Beyond Tests
Autor: | Gregory J. Duck, Bo Wang, Abhik Roychoudhury, Yingfei Xiong, Ruyi Ji, Xiang Gao |
---|---|
Rok vydání: | 2021 |
Předmět: |
Correctness
Exploit Computer science business.industry 020207 software engineering Crash 02 engineering and technology Overfitting Machine learning computer.software_genre Symbolic execution Constraint (information theory) 020204 information systems 0202 electrical engineering electronic engineering information engineering Test suite Benchmark (computing) Artificial intelligence business computer Software |
Zdroj: | ACM Transactions on Software Engineering and Methodology. 30:1-27 |
ISSN: | 1557-7392 1049-331X |
DOI: | 10.1145/3418461 |
Popis: | Automated program repair is an emerging technology that seeks to automatically rectify program errors and vulnerabilities. Repair techniques are driven by a correctness criterion that is often in the form of a test suite. Such test-based repair may produce overfitting patches, where the patches produced fail on tests outside the test suite driving the repair. In this work, we present a repair method that fixes program vulnerabilities without the need for a voluminous test suite. Given a vulnerability as evidenced by an exploit, the technique extracts a constraint representing the vulnerability with the help of sanitizers. The extracted constraint serves as a proof obligation that our synthesized patch should satisfy. The proof obligation is met by propagating the extracted constraint to locations that are deemed to be “suitable” fix locations. An implementation of our approach (E xtract F ix ) on top of the KLEE symbolic execution engine shows its efficacy in fixing a wide range of vulnerabilities taken from the ManyBugs benchmark, real-world CVEs and Google’s OSS-Fuzz framework. We believe that our work presents a way forward for the overfitting problem in program repair by generalizing observable hazards/vulnerabilities (as constraint) from a single failing test or exploit. |
Databáze: | OpenAIRE |
Externí odkaz: |