Tjiong, EL; Mechtaev, S; Dirgantara, HB; (2022) Use of General Repair Tool for Fixing Security Vulnerabilities. In: 2022 International Conference on Information Technology Research and Innovation, ICITRI 2022. (pp. 135-140). IEEE: Jakarta, Indonesia.
Abstract
Automated patch generation approaches have been shown to address defects in real-world programs, including security vulnerabilities. On the one hand, general repair tools are designed to fix common bugs. On the other hand, specific repair tools target security-related vulnerabilities, such as integer or buffer overflow. However, fewer works focus on assessing general repair tools' capabilities to fix security vulnerabilities. The assessment will be helpful to find out if general repair tools can fix security vulnerabilities without knowing specific characterizing patterns of such vulnerabilities in advance, thus not being subjected to overfitting. In this paper, we present a detailed analysis of a case study using the semantic general repair tool, F1X, to fix security-related vulnerabilities found by the OSS-Fuzz framework. The OSS-Fuzz framework is an automated continuous testing platform run on Google's cloud infrastructure, which can pinpoint source code containing security-related vulnerabilities and generate its failing test case. Using a dataset of 240 security vulnerabilities found in five open source programs from OSS-Fuzz, we compared and analyzed fix patterns generated by F1X with fixing patterns in OSS-Fuzz GitHub repositories. We believe that the result of this case study will be insightful for developers to strengthen and optimize their repair tools and security analysts to consider integrating automated repair tools into production systems.
Type: | Proceedings paper |
---|---|
Title: | Use of General Repair Tool for Fixing Security Vulnerabilities |
Event: | ICITRI 2022 |
Dates: | 10 Nov 2022 - 10 Nov 2022 |
Open access status: | An open access version is available from UCL Discovery |
DOI: | 10.1109/ICITRI56423.2022.9970223 |
Publisher version: | https://doi.org/10.1109/ICITRI56423.2022.9970223 |
Language: | English |
Additional information: | This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions. |
Keywords: | Technological innovation, Source coding, Computer bugs, Buffer overflows, Manuals, Maintenance engineering, Software |
UCL classification: | UCL; UCL > Provost and Vice Provost Offices > UCL BEAMS; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/10175711 |



