producing a fix for the identified vulnerability itself: it may also require generalizing that fix so that it can be ported to similar variants of the vulnerability that exist in other software systems.
This work introduces a series of cohesive techniques, tightly coupled towards the goal of generating zero-day patches (patches available as soon as a vulnerability is identified) for software security vulnerabilities. First, we study the challenges impeding trusted program repair, specifically the trustworthiness of auto-generated patches. Drawing on the insights of that study, we next propose "compilation-free repair" to boost the performance of existing state-of-the-art generate-and-validate repair techniques. Third, we propose a novel program repair technique named `concolic program repair`, which integrates a user-provided program specification to guide the repair towards the correct patch while efficiently navigating a large search space; in doing so, it also provides additional assurance of patch correctness by generating additional test cases. Fourth, inspired by program synthesis techniques, we propose a novel transformation rule synthesis algorithm that produces properly generalized transformation rules for automatically backporting trusted patches to older versions of the same software. Finally, we propose a code transplantation technique to repair semantically equivalent programs that are likely to exhibit a similar variant of the identified vulnerability.
We perform a comprehensive set of experiments on reported security vulnerabilities in real-world applications, including the Linux kernel, subjects from Google's OSS-Fuzz framework and other popular large-scale software applications. Our experiments show that the proposed techniques advance the state of the art in program repair and address the challenges of generating zero-day patches for software security vulnerabilities. The proposed techniques should serve a long-standing need in practice.