Automatic computer bug repair
By Larry Hardesty on Monday, August 3rd, 2015
Features in QESP NewsletterVolume 27 , Issue 7 - ISSN 1325-2070
System fixes bugs by importing functionality from other programs, without access to source code
By Massachusetts Institute of Technology, The original item was written by Larry Hardesty.
Date: June 29, 2015
(QESP Editor’s Note: The following is an extract of a June 29, 2015 ScienceDaily article. The original, with source materials, is available at www.sciencedaily.com/releases/2015/06/150629132423.htm .)
Researchers have developed a new system that repairs dangerous software bugs by automatically importing functionality from other, more secure applications.
At the Association for Computing Machinery’s Programming Language Design and Implementation this month, MIT researchers presented a new system that repairs dangerous software bugs by automatically importing functionality from other, more secure applications.
Remarkably, the system, dubbed CodePhage, doesn’t require access to the source code of the applications whose functionality it’s borrowing. Instead, it analyzes the applications’ execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it’s repairing was written.
Once it’s imported code into a vulnerable application, CodePhage can provide a further layer of analysis that guarantees that the bug has been repaired.
“We have tons of source code available in open-source repositories, millions of projects, and a lot of these projects implement similar specifications,” says Stelios Sidiroglou-Douskos, a research scientist at CSAIL who led the development of CodePhage. “Even though that might not be the core functionality of the program, they frequently have subcomponents that share functionality across a large number of projects.”
With CodePhage, he says, “over time, what you’d be doing is building this hybrid system that takes the best components from all these implementations.”
(QESP Editor’s Note: In the original, the researchers give details of how CodePhage performs its analysis, using “a bug-locating program that the same group reported in March, dubbed DIODE”)
The researchers tested CodePhage on seven common open-source programs in which DIODE had found bugs, importing repairs from between two and four donors for each. In all instances, CodePhage was able to patch up the vulnerable code, and it generally took between two and 10 minutes per repair.
As the researchers explain, in modern commercial software, security checks can take up 80 percent of the code — or even more. One of their hopes is that future versions of CodePhage could drastically reduce the time that software developers spend on grunt work, by automating those checks’ insertion.
“The longer-term vision is that you never have to write a piece of code that somebody else has written before,” Rinard says. “The system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work.”
Massachusetts Institute of Technology. “Automatic computer bug repair: System fixes bugs by importing functionality from other programs, without access to source code.” ScienceDaily. ScienceDaily, 29 June 2015. www.sciencedaily.com/releases/2015/06/150629132423.htm