Kun Sun, Professor, Information Sciences and Technology, received funding from the Office of Naval Research for a project focused on reference-based automatic security patch generation.
Sun holds that existing automatic program repair (APR) solutions face two challenges when fixing vulnerable programs. First, the fault localization stage may mark too many potential faulty statements and assign low priority for the true vulnerable ones. Second, it is hard to guarantee the correctness of the generated patches even if they may have passed the given tests (i.e., the overfitting problem). Moreover, previous APR approaches focus more on integrating the invariant to the original condition when the target location is an if, for, or while statement or generating an if-guard, but they cannot fix other types of vulnerabilities such as the double-free or use-after-free that are due to mismatching allocation and deallocation functions.
In this work, Sun proposes to use reference implementations, including both a vulnerable reference code and a patched reference code, for automatically patching a target vulnerable code that semantically implements an equivalent functionality (e.g., quick search vs. linear search).
This work is concentrating on solving three challenging problems: (i) recognizing the types of vulnerabilities; (ii) deciding on the set of components for specific type of vulnerability; and (iii) determining how to synthesize patches for different types of vulnerabilities.
Sun holds that this project will lead to three major benefits, namely, more accurately locating the vulnerable statements in the target program, generating the input-condition for the symbolic execution on target program, and synthesizing/prioritizing the patch templates for the target program. If successful, the developed software system could be used by the Navy to better protect its computer systems against the “0-day” and “N-days” attacks and dramatically increase the security of Navy combat systems by reducing their attack surfaces that are caused by the unknown or unfixed vulnerabilities.
Sun had received an initial amount of $20,000 from the Office of Naval Research for this project.
Funding began in Jan. 2023 and will end in late Dec. 2025, with a total funding amount of $750,000.
About George Mason University
George Mason University is Virginia's largest public research university. Located near Washington, D.C., Mason enrolls 38,000 students from 130 countries and all 50 states. Mason has grown rapidly over the last half-century and is recognized for its innovation and entrepreneurship, remarkable diversity and commitment to accessibility. Learn more at http://www.gmu.edu.