PRF: A Framework for Building Automatic Program Repair Prototypes for JVM-Based Languages

PRF is a Java-based framework that allows researchers to build prototypes of test-based generate-and-validate automatic program repair techniques for JVM languages by simply extending it with their patch generation plugins. The framework also provides other useful components for constructing automatic program repair tools, e.g., a fault localization component that provides spectrum-based fault localization information at different levels of granularity, a configurable and safe patch validation component that is 11+X faster than vanilla testing, and a customizable post-processing component to generate fix reports. A demo video of PRF is available at https://bit.ly/3ehduSS.Comment: Proceedings of the 28th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE '20

Towards securing software of embedded Linux devices

Thesis (MEng)--Stellenbosch University, 2014.ENGLISH ABSTRACT: As Embedded devices continue to proliferate, there is a rising concern surrounding the security that these increasingly complex and capable devices provide. Software development processes are successfully employed to address security in desktop operating systems and applications, yet there is no widely accepted security process for embedded systems. In this thesis, we demonstrate how security of embedded Linux devices may be improved by considering 12 well-chosen case studies that exemplify methods advocated by established secure software development processes. Specifically, we derive highlevel methods from a comparative study of two well-known security processes: The Microsoft Security Development Lifecycle (SDL) and the OWASP Comprehensive Lightweight Application Security Process (CLASP), and use these to evaluate embedded Linux devices. These methods, namely, attack surface analysis, threat modeling, and security testing, drive the assessment techniques that enable vulnerability discovery and analysis covered in our case studies. We apply and investigate these techniques in terms of attacks that pertain to three common elements of a typical embedded Linux device, that is, operating system, network, and Universal Serial Bus (USB) attacks. During assessment, a number of new security vulnerabilities are discovered in these attack surfaces, demonstrating the effectiveness of our approach. Moreover, we develop a novel, publicly available USB fuzz testing framework for discovering USB vulnerabilities. Our final contribution culminates in six concrete, actionable recommendations based on our case studies for improving embedded security. Interestingly, our recommendations correlate with those advocated by security expert Gary McGraw, but with the added benefit of being substantiated by concrete case study analyses in the embedded space.AFRIKAANSE OPSOMMING: Soos toegewyde toestelle voortgaan om te vermenigvuldig, is daar ’n toenemende kommer rondom die sekuriteit wat hulle bied. Al word sagtewareontwikkeling prosesse suksesvol toegepas op gewone rekenaars en programme, bestaan daar nie ’n aanvaarde sekuriteitsproses vir toegewyde stelsels nie. In hierdie tesis wys ons hoe die sekuriteits aspekte van toegewyde Linux stelsels verbeter kan word deur middel van 12 gevallestudies, waarin ons gevestigde sagteware-ontwikkeling proses metodes toepas. Ons begin deur twee bekende sekuriteit prosesse te vergelyk: die Microsoft Security Development Lifecycle (SDL) en die OWASP Comprehensive Lightweight Application Security Process (CLASP). Hiermee kies ons metodes wat van toepassing is om die sekuriteit van toegewyde Linux toestelle te evalueer. Die metodes, naamlik aanval oppervlak analise, bedreigingsmodellering, en toegepaste veiligheidsevalueering word gebruik om sekuriteits foute te ontdek en te analiseer in ons gevallestudies. Verder neem ons drie elemente in ag van toegewyde Linux toestalle wat tipies aangeval word, naamlik, die bedryfstelsel, netwerk, en USB oppervlaktes. Gedurende assessering is ’n aantal nuwe sekuriteit probleme ontdek in hierdie aanval oppervlaktes, wat die doeltreffendheid toon van ons benadering. Verder ontwikkel ons ’n nuwe USB toetsraamwerk om sekuriteits foute te ontdek, wat boonop aan die publiek beskikbaar gemaak is. Ons finale bydrae is ses konkrete aanbevelings vir die verbetering van sekuriteit in toegewyde stelsels, wat ontwikkel is op grond van ons gevallestudies. Interessant genoeg, ons aanbevelings stem ooreen met dié bepleit deur sekuriteit deskundige Gary McGraw, maar met die addisionele voordeel dat dit gebaseer is op konkrete gevallestudies in die veld van toegewyde stelsels

rvantonder/CryptOSS: v0.1.0

v0.1.0 release

Automated Program Transformation for Improving Software Quality

Software bugs are not going away. Millions of dollars and thousands of developer-hours are spent finding bugs, debugging the root cause, writing a patch, and reviewing fixes. Automated techniques like static analysis and dynamic fuzz testing have a proven track record for cutting costs and improving software quality. More recently, advances in automated program repair have maturedand see nascent adoption in industry. Despite the value of these approaches, automated techniques do not come for free: they must approximate, both theoretically and in the interest of practicality. For example, static analyzerssuffer false positives, and automatically produced patches may be insufficiently precise to fix a bug. Such limitations continue to impose substantial human effort amid the benefits of automation. Software development activities revolve around changing code. Thus, performing and reasoning about program change has extensive bearing on the effectiveness of automated techniques. From this perspective, we develop new automated techniques for changing programs to improve analysis behavior, and,correspondingly, use automated reasoning and analysis to specialize program changes for automated program repair. We present the first evidence that automated program transformation, program analysis, and program repair areinterrelated and cooperative. We first show that automated program transformation leads to higher quality static analysis (by reducing false positives) and dynamic fuzz testing (by reducing duplicate bug reports). We then show how high-quality static analyses can feed into and enable automated program repair, and how automated repair can circle back to further improve static analysis(e.g., by revealing more true positive bugs). The thesis is that automated syntactic and semantic search and application of program transformations enables efficient, scalable, and unassisted techniques for improving the effectiveness of existing program analyses and end-to-end repair of real-world programs. We show that these techniques are effective compared to current approachesin the respective domains of static analysis, dynamic fuzz testing, and program repair. We demonstrate relevance and real-world applicability by evaluating on large, popular, and active projects across multiple languages. Our visionfor this work is that new capabilities and techniques for automated program transformation foster effective ways to automate burdensome human effort and reasoning incurred by limitations in program analysis and repair

Artifact for Syntax Is All You Need: A Universal-Language Approach to Mutant Generation

This is the artifact for the paper "Syntax Is All You Need: A Universal-Language Approach to Mutant Generation".</p