Mining for Mutation Operators for Reduction of Information Flow Control Violations (ASE 2024 - The New Ideas and Emerging Results (NIER) Track)

Who

Ilya Kosorukov, Daniel Blackwell, David Clark, Myra Cohen, Justyna Petke

Track

ASE 2024 NIER Track

Time Zone

The program is currently displayed in (GMT-07:00) Pacific Time (US & Canada).

Use conference time zone: (GMT-07:00) Pacific Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Thu 31 Oct 2024 11:50 - 12:00 at Magnoila - Vulnerability and security2 Chair(s): Yiming Tang

Abstract

The unintentional flow of confidential data to unauthorised users is a serious software security vulnerability. Detection and repair of such errors is a non-trivial task that has been worked on by the security community for many years. More recently, dynamic approaches, such as HyperGI, have been introduced that use hypertesting and genetic improvement to not only detect, but also provide a patch that reduces such information flow control violations. However, empirical studies done so far have used mostly generic mutation operators, potentially limiting the strength of this approach. In this new ideas paper we mine the National Vulnerabilities Database to find repairs of information leaks. Of 636 issues initially identified, we found 73 fixes that relate to information leaks and come with open source patches to the code. From these, we identified 10 types of mutation operators with potential to fix such issues. Six of these have so far never been used to fix information leaks via automated mutation to the code. We propose that these could help improve effectiveness of tools using the HyperGI approach.

Ilya Kosorukov

University College London

Daniel Blackwell

University College London

David Clark

University College London

United Kingdom

Myra Cohen

Iowa State University

United States

Justyna Petke

University College London

United Kingdom

Time Zone

The program is currently displayed in (GMT-07:00) Pacific Time (US & Canada).

Use conference time zone: (GMT-07:00) Pacific Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Thu 31 Oct
Displayed time zone: Pacific Time (US & Canada) change

10:30 - 12:00	Vulnerability and security2NIER Track / Research Papers / Tool Demonstrations at Magnoila Chair(s): Yiming Tang Rochester Institute of Technology

10:30 15m Talk		Coding-PTMs: How to Find Optimal Code Pre-trained Models for Code Embedding in Vulnerability Detection? Research Papers Yu Zhao , Lina Gong Nanjing University of Aeronautics and Astronautic, Zhiqiu Huang Nanjing University of Aeronautics and Astronautics, Yongwei Wang Shanghai Institute for Advanced Study and College of Computer Science, Zhejiang University, Mingqiang Wei School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Fei Wu College of Computer Science and Technology in Zhejiang University
10:45 15m Talk		STASE: Static Analysis Guided Symbolic Execution for UEFI Vulnerability Signature Generation Research Papers Md Shafiuzzaman University of California at Santa Barbara, Achintya Desai University of California Santa Barbara, Laboni Sarker University of California at Santa Barbara, Tevfik Bultan University of California at Santa Barbara
11:00 15m Talk		Effective Vulnerable Function Identification based on CVE Description Empowered by Large Language Models Research Papers Yulun Wu Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Zeliang Yu Huazhong University of Science and Technology, Xiaochen Guo Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology
11:15 15m Talk		COBRA: Interaction-Aware Bytecode-Level Vulnerability Detector for Smart Contracts Research Papers Wenkai Li Hainan University, Xiaoqi Li Hainan University, Zongwei Li Hainan University, Yuqing Zhang University of Chinese Academy of Sciences; Zhongguancun Laboratory Link to publication DOI Pre-print Media Attached
11:30 10m Talk		MADE-WIC: Multiple Annotated Datasets for Exploring Weaknesses In Code Tool Demonstrations Moritz Mock Free University of Bozen-Bolzano, Jorge Melegati Free University of Bozen-Bolzano, Max Kretschmann Hamburg University of Technology, Nicolás E. Díaz Ferreyra Hamburg University of Technology, Barbara Russo Free University of Bozen/Bolzano, Italy DOI Pre-print
11:40 10m Talk		The Software Genome Project: Unraveling Software Through Genetic Principles NIER Track Yueming Wu Nanyang Technological University, Chengwei Liu Nanyang Technological University, Zhengzi Xu Nanyang Technological University; Imperial Global Singapore, Lyuye Zhang Nanyang Technological University, Yiran Zhang , Zhu Zhiling Zhejiang University of Technology, Yang Liu Nanyang Technological University
11:50 10m Talk		Mining for Mutation Operators for Reduction of Information Flow Control Violations NIER Track Ilya Kosorukov University College London, Daniel Blackwell University College London, David Clark University College London, Myra Cohen Iowa State University, Justyna Petke University College London