国家自然科学基金(62172214); 江苏省自然科学基金(BK20210279); 数学工程与先进计算国家重点实验室开放基金(2020A06)
软件漏洞是计算机软件系统安全方面的缺陷, 给现代软件及其应用数据的完整性、安全性和可靠性带来巨大威胁. 人工治理漏洞费时且易错, 为了更好应对漏洞治理挑战, 研究者提出多种自动化漏洞治理方案, 其中漏洞自动修复方法近来得到研究者广泛关注. 漏洞自动修复技术旨在辅助开发人员修复漏洞, 涵盖漏洞根因定位、补丁生成、补丁验证等功能. 现有工作缺乏对漏洞修复技术系统性的分类与讨论, 为了促进漏洞修复技术发展, 加深研究人员对漏洞修复问题的认知理解, 对现有漏洞修复方法技术的理论、实践、适用场景和优缺点进行全面洞察, 并撰写了漏洞自动修复技术的研究综述. 主要内容包括: (1)按照修复漏洞类型不同整理归纳特定类型漏洞的修复方法以及通用类型漏洞的修复方法; (2)按照所采用的技术原理将不同修复方法进行分类与总结; (3)归纳漏洞修复主要挑战; (4)展望漏洞修复未来发展方向.
Software vulnerabilities are known as security defects of computer software systems, and they threaten the completeness, security, and reliability of modern software and application data. Artificial vulnerability management is time-consuming and error-prone. Therefore, in order to better deal with the challenges of vulnerability management, researchers have proposed a variety of automated vulnerability management schemes, among which automated vulnerability repair has attracted wide attention from researchers recently. Automated vulnerability repair consists of three main functions: vulnerability cause localization, patch generation, and patch validation, and it aims to assist developers to repair vulnerabilities. The existing work lacks systematic classification and discussion of vulnerability repair technology. To this end, this study gives a comprehensive insight into the theory, practice, applicable scenarios, advantages, and disadvantages of existing vulnerability repair methods and technologies and writes a research review of automated vulnerability repair technologies, so as to promote the development of vulnerability repair technologies and deepen researchers’ cognition and understanding of vulnerability repair problems. The main contents of the study include: (1) sorting out and summarizing the repair methods of specific and general vulnerabilities according to different vulnerability types; (2) classifying and summarizing different repair methods based on technical principles; (3) summarizing the main challenges of vulnerability repair; (4) looking into future development direction of vulnerability repair.