An End-to-End Framework for Repairing Potentially Vulnerable Source Code

J. Jász, Péter Hegedűs, Á. Milánkovich, R. Ferenc
DOI: 10.1109/SCAM55253.2022.00034
Published in: 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM), October 2022
Citation count: 0

Abstract

Nowadays, program development is getting easier and easier as the various IDE tools provide advice on what to write in the program. But it is not enough to implement a solution to a problem; it is also important that the non-functional properties, like the quality or security of the code, are appropriate in all aspects. One of the most widely used techniques to ensure quality is testing. If the tests fail, one can fix the code immediately. However, security issues are not anticipated while implementing the program, which is why we do not write tests for them in advance. In many cases, security-relevant bugs can not only cause financial loss but also put human lives at risk, so detecting and fixing them is an important step for the reliability and quality of the program. The tool presented in this paper aims to generate automatic code repairs for potential vulnerabilities in the program. By integrating the recommended fixes, one can easily harden the security of one's program early in the development process. A case study on six open-source Java subject systems showed that we were able to generate viable repair patches for 57 out of the 81 detected security issues (70%). For certain types (e.g., revealing private references of mutable objects), our tool reached close to perfect performance.