Sound Patch Generation for Vulnerabilities

TL;DR

Senx is an automated patch generation system that uses symbolic execution, loop analysis, and expression translation to produce sound patches for complex out-of-bounds vulnerabilities across diverse applications.

Contribution

This paper introduces Senx, a novel system that generates sound patches for out-of-bounds vulnerabilities using advanced symbolic execution and interprocedural analysis techniques.

Findings

Successfully patched 76% of real-world vulnerabilities

Handles complex loops and interprocedural dependencies

Produces sound patches with correct aborts when analysis is insufficient

Abstract

Security vulnerabilities are among the most critical software defects in existence. As such, they require patches that are correct and quickly deployed. This motivates an automatic patch generation method that emphasizes both soundness and wide applicability. To address this challenge, we propose Senx, which uses three novel patch generation techniques to create patches for out-of-bounds read/write vulnerabilities. Senx uses symbolic execution to extract expressions from the source code of a target application to synthesize patches. To reduce the runtime overhead of patches, it uses loop cloning and access range analysis to analyze loops involved in these vulnerabilities and elevate patches outside of loops. For vulnerabilities that span multiple functions, Senx uses expression translation to translate expressions and place them in a function scope where all values are available to create the patch. This enables Senx to patch vulnerabilities with complex loops and interprocedural dependencies that previous semantics-based patch generation systems cannot handle. We have implemented a prototype using this approach. Our evaluation shows that the patches generated by Senx successfully fix 76% of 42 real-world vulnerabilities from 11 applications including various tools or libraries for manipulating graphics/media files, a programming language interpreter, a relational database engine, a collection of programming tools for creating and managing binary programs, and a collection of basic file, shell, and text manipulation tools. All patches that Senx produces are sound, and Senx correctly aborts patch generations in cases where its analysis will fall short.