Using Safety Properties to Generate Vulnerability Patches

Security vulnerabilities are among the most critical software defects in existence. When identified, programmers aim to produce patches that prevent the vulnerability as quickly as possible, motivating the need for automatic program repair (APR) methods to generate patches automatically. Unfortunately, most current APR methods fall short because they approximate the properties necessary to prevent the vulnerability using examples. Approximations result in patches that either do not fix the vulnerability comprehensively, or may even introduce new bugs. Instead, we propose property-based APR, which uses human-specified, program-independent and vulnerability-specific safety properties to derive source code patches for security vulnerabilities. Unlike properties that are approximated by observing the execution of test cases, such safety properties are precise and complete. The primary challenge lies in mapping such safety properties into source code patches that can be instantiated into an existing program. To address this challenge, we propose Senx, which, given a set of safety properties and a single input that triggers the vulnerability, detects the safety property violated by the vulnerability input and generates a corresponding patch that enforces the safety property and thus removes the vulnerability. Senx solves several challenges of property-based APR: it identifies the program expressions and variables that must be evaluated to check safety properties and identifies the program scopes where they can be evaluated, it generates new code to selectively compute the values it needs if calling existing program code would cause unwanted side effects, and it uses a novel access range analysis technique to avoid placing patches inside loops where they could incur performance overhead.
Our evaluation shows that the patches generated by Senx successfully fix 32 of 42 real-world vulnerabilities from 11 applications including various tools or libraries for manipulating graphics/media files, a programming language interpreter, a relational database engine, a collection of programming tools for creating and managing binary programs, and a collection of basic file, shell, and text manipulation tools.
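The following is an added illustration of the patch shape the abstract describes, written for this page and not taken from the paper or from the Senx tool. It uses a constructed, hypothetical image-decoder routine (`decode_row_*`, `ROW_PIXELS`, `access_range_ok` are all invented names): a program-independent safety property for buffer writes (every written index lies below the buffer capacity) is stated once as a predicate, the vulnerable "before" form trusts a header-supplied count, and the patched "after" form enforces the property at the scope where both the count and the capacity are available. Because the loop's access range is `[0, count)`, the per-element property collapses to a single `count <= capacity` check that sits before the loop rather than inside its body, which is the placement goal the abstract attributes to access range analysis.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Row buffer of a hypothetical (constructed) image decoder. */
#define ROW_PIXELS 16

struct row { uint8_t px[ROW_PIXELS]; };

/* Safety property, stated independently of any program: a write to
   element i of a buffer requires 0 <= i < capacity. For a loop that
   writes elements 0..count-1 the access range is [0, count), so the
   property for the whole loop is `count <= capacity` and can be
   evaluated once before the loop instead of once per iteration. */
bool access_range_ok(size_t count, size_t capacity) {
    return count <= capacity;
}

/* BEFORE: the vulnerable form. `count` comes straight from the input
   file's header. A header whose count exceeds ROW_PIXELS makes the loop
   write past r->px. Kept only as the reference point for the patched
   version; it is never called below. */
void decode_row_unpatched(struct row *r, const uint8_t *src, size_t count) {
    for (size_t i = 0; i < count; i++)
        r->px[i] = (uint8_t)(src[i] ^ 0xFF);   /* "decode" = invert the sample */
}

/* AFTER: the same routine with the safety property enforced. The check
   is placed where `count` and the capacity are both in scope and before
   the loop, so the loop body itself is unchanged. Returns the number of
   pixels written; 0 means the row was rejected. */
size_t decode_row_patched(struct row *r, const uint8_t *src, size_t count) {
    if (!access_range_ok(count, ROW_PIXELS))
        return 0;                               /* property violated: refuse the input */
    for (size_t i = 0; i < count; i++)
        r->px[i] = (uint8_t)(src[i] ^ 0xFF);
    return count;
}

/* Constructed inputs: a benign row that fits, and a "triggering" header
   whose count is larger than the row buffer. */
size_t run_benign(void) {
    struct row r;
    uint8_t src[ROW_PIXELS];
    memset(src, 0x0F, sizeof src);
    return decode_row_patched(&r, src, ROW_PIXELS);   /* 16 pixels written */
}

size_t run_trigger(void) {
    struct row r;
    uint8_t src[64];
    memset(src, 0x0F, sizeof src);
    return decode_row_patched(&r, src, sizeof src);   /* 0: rejected before the loop */
}

/* Shows that the patched path still decodes normal input. */
int decoded_first_pixel(void) {
    struct row r;
    uint8_t src[ROW_PIXELS];
    memset(src, 0x0F, sizeof src);
    decode_row_patched(&r, src, ROW_PIXELS);
    return r.px[0];                                   /* 0x0F ^ 0xFF = 0xF0 = 240 */
}
```

Note that the predicate `access_range_ok` carries no knowledge of the decoder; only the call site binds it to the program's own variables, which is the separation between a reusable safety property and its instantiation that the abstract relies on.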
