Kedi Shen,Yun Zhang,Lingfeng Bao,Zhiyuan Wan,Zhuorong Li,Minghui Wu

DOI: https://doi.org/10.1109/ICSE-COMPANION58688.2023.00049

2023-01-01

Abstract:With the rapid development of open source projects, the continuous emergence of vulnerabilities in the project brings great challenges to the security of the project. Security patches are one of the best ways to deal with vulnerabilities, but are not well applied currently. Although there are sites like CVE/NVD that provide information about vulnerabilities, many of the vulnerabilities disclosed by CVE/NVD are not accompanied by security patches. This makes it difficult for developers to apply patches. In the present study, a sorting method based on extracting multidimensional features from auxiliary information in CVE/NVD was proposed. And we made a further step, we proposed VCMATCH, a model for mining semantic information in vulnerability description and code commit messages, which has good recall rate and applicability across projects. On this basis, we established Patchmatch, a tool for helping developers to quickly locate patches. Given a vulnerability, Patchmatch can forecast the implicit patches in the code repository's commits. Patchmatch also has a visual webpage for information statistics and a display web page to help developers manage all kinds of information in the code repository. A demo video of Patchmatch is at https://www.youtube.com/watch?v=nOBSMFtZV8A. Patchmatch is in https://github.com/Sklud1456/patchmatch.

Qi Zhan,Xing Hu,Zhiyang Li,Xin Xia,David Lo,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639134

2024-01-01

Abstract:During software development, vulnerabilities have posed a significant threat to users. Patches are the most effective way to combat vulnerabilities. In a large-scale software system, testing the presence of a security patch in every affected binary is crucial to ensure system security. Identifying whether a binary has been patched for a known vulnerability is challenging, as there may only be small differences between patched and vulnerable versions. Existing approaches mainly focus on detecting patches that are compiled in the same compiler options. However, it is common for developers to compile programs with very different compiler options in different situations, which causes inaccuracy for existing methods. In this paper, we propose a new approach named $PS^{3}$ , referring to precise patch presence test based on semantic-level symbolic signature. $PS^{3}$ exploits symbolic emulation to extract signatures that are stable under different compiler options. Then $PS^{3}$ can precisely test the presence of the patch by comparing the signatures between the reference and the target at semantic level. To evaluate the effectiveness of our approach, we constructed a dataset consisting of 3,631 (CVE, binary) pairs of 62 recent CVEs in four C/C++ projects. The experimental results show that $PS^{3}$ achieves scores of 0.82, 0.97, and 0.89 in terms of precision, recall, and F1 score, respectively. $PS^{3}$ outperforms the state-of-the-art baselines by improving 33% in terms of F1 score and remains stable in different compiler options.

Xiaoye Zheng,Zhiyuan Wan,Yun Zhang,Rui Chang,David Lo

DOI: https://doi.org/10.1145/3624738

IF: 3.685

2023-09-16

ACM Transactions on Software Engineering and Methodology

Abstract:Rust is an emerging programming language designed for the development of systems software. To facilitate the reuse of Rust code, crates.io , as a central package registry of the Rust ecosystem, hosts thousands of third-party Rust packages. The openness of crates.io enables the growth of the Rust ecosystem but comes with security risks by severe security advisories. Although Rust guarantees a software program to be safe via programming language features and strict compile-time checking, the unsafe keyword in Rust allows developers to bypass compiler safety checks for certain regions of code. Prior studies empirically investigate the memory safety and concurrency bugs in the Rust ecosystem, as well as the usage of unsafe keywords in practice. Nonetheless, the literature lacks a systematic investigation of the security risks in the Rust ecosystem. In this paper, we perform a comprehensive investigation into the security risks present in the Rust ecosystem, asking “what are the characteristics of the vulnerabilities, what are the characteristics of the vulnerable packages, and how are the vulnerabilities fixed in practice?”. To facilitate the study, we first compile a dataset of 433 vulnerabilities, 300 vulnerable code repositories, and 218 vulnerability fix commits in the Rust ecosystem, spanning over 7 years. With the dataset, we characterize the types, life spans, and evolution of the disclosed vulnerabilities. We then characterize the popularity, categorization, and vulnerability density of the vulnerable Rust packages, as well as their versions and code regions affected by the disclosed vulnerabilities. Finally, we characterize the complexity of vulnerability fixes and localities of corresponding code changes, and inspect how practitioners fix vulnerabilities in Rust packages with various localities. We find that memory safety and concurrency issues account for nearly two thirds of the vulnerabilities in the Rust ecosystem. It takes over 2 years for the vulnerabilities to become publicly disclosed, and one third of the vulnerabilities have no fixes committed before their disclosure. In terms of vulnerability density, we observe a continuous upward trend at the package level over time, but a decreasing trend at the code level since August 2020. In the vulnerable Rust packages, the vulnerable code tends to be localized at the file level, and contains statistically significantly more unsafe functions and blocks than the rest of the code. More popular packages tend to have more vulnerabilities, while the less popular packages suffer from vulnerabilities for more versions. The vulnerability fix commits tend to be localized to a limited number of lines of code. Developers tend to address vulnerable safe functions by adding safe functions or lines to them, vulnerable unsafe blocks by removing them, and vulnerable unsafe functions by modifying unsafe trait implementations. Based on our findings, we discuss implications, provide recommendations for software practitioners, and outline directions for future research.

computer science, software engineering

Qi Zhan,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3691620.3695012

2024-01-01

Abstract:Patch presence test is critical in software security to ensure that binary files have been patched for known vulnerabilities. It is challenging due to the semantic gap between the source code and the binary, and the small and subtle nature of patches. In this paper, we propose React, the first patch presence test approach on IR-level. Based on the IR code compiled from the source code and the IR code lifted from the binary, we first extract four types of feature (return value, condition, function call, and memory store) by executing the program symbolically. Then, we refine the features from the source code and rank them. Finally, we match the features to determine the presence of a patch with an SMT solver to check the equivalence of features at the semantic level. To evaluate our approach, we compare it with state-of-the-art approaches, BinXray and PS3, on a dataset containing binaries compiled from different compilers and optimization levels. Our experimental results show that React achieves scores of 0.88, 0.98, and 0.93, in terms of precision, recall, and F1 score, respectively. React outperforms the baselines by 39% and 12% in terms of the F1 score, while the testing speed of our approach is 2x faster than BinXray and 100x faster than PS3. Furthermore, we conduct an ablation study to evaluate the effectiveness of each component in React, which shows that SMT solver and refinement can contribute to 16% and 10% improvement in terms of the F1 score, respectively.

Yi He,Zhenhua Zou,Kun Sun,Zhuotao Liu,Ke Xu,Qian Wang,Chao Shen,Zhi Wang,Qi Li

2022-01-01

Abstract:Nowadays real-time embedded devices are becoming one main target of cyber attacks. A huge number of embedded devices equipped with outdated firmware are subject to various vulnerabilities, but they cannot be timely patched due to two main reasons. First, it is difficult for vendors who have various types of fragmented devices to generate patches for each type of device. Second, it is challenging to deploy patches on many embedded devices without restarting or halting real-time tasks, hindering the patch installation on devices (e.g., industrial control devices) that have high availability requirements. In this paper, we present RapidPatch, a new hotpatching framework to facilitate patch propagation by installing generic patches without disrupting other tasks running on heterogeneous embedded devices. RapidPatch allows RTOS developers to directly release common patches for all downstream devices so that device maintainers can easily generate device-specific patches for different firmware. We utilize eBPF virtual machines to execute patches on resource-constrained embedded devices and develop three hotpatching strategies to support hotpatching for all major microcontroller (MCU) architectures. In particular, we propose two types of eBPF patches for different types of vulnerabilities and develop an eBPF patch verifier to ensure patch safety. We evaluate RapidPatch with major CVEs on four major RTOSes running on different embedded devices. We find that over 90% vulnerabilities can be hotpatched via RapidPatch. Our system can work on devices with 64 KB or more memory and 64 MHz MCU frequency. The average patch delay is less than 8 mu s and the overall latency overhead is less than 0.6%.

Boqin Qin,Yilun Chen,Haopeng Liu,Hua Zhang,Qiaoyan Wen,Linhai Song,Yiying Zhang

DOI: https://doi.org/10.1109/tse.2024.3380393

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Rust is a relatively new programming language designed for systems software development. Its objective is to combine the safety guarantees typically associated with high-level languages with the performance efficiency often found in executable programs implemented in low-level languages. The core design of Rust is a set of strict safety rules enforced through compile-time checks. However, to support more low-level controls, Rust also allows programmers to bypass its compiler checks by writing unsafe code. As the adoption of Rust grows in the development of safety-critical software, it becomes increasingly important to understand what safety issues may elude Rust’s compiler checks and manifest in real Rust programs.In this paper, we conduct a comprehensive, empirical study of Rust safety issues by close, manual inspection of 70 memory bugs, 100 concurrency bugs, and 110 programming errors leading to unexpected execution panics from five open-source Rust projects, five widely-used Rust libraries, and two online security databases. Our study answers three important questions: what memory-safety issues real Rust programs have, what concurrency bugs Rust programmers make, and how unexpected panics in Rust programs are caused. Our study reveals interesting real-world Rust program behaviors and highlights new issues made by Rust programmers. Building upon the findings of our study, we design and implement five static detectors. After being applied to the studied Rust programs and another 12 selected Rust projects, our checkers pinpoint 96 previously unknown bugs and report a negligible number of false positives, confirming their effectiveness and the value of our empirical study.

Zhen Huang,David Lie

DOI: https://doi.org/10.48550/arXiv.1711.11136

2018-06-12

Abstract:Security vulnerabilities are among the most critical software defects in existence. As such, they require patches that are correct and quickly deployed. This motivates an automatic patch generation method that emphasizes both soundness and wide applicability. To address this challenge, we propose Senx, which uses three novel patch generation techniques to create patches for out-of-bounds read/write vulnerabilities. Senx uses symbolic execution to extract expressions from the source code of a target application to synthesize patches. To reduce the runtime overhead of patches, it uses loop cloning and access range analysis to analyze loops involved in these vulnerabilities and elevate patches outside of loops. For vulnerabilities that span multiple functions, Senx uses expression translation to translate expressions and place them in a function scope where all values are available to create the patch. This enables Senx to patch vulnerabilities with complex loops and interprocedural dependencies that previous semantics-based patch generation systems cannot handle. We have implemented a prototype using this approach. Our evaluation shows that the patches generated by Senx successfully fix 76% of 42 real-world vulnerabilities from 11 applications including various tools or libraries for manipulating graphics/media files, a programming language interpreter, a relational database engine, a collection of programming tools for creating and managing binary programs, and a collection of basic file, shell, and text manipulation tools. All patches that Senx produces are sound, and Senx correctly aborts patch generations in cases where its analysis will fall short.

Cryptography and Security

Kaixuan Li,Jian Zhang,Sen Chen,Han Liu,Yang Liu,Yixiang Chen

DOI: https://doi.org/10.1145/3650212.3680305

2024-07-24

Abstract:Open-source software (OSS) vulnerabilities are increasingly prevalent, emphasizing the importance of security patches. However, in widely used security platforms like NVD, a substantial number of CVE records still lack trace links to patches. Although rank-based approaches have been proposed for security patch tracing, they heavily rely on handcrafted features in a single-step framework, which limits their effectiveness. In this paper, we propose PatchFinder, a two-phase framework with end-to-end correlation learning for better-tracing security patches. In the **initial retrieval** phase, we employ a hybrid patch retriever to account for both lexical and semantic matching based on the code changes and the description of a CVE, to narrow down the search space by extracting those commits as candidates that are similar to the CVE descriptions. Afterwards, in the **re-ranking** phase, we design an end-to-end architecture under the supervised fine-tuning paradigm for learning the semantic correlations between CVE descriptions and commits. In this way, we can automatically rank the candidates based on their correlation scores while maintaining low computation overhead. We evaluated our system against 4,789 CVEs from 532 OSS projects. The results are highly promising: PatchFinder achieves a Recall@10 of 80.63% and a Mean Reciprocal Rank (MRR) of 0.7951. Moreover, the Manual Effort@10 required is curtailed to 2.77, marking a 1.94 times improvement over current leading methods. When applying PatchFinder in practice, we initially identified 533 patch commits and submitted them to the official, 482 of which have been confirmed by CVE Numbering Authorities.

Software Engineering,Artificial Intelligence

Chengquan Zhang,Yang Feng,Yaokun Zhang,Yuxuan Dai,Baowen Xu

DOI: https://doi.org/10.1109/qrs62785.2024.00035

2024-01-01

Abstract:Rust is a nascent programming language designed to improve memory safety for system programming while maintaining high performance. The Rust language ensures memory safety through its ownership mechanism and by performing compile-time checks on safe code. However, for low-level controls, developers are allowed to bypass these checks by marking their code as unsafe, which in turn introduces memory vulnerabilities. Beyond these memory-related concerns, the existence and nature of other common bugs such as run-time panics have not been thoroughly explored. In this paper, we conduct a comprehensive empirical study to characterize bugs and their fixes beyond memory safety concerns by manually inspecting bug patches in Rust programs. We identify 790 bug fixes from 1100 commits in six widely-used Rust projects and the Rust standard library, and then investigate their root causes and symptoms. Furthermore, we analyze the relationships between these bugs and unsafe code (i.e., whether they are caused by the use of unsafe code and to what extent it impacts them). Our bug study introduces a classification of 15 root causes and 6 symptoms, and categorizes bugs into different groups according to their relationships with safe/unsafe code. We identify 19 major findings and draw broader lessons from them to guide the research community towards future directions in program testing, analysis, fault localization, and repair for Rust language.

Zhiqiang Lin,Xuxian Jiang,Dongyan Xu,Bing Mao,Li Xie

DOI: https://doi.org/10.1145/1229285.1267001

2007-01-01

Abstract:ABSTRACTSoftware patch generation is a critical phase in the life-cycle of a software vulnerability. The longer it takes to generate a patch, the higher the risk a vulnerable system needs to take to avoid from being compromised. However, in practice, it is a rather lengthy process to generate and release software patches. For example, the analysis on 10 recent Microsoft patches (MS06-045 to MS06-054) shows that, for an identified vulnerability, it took 75 days on average to generate and release the patch. In this paper, we present the design, implementation, and evaluation of AutoPaG, a system that aims at reducing the time needed for software patch generation. In our current work, we mainly focus on a common and serious type of software vulnerability: the out-of-bound vulnerability which includes buffer overflows and general boundary condition errors. Given a working out-of-bound exploit which may be previously unknown, AutoPaG is able to catch on the fly the out-of-bound violation, and then, based on data flow analysis, automatically analyzes the program source code and identifies the root cause - vulnerable source-level program statements. Furthermore, within seconds, AutoPaG generates a fine-grained source code patch to temporarily fix it without any human intervention. We have built a proof-of-concept system in Linux and the preliminary results are promising: AutoPaG is able to successfully identify the root cause and generate a source code patch within seconds for every vulnerability test in the Wilander's buffer overflow benchmark test-suite. In addition, the evaluation with a number of real-world out-of-bound exploits also demonstrates its effectiveness and practicality in automatically identifying (vulnerable) source code root causes and generating corresponding patches.

Yuntong Zhang,Andreea Costea,Ridwan Shariffdeen,Davin McCall,Abhik Roychoudhury

2023-08-01

Abstract:Automated Program Repair (APR) techniques typically rely on a given test-suite to guide the repair process. Apart from the need to provide test oracles, this makes the produced patches prone to test data over-fitting. In this work, instead of relying on test cases, we show how to automatically repair memory safety issues, by leveraging static analysis (specifically Incorrectness Separation Logic) to guide repair. Our proposed approach learns what a desirable patch is by inspecting how close a patch is to fixing the bug based on the feedback from incorrectness separation logic based static analysis (specifically the Pulse analyser), and turning this information into a distribution of probabilities over context free grammars. Furthermore, instead of focusing on heuristics for reducing the search space of patches, we make repair scalable by creating classes of equivalent patches according to the effect they have on the symbolic heap, and then invoking the validation oracle only once per class of patch equivalence. This allows us to efficiently discover repairs even in the presence of a large pool of patch candidates offered by our generic patch synthesis mechanism. Experimental evaluation of our approach was conducted by repairing real world memory errors in OpenSSL, swoole and other subjects. The evaluation results show the scalability and efficacy of our approach in automatically producing high quality patches.

Software Engineering

Yuntong Zhang,Ridwan Shariffdeen,Gregory J. Duck,Jiaqi Tan,Abhik Roychoudhury

2023-08-02

Abstract:Fuzz testing (fuzzing) is a well-known method for exposing bugs/vulnerabilities in software systems. Popular fuzzers, such as AFL, use a biased random search over the domain of program inputs, where 100s or 1000s of inputs (test cases) are executed per second in order to expose bugs. If a bug is discovered, it can either be fixed manually by the developer or fixed automatically using an Automated Program Repair (APR) tool. Like fuzzing, many existing APR tools are search-based, but over the domain of patches rather than inputs. In this paper, we propose search-based program repair as patch-level fuzzing. The basic idea is to adapt a fuzzer (AFL) to fuzz over the patch space rather than the input space. Thus we use a patch-space fuzzer to explore a patch space, while using a traditional input level fuzzer to rule out patch candidates and help in patch selection. To improve the throughput, we propose a compilation-free patch validation methodology, where we execute the original (unpatched) program natively, then selectively interpret only the specific patched statements and expressions. Since this avoids (re)compilation, we show that compilation-free patch validation can achieve a similar throughput as input-level fuzzing (100s or 1000s of execs/sec). We show that patch-level fuzzing and input-level fuzzing can be combined, for a co-exploration of both spaces in order to find better quality patches. Such a collaboration between input-level fuzzing and patch-level fuzzing is then employed to search over candidate fix locations, as well as patch candidates in each fix location.

Software Engineering

Mohsen Salehi,Karthik Pattabiraman

DOI: https://doi.org/10.1145/3658644.3690255

2024-08-28

Abstract:Real-time embedded devices like medical or industrial devices are increasingly targeted by cyber-attacks. Prompt patching is crucial to mitigate the serious consequences of such attacks on these devices. Hotpatching is an approach to apply a patch to mission-critical embedded devices without rebooting them. However, existing hotpatching approaches require developers to manually write the hotpatch for target systems, which is time-consuming and error-prone. To address these issues, we propose AutoPatch, a new hotpatching technique that automatically generates functionally equivalent hotpatches via static analysis of the official patches. AutoPatch introduces a new software triggering approach that supports diverse embedded devices, and preserves the functionality of the official patch. In contrast to prior work, AutoPatch does not rely on hardware support for triggering patches, or on executing patches in specialized virtual machines. We implemented AutoPatch using the LLVM compiler, and evaluated its efficiency, effectiveness and generality using 62 real CVEs on four embedded devices with different specifications and architectures running popular RTOSes. We found that AutoPatch can fix more than 90% of CVEs, and resolve the vulnerability successfully. The results revealed an average total delay of less than 12.7 $\mu s$ for fixing the vulnerabilities, representing a performance improvement of 50% over RapidPatch, a state-of-the-art approach. Further, our memory overhead, on average, was slightly lower than theirs (23%). Finally, AutoPatch was able to generate hotpatches for all four devices without any modifications.

Cryptography and Security

Ayushi Sharma,Shashank Sharma,Santiago Torres-Arias,Aravind Machiry

2024-09-06

Abstract:Embedded software is used in safety-critical systems such as medical devices and autonomous vehicles, where software defects, including security vulnerabilities, have severe consequences. Most embedded codebases are developed in unsafe languages, specifically C/C++, and are riddled with memory safety vulnerabilities. To prevent such vulnerabilities, RUST, a performant memory-safe systems language, provides an optimal choice for developing embedded software. RUST interoperability enables developing RUST applications on top of existing C codebases. Despite this, even the most resourceful organizations continue to develop embedded software in C/C++. This paper performs the first systematic study to holistically understand the current state and challenges of using RUST for embedded systems. Our study is organized across three research questions. We collected a dataset of 2,836 RUST embedded software spanning various categories and 5 Static Application Security Testing ( SAST) tools. We performed a systematic analysis of our dataset and surveys with 225 developers to investigate our research questions. We found that existing RUST software support is inadequate, SAST tools cannot handle certain features of RUST embedded software, resulting in failures, and the prevalence of advanced types in existing RUST software makes it challenging to engineer interoperable code. In addition, we found various challenges faced by developers in using RUST for embedded systems development.

Cryptography and Security,Software Engineering

Ayushi Sharma,Shashank Sharma,Santiago Torres-Arias,Aravind Machiry

DOI: https://doi.org/10.48550/arXiv.2311.05063

2023-11-08

Cryptography and Security

Abstract:Embedded software is used in safety-critical systems such as medical devices and autonomous vehicles, where software defects, including security vulnerabilities, have severe consequences. Most embedded codebases are developed in unsafe languages, specifically C/C++, and are riddled with memory safety vulnerabilities. To prevent such vulnerabilities, RUST, a performant memory-safe systems language, provides an optimal choice for developing embedded software. RUST interoperability enables developing RUST applications on top of existing C codebases. Despite this, even the most resourceful organizations continue to develop embedded software in C/C++. This paper performs the first systematic study to holistically understand the current state and challenges of using RUST for embedded systems. Our study is organized across three research questions. We collected a dataset of 2,836 RUST embedded software spanning various categories and 5 Static Application Security Testing ( SAST) tools. We performed a systematic analysis of our dataset and surveys with 225 developers to investigate our research questions. We found that existing RUST software support is inadequate, SAST tools cannot handle certain features of RUST embedded software, resulting in failures, and the prevalence of advanced types in existing RUST software makes it challenging to engineer interoperable code. In addition, we found various challenges faced by developers in using RUST for embedded systems development.

Yunbo Ni,Yang Feng,Zixi Liu,Runtao Chen,Baowen Xu

2024-11-04

Abstract:The Rust programming language has garnered significant attention due to its robust safety features and memory management capabilities. Despite its guaranteed memory safety, Rust programs suffer from runtime errors that are unmanageable, i.e., panic errors. Notably, traditional memory issues such as null pointer dereferences, which are prevalent in other languages, are less likely to be triggered in Rust due to its strict ownership rules. However, the unique nature of Rust's panic bugs, which arise from the language's stringent safety and ownership paradigms, presents a distinct challenge. Over half of the bugs in rustc, Rust's own compiler, are attributable to crash stemming from panic errors. However, addressing Rust panic bugs is challenging and requires significant effort, as existing fix patterns are not directly applicable due to the design and feature of Rust <a class="link-external link-http" href="http://language.Therefore" rel="external noopener nofollow">this http URL</a>, developing foundational infrastructure, including datasets, fixing patterns, and automated repair tools, is both critical and urgent. This paper introduces a comprehensive infrastructure, namely PanicFI, aimed at providing supports for understanding Rust panic bugs and developing automated techniques. In PanicFI, we construct a dataset, Panic4R, comprising 102 real panic bugs and their fixes from the top 500 most-downloaded open-source <a class="link-external link-http" href="http://crates.Then" rel="external noopener nofollow">this http URL</a>, through an analysis of the Rust compiler implementation , we identify Rust-specific patterns for fixing panic bugs, providing insights and guidance for generating patches. Moreover, we develop PanicKiller, the first automated tool for fixing Rust panic bugs, which has already contributed to the resolution of 28 panic bugs in open-source <a class="link-external link-http" href="http://projects.The" rel="external noopener nofollow">this http URL</a> practicality and efficiency of PanicKiller confirm the effectiveness of the patterns mined within PanicFI.

Software Engineering

Xizhe Yin,Yang Feng,Qingkai Shi,Zixi Liu,Hongwang Liu,Baowen Xu

DOI: https://doi.org/10.1145/3650212.3680348

2024-01-01

Abstract:Rust has been extensively used in software development in the past decades due to its memory safety mechanisms and gradually matured ecosystems. Enhancing the quality of Rust libraries is critical to Rust ecosystems as the libraries are often the core component of software systems. Nevertheless, we observe that existing approaches fall short in testing Rust API interactions - they either lack a Rust ownership-compliant API testing method, fail to handle the large search space of function dependencies, or are limited by pre-selected codebases, resulting in inefficiencies in finding errors. To address these issues, we propose a fuzzing technique, namely FRIES, that efficiently synthesizes and tests complex API interactions to identify defects in Rust libraries, and therefore promises to significantly improve the quality of Rust libraries. Behind our approach, a key technique is to traverse a weighted API dependency graph, which encodes not only syntactic dependency between functions but also the common usage patterns mined from the Rust ecosystem that reflect the programmer’s thinking. Combined with our efficient generation algorithm, such a graph structure significantly reduces the search space and lets us focus on finding hidden bugs in common application scenarios. Meanwhile, an ownership assurance algorithm is specially designed to ensure the validity of the generated Rust programs, notably improving the success rate of compiling fuzz targets. Experimental results demonstrate that this technique can indeed generate high-quality fuzz targets with minimal computational resources, while more efficiently discovering errors that have a greater impact on actual development, thereby mitigating the impact on the robustness of programs in the Rust ecosystem. So far, FRIES has identified 130 bugs, including 84 previously unknown bugs, in 20 well-known latest versions of Rust libraries, of which 54 have been confirmed.

Hui Xu,Zhuangbin Chen,Mingshen Sun,Yangfan Zhou,Michael R. Lyu

DOI: https://doi.org/10.1145/3466642

IF: 3.685

2022-01-31

ACM Transactions on Software Engineering and Methodology

Abstract:Rust is an emerging programming language that aims at preventing memory-safety bugs without sacrificing much efficiency. The claimed property is very attractive to developers, and many projects start using the language. However, can Rust achieve the memory-safety promise? This article studies the question by surveying 186 real-world bug reports collected from several origins, which contain all existing Rust common vulnerability and exposures (CVEs) of memory-safety issues by 2020-12-31. We manually analyze each bug and extract their culprit patterns. Our analysis result shows that Rust can keep its promise that all memory-safety bugs require unsafe code, and many memory-safety bugs in our dataset are mild soundness issues that only leave a possibility to write memory-safety bugs without unsafe code. Furthermore, we summarize three typical categories of memory-safety bugs, including automatic memory reclaim, unsound function, and unsound generic or trait. While automatic memory claim bugs are related to the side effect of Rust newly-adopted ownership-based resource management scheme, unsound function reveals the essential challenge of Rust development for avoiding unsound code, and unsound generic or trait intensifies the risk of introducing unsoundness. Based on these findings, we propose two promising directions toward improving the security of Rust development, including several best practices of using specific APIs and methods to detect particular bugs involving unsafe code. Our work intends to raise more discussions regarding the memory-safety issues of Rust and facilitate the maturity of the language.

computer science, software engineering

Ziyou Jiang,Lin Shi,Guowei Yang,Qing Wang

2024-08-16

Abstract:Security patches are essential for enhancing the stability and robustness of projects in the software community. While vulnerabilities are officially expected to be patched before being disclosed, patching vulnerabilities is complicated and remains a struggle for many organizations. To patch vulnerabilities, security practitioners typically track vulnerable issue reports (IRs), and analyze their relevant insecure code to generate potential patches. However, the relevant insecure code may not be explicitly specified and practitioners cannot track the insecure code in the repositories, thus limiting their ability to generate patches. In such cases, providing examples of insecure code and the corresponding patches would benefit the security developers to better locate and fix the insecure code. In this paper, we propose PatUntrack to automatically generating patch examples from IRs without tracked insecure code. It auto-prompts Large Language Models (LLMs) to make them applicable to analyze the vulnerabilities. It first generates the completed description of the Vulnerability-Triggering Path (VTP) from vulnerable IRs. Then, it corrects hallucinations in the VTP description with external golden knowledge. Finally, it generates Top-K pairs of Insecure Code and Patch Example based on the corrected VTP description. To evaluate the performance, we conducted experiments on 5,465 vulnerable IRs. The experimental results show that PatUntrack can obtain the highest performance and improve the traditional LLM baselines by +14.6% (Fix@10) on average in patch example generation. Furthermore, PatUntrack was applied to generate patch examples for 76 newly disclosed vulnerable IRs. 27 out of 37 replies from the authors of these IRs confirmed the usefulness of the patch examples generated by PatUntrack, indicating that they can benefit from these examples for patching the vulnerabilities.

Cryptography and Security,Artificial Intelligence,Software Engineering

Youkun Shi,Yuan Zhang,Tianhan Luo,Xiangyu Mao,Yinzhi Cao,Ziwen Wang,Yudi Zhao,Zongan Huang,Min Yang

2022-01-01

Abstract:Web vulnerabilities, especially injection-related ones, are popular among web application frameworks (such as Word-Press and Piwigo), which can lead to severe consequences like user information leak and server-side maiware execution. One major practice of fixing web vulnerabilities on real-world websites is to apply security patches from the official developers of web frameworks. However, such a practice is challenging because security patches are developed for the latest version of a web framework, but real-world websites often run an old version due to legacy reasons. A direct application of security patches on the old version often fails because web frameworks, especially the code around the vulnerable location, may change between versions. In this paper, we design a security patch backporting framework and implement a prototype on injection vulnerability patches, called SKYPORT. SKYPORT first identifies safely-backportable patches of injection vulnerabilities and web framework versions in theory and then backports patches to corresponding old versions. In the evaluation, SKYPORT identifies 98 out of 155 security patches targeting legacy injection vulnerabilities, which can be backported to 750 old versions of web application frameworks. Then, SKYPORT successfully backported all of the aforementioned backportable patches to corresponding old versions to correctly fix vulnerabilities. We believe that this is a first-step towards this important research problem and hope our research can draw further attention from the research community in backporting security patches to fix unpatched vulnerabilities in general beyond injection-related ones.