Titulo Estágio
Using Evolutionary Algorithms to Automate the Correction of Software Vulnerabilities
Local do Estágio
SSE-CISUC
Enquadramento
Studies and reports show that, in general, software is deployed with security bugs. There are many reasons for this, but the most common one is that software developers are often not specialized in security, which makes them less capable of avoiding, or finding and fixing vulnerabilities.
There are many approaches to detect vulnerabilities, and although their effectiveness is far from satisfactory, substantial efforts have been made in the last decades. However, techniques that automatically generate patches for the vulnerabilities found are in their early stages.
It is also well known that vulnerable code patterns are frequently repeated by developers. Therefore, automated tools can save them from a lot repetitive activities, reducing the time needed to correct problems and, consequently, the implied costs.
Several techniques are available to automatedly improve software. Evolutionary Algorithms, are nowadays being used for improvement of software. In concrete Genetic Programming been used with success as a tool of finding and fixing bugs in software.
However, there are still many challenges for these techniques, such as scalability and the analysis of the software functional correctness in a trustworthy way.
Objetivo
In this context, the main objective of this project is to propose a new approach for the correction of software vulnerabilities. Obviously, it is not possible to solve all vulnerabilities types with only one approach, and therefore it will be necessary to identify the vulnerabilities to be targeted and the types of systems to be considered.
For this, a key challenge is the definition of new grammar that specifies the validity of solutions, especially designed to not limit the scalability of the overall solution. The second key challenge is the definition of trustworthy fitness functions, that provide guarantees from the functional correctness point of view. For this, we will explore the usage of symbolic execution-based techniques can be used, to complement the results obtained with tests.
Plano de Trabalhos - Semestre 1
[10/09/2020 to 31/10/2020] State of the art analysis.
[15/10/2020 to 30/11/2020] Definition of the proposed approach. Define the scope to the approach in terms of vulnerability and system types.
[15/11/2020 to 15/12/2020] Definition of the grammar to be used.
[15/11/2020 to 21/01/2021] Write the Dissertation Plan.
Plano de Trabalhos - Semestre 2
[01/02/2021 to 15/04/2021] Development of the proposed solution.
[20/03/2021 to 30/04/2021] Experimentation and validation.
[15/04/2020 to 31/05/2021] Write a scientific publication.
[15/05/2021 to 01/07/2021] Write the thesis.
Condições
The work is to be executed at the laboratories of the CISUC’s Software and Systems Engineering Group. A workplace will be provided as well as the required computational resources.
Orientador
Nuno Antunes / Nuno Lourenço
nmsa@dei.uc.pt 📩