Survey on Automated Vulnerability Repair

    Abstract:

    Software vulnerabilities are security defects in computer software systems that threaten the integrity, security, and reliability of modern software and application data. Manual vulnerability management is time-consuming and error-prone, so researchers have proposed a variety of automated vulnerability management schemes to address its challenges; among these, automated vulnerability repair has recently attracted wide attention. Automated vulnerability repair consists of three main functions: vulnerability cause localization, patch generation, and patch validation, and it aims to assist developers in repairing vulnerabilities. Existing work lacks a systematic classification and discussion of vulnerability repair technology. To this end, this study gives a comprehensive account of the theory, practice, applicable scenarios, advantages, and disadvantages of existing vulnerability repair methods and technologies, and presents a survey of automated vulnerability repair technologies, so as to promote the development of vulnerability repair technologies and deepen researchers' understanding of vulnerability repair problems. The main contents of the study are: (1) sorting out and summarizing the repair methods for specific and general vulnerabilities according to vulnerability type; (2) classifying and summarizing the different repair methods by technical principle; (3) summarizing the main challenges of vulnerability repair; and (4) looking into future directions for vulnerability repair.

Citation:

Xu TT, Liu K, Xia X. Survey on automated vulnerability repair. Ruan Jian Xue Bao/Journal of Software, 2024, 35(1): 136–158 (in Chinese).
History
  • Received: January 17, 2022
  • Revised: May 15, 2022
  • Online: June 14, 2023
  • Published: January 06, 2024
Copyright: Institute of Software, Chinese Academy of Sciences. Beijing ICP No. 05046678-4