A Survey on Automated Vulnerability Repair
    Abstract:

    Software vulnerabilities are a special kind of defect that threatens the completeness, security and reliability of computer systems. To date, developers deal with software vulnerabilities manually, which is a tedious, time-consuming, error-prone, and challenging task. To increase the automation of vulnerability handling, automated vulnerability repair has become a popular research topic in academia. Automated vulnerability repair consists of three main processes: vulnerability localization, patch generation, and patch validation, and aims to release developers from the heavy burden of addressing vulnerabilities. To this end, researchers have explored a variety of approaches to vulnerability repair. To build comprehensive knowledge of vulnerability repair for practitioners, we conducted a systematic survey to illustrate the theory, design and implementation of different vulnerability repair approaches. This survey makes the following contributions: (1) a taxonomy of vulnerability repair covering specific and general vulnerability types; (2) a classification and summary of the different repair approaches based on their technical principles; (3) a discussion of the challenges of vulnerability repair; and (4) a discussion of future research topics in vulnerability repair.

History
  • Received: January 17, 2022
  • Revised: October 12, 2022
  • Adopted: November 15, 2022
Copyright: Institute of Software, Chinese Academy of Sciences. Beijing ICP No. 05046678-4
Address: 4# South Fourth Street, Zhong Guan Cun, Beijing 100190, Postal Code: 100190
Phone: 010-62562563 Fax: 010-62562533 Email: jos@iscas.ac.cn