Senx: Sound Patch Generation for Security Vulnerabilities

Many techniques have been proposed for automatic patch generation and the overwhelming majority of them rely on the quality of test suites to prove the correctness of the patches that they generate. However, the quality of test suites is usually undesirable and hence the quality of the patches is ill-suited for security vulnerabilities. To address this, we propose an approach that generates patches by following the proved working strategy utilized by human developers in fixing security vulnerabilities, which relies on a sound analysis of the nature of a vulnerability rather than the quality of test suites for the correctness of the patches. In this paper, we present the design of our approach to fixing buffer overflow and integer overflow vulnerabilities. It is enabled by the combination of two novel techniques: loop analysis and symbolic expression translation. They mimic the analysis performed by human developers to develop patches for buffer overflows and integer overflows. To ensure the safety of our patches, the two techniques are built on top of sound dataflow analysis, coupled with concolic execution. We have implemented a prototype called Senx using this approach. Our evaluation on Senx shows that the two techniques are effective and applicable to a myriad of different programs. Our evaluation shows that the patches generated by Senx successfully fix 33 of 42 real-world buffer overflows and integer overflows from a variety of 11 applications including various tools or libraries for manipulating graphics/media files, a programming language interpreter, a relational database engine, a collection of programming tools for creating and managing binary programs, and a collection of basic file, shell, and text manipulation tools.