Keeping Secrets: Multi-objective Genetic Improvement for Detecting and Reducing Information Leakage
Information leaks in software can unintentionally reveal private data, yet they are hard to detect and fix. Although several methods have been proposed to detect leakage, such as static verification-based approaches, they require specialist knowledge, and are time-consuming. Recently, HyperGI introduced a dynamic, hypertest-based approach that detects and produces potential fixes for information leakage. Its fitness function tries to balance information leakage and program correctness, but as the authors of that work point out, there may be a tradeoff between keeping program semantics and reducing information leakage.
In this work we ask if it is possible to automatically detect and repair information leakage in more realistic programs without requiring specialist knowledge. Our approach, called LeakReducer explicitly encodes the tradeoff between program correctness and information leakage as a multi-objective optimisation problem. We apply LeakReducer to a set of leaky programs including the well known Heartbleed bug. It is comparable with HyperGI on their toy applications. In addition, we demonstrate it can find and reduce leakage in real applications and we see diverse solutions on our Pareto front. Upon investigation we find that having a Pareto front helps with some types of information leakage, but not all.
Wed 12 OctDisplayed time zone: Eastern Time (US & Canada) change
10:00 - 12:00 | Technical Session 9 - Security and Privacy Research Papers / Industry Showcase at Ballroom C East Chair(s): Wei Yang University of Texas at Dallas | ||
10:00 20mResearch paper | Keeping Secrets: Multi-objective Genetic Improvement for Detecting and Reducing Information Leakage Research Papers Ibrahim Mesecan Iowa State University, Daniel Blackwell University College London, David Clark University College London, Myra Cohen Iowa State University, Justyna Petke University College London | ||
10:20 20mResearch paper | ThirdEye: Attention Maps for Safe Autonomous Driving Systems Research Papers Andrea Stocco Università della Svizzera italiana (USI), Paulo J. Nunes Federal University of Pernambuco, Marcelo d'Amorim Federal University of Pernambuco, Paolo Tonella USI Lugano DOI Pre-print | ||
10:40 20mIndustry talk | Finding Property Violations through Network Falsification: Challenges, Adaptations and Lessons Learned from OpenPilot Industry Showcase | ||
11:00 20mResearch paper | Scrutinizing Privacy Policy Compliance of Virtual Personal Assistant Apps Research Papers Fuman Xie University of Queensland, Yanjun Zhang University of Queensland, Chuan Yan University of Queensland, Suwan Li Nanjing University, Lei Bu Nanjing University, Kai Chen SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, China, Zi Huang University of Queensland, Guangdong Bai University of Queensland | ||
11:20 20mResearch paper | An Empirical Study of Automation in Software Security Patch Management Research Papers Nesara Dissanayake University of Adelaide, Asangi Jayatilaka University of Adelaide, Mansooreh Zahedi The Univeristy of Melbourne, Muhammad Ali Babar University of Adelaide | ||
11:40 20mResearch paper | Are They Toeing the Line? Diagnosing Privacy Compliance Violations among Browser Extensions Research Papers Yuxi Ling National University of Singapore, Kailong Wang National University of Singapore, Guangdong Bai University of Queensland, Haoyu Wang Huazhong University of Science and Technology, China, Jin Song Dong National University of Singapore | ||