DOI: 10.1145/3533767.3534387 (research article, ISSTA conference proceedings)

Program vulnerability repair via inductive inference

Published: 18 July 2022

Abstract

Program vulnerabilities, even when detected and reported, are not fixed immediately. The time lag between the reporting and fixing of a vulnerability causes open-source software systems to suffer from significant exposure to possible attacks. In this paper, we propose a counter-example guided inductive inference procedure over program states to define likely invariants at possible fix locations. The likely invariants are constructed via mutation over states at the fix location, which turns out to be more effective for inductive property inference, as compared to the usual greybox fuzzing over program inputs. Once such likely invariants, which we call patch invariants, are identified, we can use them to construct patches via simple patch templates. Our work assumes that only one failing input (representing the exploit) is available to start the repair process. Experiments on the VulnLoc data-set of 39 vulnerabilities, which has been curated in previous works on vulnerability repair, show the effectiveness of our repair procedure. As compared to proposed approaches for vulnerability repair such as CPR or SenX which are based on concolic and symbolic execution respectively, we can repair significantly more vulnerabilities. Our results show the potential for program repair via inductive constraint inference, as opposed to generating repair constraints via deductive/symbolic analysis of a given test-suite.



Published In

ISSTA 2022: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2022
808 pages
ISBN:9781450393799
DOI:10.1145/3533767
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Automated program repair
  2. Inductive inference
  3. Snapshot fuzzing

Conference

ISSTA '22

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Article Metrics

  • Downloads (Last 12 months)181
  • Downloads (Last 6 weeks)15
Reflects downloads up to 22 Feb 2025

Cited By

  • (2025) LineJLocRepair: A line-level method for Automated Vulnerability Repair based on joint training. Future Generation Computer Systems 166, 107671. DOI 10.1016/j.future.2024.107671. Online publication date: May 2025.
  • (2024) Security Analysis of Large Language Models on API Misuse Programming Repair. International Journal of Intelligent Systems 2024. DOI 10.1155/2024/7135765. Online publication date: 1 Jan 2024.
  • (2024) EffFix: Efficient and Effective Repair of Pointer Manipulating Programs. ACM Transactions on Software Engineering and Methodology 34(3), 1–27. DOI 10.1145/3705310. Online publication date: 21 Nov 2024.
  • (2024) Evolving Paradigms in Automated Program Repair: Taxonomy, Challenges, and Opportunities. ACM Computing Surveys 57(2), 1–43. DOI 10.1145/3696450. Online publication date: 10 Oct 2024.
  • (2024) VulAdvisor: Natural Language Suggestion Generation for Software Vulnerability Repair. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 1932–1944. DOI 10.1145/3691620.3695555. Online publication date: 27 Oct 2024.
  • (2024) iSMELL: Assembling LLMs with Expert Toolsets for Code Smell Detection and Refactoring. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 1345–1357. DOI 10.1145/3691620.3695508. Online publication date: 27 Oct 2024.
  • (2024) A Case Study of LLM for Automated Vulnerability Repair: Assessing Impact of Reasoning and Patch Validation Feedback. Proceedings of the 1st ACM International Conference on AI-Powered Software, 103–111. DOI 10.1145/3664646.3664770. Online publication date: 10 Jul 2024.
  • (2024) Out of Sight, Out of Mind: Better Automatic Vulnerability Repair by Broadening Input Ranges and Sources. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1–13. DOI 10.1145/3597503.3639222. Online publication date: 20 May 2024.
  • (2024) Pre-Trained Model-Based Automated Software Vulnerability Repair: How Far are We? IEEE Transactions on Dependable and Secure Computing 21(4), 2507–2525. DOI 10.1109/TDSC.2023.3308897. Online publication date: Jul 2024.
  • (2023) A Survey of Learning-based Automated Program Repair. ACM Transactions on Software Engineering and Methodology 33(2), 1–69. DOI 10.1145/3631974. Online publication date: 23 Dec 2023.
