Maestro: a platform for benchmarking automatic program repair tools on software vulnerabilities

Pinconschi, Eduard; Bui, Quang-Cuong; Abreu, Rui; Adão, Pedro; Scandariato, Riccardo

doi:10.1145/3533767.3543291

Cited by 4 publications

(3 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Liu et al (2020) have already shown that, at a more careful semantic analysis, several APR outcomes pass all tests but are actually wrong. What we have shown in this paper is that the PoV-based method proposed by Pinconschi et al (2021Pinconschi et al ( , 2022 and by Bui et al (2022) is not enough to guarantee semantic correctness of the fixes, even in the presence of a perfect selection of the bug location.…”

Section: Novelty and Contributionmentioning

confidence: 80%

“…Platforms for automated analysis of test-based APR tools are well developed and, recently, have also been used for security vulnerabilities. For example, Durieux et al (2019) have proposed a toolchain for the automatic analysis of several APR tools in Java, Pinconschi et al (2021) have presented an evaluation of APR tools for C vulnerabilities, and Pinconschi et al (2022) have proposed a toolchain for the automatic execution of APR tools for vulnerabilities in C and Java. The key difference between traditional APR test suites and AVR test suites is that the latter contains a special test case, called Proof of Vulnerability (PoV) test, which reveals the presence of a vulnerability in the program.…”

Section: Novelty and Contributionmentioning

confidence: 99%

See 1 more Smart Citation

APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities

Bui,

Paramitha,

et al. 2023

Empir Software Eng

Self Cite

View full text Add to dashboard Cite

Security vulnerability fixes could be a promising research avenue for Automated Program Repair (APR) techniques. In recent years, APR tools have been thoroughly developed for fixing generic bugs. However, the area is still relatively unexplored when it comes to fixing security bugs or vulnerabilities. In this paper, we evaluate nine state-of-the-art APR tools and one vulnerability-specific repair tool. In particular, we investigate their ability to generate patches for 79 real-world Java vulnerabilities in the Vul4J dataset, as well as the level of trustworthiness of these patches. We evaluate the tools with respect to their ability to generate security patches that are (i) testable, (ii) having the positive effect of closing the vulnerability, and (iii) not having side effects from a functional point of view. Our results show that the evaluated APR tools were able to generate testable patches for around 20% of the considered vulnerabilities. On average, nearly 73% of the testable patches indeed eliminate the vulnerabilities, but only 44% of them could actually fix security bugs while maintaining the functionalities. To understand the root cause of this phenomenon, we conduct a detailed comparative study of the general bug fix patterns in Defect4J and the vulnerability fix patterns in ExtraVul (which we extend from Vul4J). Our investigation shows that, although security patches are short in terms of lines of code, they contain unique characteristics in their fix patterns compared to general bugs. For example, many security fixes require adding method calls. These method calls contain specific input validation-related keywords, such as encode, normalize, and trim. In this regard, our study suggests that additional repair patterns should be implemented for existing APR tools to fix more types of security vulnerabilities.

show abstract

Section: Novelty and Contributionmentioning

confidence: 80%

Section: Novelty and Contributionmentioning

confidence: 99%

APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities

Bui,

Paramitha,

et al. 2023

Empir Software Eng

Self Cite

View full text Add to dashboard Cite

show abstract

“…Design-level security automation is possible with an acceptable precision value, which provides significant approval of the techniques adopted. Pinconschi et al [ 23 ] developed a tool that automatically repairs software vulnerabilities using the decentralized platform with RESTful APIs and has low overheads. Finally, the tool can be an extensible repair tool for container-based service instances to check and repair vulnerabilities.…”

Section: Resultsmentioning

confidence: 99%

Static-Analysis-Based Solutions to Security Challenges in Cloud-Native Systems: Systematic Mapping Study

Rahaman

Islam

Černý

et al. 2023

Sensors

View full text Add to dashboard Cite

Security is a significant priority for cloud-native systems, regardless of the system size and complexity. Therefore, one must utilize a set of defensive mechanisms or controls to protect the system from exploitation by potential adversaries. There is an expanding amount of research on security issues, including attacks against individual microservices or overall systems and their corresponding defense mechanism options. This study intends to provide a comprehensive overview of currently used defense mechanisms involving static analysis that can detect and react against associated attacks and vulnerabilities. We present a systematic literature review that extracts current approaches for the security analysis of microservices and the violation of security principles. We gathered 1049 relevant publications, of which 50 were selected as primary studies. We are providing practitioners and developers with a structured survey of the existing literature of defensive solutions for microservice architectures and cloud-native systems to aid them in identifying applicable solutions for their systems.

show abstract

Cerberus: a Program Repair Framework

Shariffdeen

Mirchev

Noller

et al. 2023

2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)

View full text Add to dashboard Cite

Maestro: a platform for benchmarking automatic program repair tools on software vulnerabilities

Cited by 4 publications

References 16 publications

APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities

APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities

Static-Analysis-Based Solutions to Security Challenges in Cloud-Native Systems: Systematic Mapping Study

Cerberus: a Program Repair Framework

Contact Info

Product

Resources

About