Automatic Software Repair: a Bibliography

This article presents a survey on automatic software repair. Automatic software repair consists of automatically finding a solution to software bugs without human intervention. This article considers all kinds of repairs. First, it discusses behavioral repair where test suites, contracts, models, and crashing inputs are taken as oracle. Second, it discusses state repair, also known as runtime repair or runtime recovery, with techniques such as checkpoint and restart, reconfiguration, and invariant restoration. The uniqueness of this article is that it spans the research communities that contribute to this body of knowledge: software engineering, dependability, operating systems, programming languages, and security. It provides a novel and structured overview of the diversity of bug oracles and repair operators used in the literature

Automated Repair of Resource Leaks in Android Applications

Resource leaks -- a program does not release resources it previously acquired -- are a common kind of bug in Android applications. Even with the help of existing techniques to automatically detect leaks, writing a leak-free program remains tricky. One of the reasons is Android's event-driven programming model, which complicates the understanding of an application's overall control flow. In this paper, we present PlumbDroid: a technique to automatically detect and fix resource leaks in Android applications. PlumbDroid uses static analysis to find execution traces that may leak a resource. The information built for detection also undergirds automatically building a fix -- consisting of release operations performed at appropriate locations -- that removes the leak and does not otherwise affect the application's usage of the resource. An empirical evaluation on resource leaks from the DroidLeaks curated collection demonstrates that PlumbDroid's approach is scalable and produces correct fixes for a variety of resource leak bugs. This indicates it can provide valuable support to enhance the quality of Android applications in practice

Automatic Removal of Flaws in Embedded System Software

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2022Currently, embedded systems are present in a myriad of devices, such as Internet of Things, drones, and Cyber-physical Systems. The security of these devices can be critical, depending on the context they are integrated and the role they play (e.g., water plant, car). C is the core language used to develop the software for these devices and is known for missing the bounds of its data types, which leads to vulnerabilities such as buffer overflows. These vulnerabilities, when exploited, cause severe damage and can put human life in danger. Therefore, the software of these devices must be secure. One of the concerns with vulnerable C programs is to correct the code automatically, employing secure code that can remove the existing vulnerabilities and avoid attacks. However, such task faces some challenges after finding the vulnerabilities, namely determining what code is needed to remove them and where to insert that code, maintaining the correct behavior of the application after applying the code correction, and verifying that the generated code correction is secure and effectively removes the vulnerabilities. Another challenge is to accomplish all these elements automatically. This work aims to study diverse types of buffer overflow vulnerabilities in the C programming lan guage, forms to build secure code for invalidating such vulnerabilities, including functions from the C language that can be used to remove flaws. Based on this knowledge, we propose an approach that automatically, after discovering and confirming potential vulnerabilities of an application, applies code correction to fix the vulnerable code of those vulnerabilities verified and validate the new code with fuzzing/attack injection. We implemented our approach and evaluated it with a set of test cases and with real applications. The experimental results showed that the tool detected the intended vulnerabilities and generated corrections capable of removing the vulnerabilities found

Технології автоматичного виправлення помилок безпеки в програмному забезпеченні

Обсяг роботи 96 сторінок, 24 ілюстрації, 23 таблиці, 88 джерел літератури. Об'єктом дослідження є вразливе програмне забезпечення, що містить помилки безпеки. Предметом дослідження є методи аналізу проміжного представлення коду, методи глибинного навчання для пошуку вразливостей та методи автоматичного виправлення помилок безпеки в коді програмного забезпечення. Методи дослідження - представлення початкового коду у вигляді абстрактного синтаксичного дерева, методи глибинного навчання, що дозволяють генерувати виправлення для помилок безпеки. Наукова новизна полягає в тому, що отримав подальший розвиток метод виправлення помилок безпеки в програмному забезпеченні написаному мовою програмування С/С++ на основі детермінованих правил шляхом додавання специфічних шаблонів, що автоматично трансформують абстрактне синтаксичне дерево виправляючи відповідну помилку безпеки. Також отримав подальший розвиток метод виправлення помилок безпеки на основі глибинного навчання шляхом попередньої обробки коду для підвищення точності завдяки видобуванню найбільш істотних ознак для помилки безпеки. Результати роботи викладені у третьому розділі, що демонструють роботу систем виправлення помилок безпеки на основі детермінованих шаблонів та на основі глибинного навчання. Результати роботи можуть бути використані виправлення специфічних помилок безпеки в початковому коді програмного забезпечення.The volume of work is 96 pages, 24 illustrations, 23 tables, 88 sources of literature. The object of the study is vulnerable software that contains security issues. The subject of the study is methods of analysis of the intermediate code representation, methods of deep learning to find vulnerabilities and methods of automatic patch generation for security issues in software. Research methods - presenting the source code in the form of an abstract syntax tree, deep learning methods that allow you to generate patches for security issues. The scientific novelty is that the method of correcting security errors in software written in C / C ++ programming language based on deterministic rules has been further developed by adding specific templates that automatically transform the abstract syntax tree by correcting the corresponding security error. A method of correcting security errors based on deep learning has also been further developed by pre-processing code to improve accuracy by extracting the most essential features for a security error. The results of the work are presented in Section 3, which demonstrates the performance of security-based path generation systems based on deterministic patterns and deep learning. The results of the work can be used to generate patches for specific security issues in the source code of the software

Automated Software Transplantation

Automated program repair has excited researchers for more than a decade, yet it has yet to find full scale deployment in industry. We report our experience with SAPFIX: the first deployment of automated end-to-end fault fixing, from test case design through to deployed repairs in production code. We have used SAPFIX at Facebook to repair 6 production systems, each consisting of tens of millions of lines of code, and which are collectively used by hundreds of millions of people worldwide. In its first three months of operation, SAPFIX produced 55 repair candidates for 57 crashes reported to SAPFIX, of which 27 have been deem as correct by developers and 14 have been landed into production automatically by SAPFIX. SAPFIX has thus demonstrated the potential of the search-based repair research agenda by deploying, to hundreds of millions of users worldwide, software systems that have been automatically tested and repaired. Automated software transplantation (autotransplantation) is a form of automated software engineering, where we use search based software engineering to be able to automatically move a functionality of interest from a ‘donor‘ program that implements it into a ‘host‘ program that lacks it. Autotransplantation is a kind of automated program repair where we repair the ‘host‘ program by augmenting it with the missing functionality. Automated software transplantation would open many exciting avenues for software development: suppose we could autotransplant code from one system into another, entirely unrelated, system, potentially written in a different programming language. Being able to do so might greatly enhance the software engineering practice, while reducing the costs. Automated software transplantation manifests in two different flavors: monolingual, when the languages of the host and donor programs is the same, or multilingual when the languages differ. This thesis introduces a theory of automated software transplantation, and two algorithms implemented in two tools that achieve this: µSCALPEL for monolingual software transplantation and τSCALPEL for multilingual software transplantation. Leveraging lightweight annotation, program analysis identifies an organ (interesting behavior to transplant); testing validates that the organ exhibits the desired behavior during its extraction and after its implantation into a host. We report encouraging results: in 14 of 17 monolingual transplantation experiments involving 6 donors and 4 hosts, popular real-world systems, we successfully autotransplanted 6 new functionalities; and in 10 out of 10 multlingual transplantation experiments involving 10 donors and 10 hosts, popular real-world systems written in 4 different programming languages, we successfully autotransplanted 10 new functionalities. That is, we have passed all the test suites that validates the new functionalities behaviour and the fact that the initial program behaviour is preserved. Additionally, we have manually checked the behaviour exercised by the organ. Autotransplantation is also very useful: in just 26 hours computation time we successfully autotransplanted the H.264 video encoding functionality from the x264 system to the VLC media player, a task that is currently done manually by the developers of VLC, since 12 years ago. We autotransplanted call graph generation and indentation for C programs into Kate, (a popular KDE based test editor used as an IDE by a lot of C developers) two features currently missing from Kate, but requested by the users of Kate. Autotransplantation is also efficient: the total runtime across 15 monolingual transplants is 5 hours and a half; the total runtime across 10 multilingual transplants is 33 hours

Systematic Metaphor Analysis as a Method of Qualitative Research

George Lakoff and Mark Johnsons theory of metaphor (1980, 1999) provides a basis for describing everyday cognitive structures using linguistic models and thus, making it possible to uncover both individual and collective patterns of thought and action. Lakoff and Johnson have not, however, developed a workable system for carrying out qualitative research. This paper outlines the fundamentals of this approach and proposes a procedure for the reconstruction of metaphorical concepts. As is normally the case in qualitative research, such guidelines can only ever represent the interplay between the ability of the researcher to understand the sense of things and the rules of the methodology. An overview of the typical interpretations that a metaphor analysis allows is also given

Religious and Spiritual Implications in Functional Anger

The topic of spirituality has been of interest for many years in the helping professions (Matise et al., 2018; Pargament, 2011). Another level of interest is how spirituality may be connected to anger that is culturally informed (Subarimaniam et al., 2020). This writing approaches the topic of functional anger as impacted by the religious and spiritual beliefs with case vignettes pertinent to students, pastoral counselors, nurses, social workers, psychologists, psychotherapists, and other helping professionals. The topic of spirituality has been of interest for many years in the mental health profession yet is pertinent to all helping professions (Matise et al., 2018; Pargament, 2011). This writing seeks to close the gap between current practices for pastoral helpers, psychologists, clergy, nurses, social workers, and psychotherapists when a client presents with anger that is connected to religious or spiritual beliefs. The context for these topics will be from a spiritually integrated framework that recognizes religious and spirituality as a uniquely held perspective of the client (ACPE, 2019; Jones, 2019; Pargament, 2011). There is no expectation of expertise for any one specific faith tradition and no disrespect intended for religious or spiritual research that has been included in the examples