Automatic Repair of Java Code with Timing Side-Channel Vulnerabilities

Rui Lima, João F. Ferreira, Alexandra Mendes
November 2021
PDF

Abstract

Vulnerability detection and repair is a demanding and expensive part of the software development process. As such, there has been an effort to develop new and better ways to automatically detect and repair vulnerabilities. DifFuzz is a state-of-the-art tool for automatic detection of timing side-channel vulnerabilities, a type of vulnerability that is particularly difficult to detect and correct. Despite recent progress made with tools such as DifFuzz, work on tools capable of automatically repairing timing side-channel vulnerabilities is scarce. In this paper, we propose DifFuzzAR, a new tool for automatic repair of timing side-channel vulnerabilities in Java code. The tool works in conjunction with DifFuzz and it is able to repair 56% of thevulnerabilities identified in DifFuzz’s dataset. The results show that the tool can indeed automatically correct timing side-channel vulnerabilities, being more effective with those that are control-flow based.

Type
Conference paper
Publication
In the 5th International Workshop on Refactoring (co-located with the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE’21))
Awards/Honors
Invited to ASE 2021 workshop best papers special issue published by the Springer Journal on Automated Software Engineering (see JASE 2024 extended paper)
Avatar
Computer Scientist

My research interests include software reliability, software verification, and formal methods applied to software engineering. I am also interested in interactive storytelling. For more details, see some of my projects or my selected (or recent) publications. More posts are available in my blog. Follow me on Twitter or add me on LinkedIn.