Helix Automatic Software Repair with Evolutionary Computation Stephanie Forrest Westley Weimer.

Slides:

Advertisements

Similar presentations

1 An Adaptive GA for Multi Objective Flexible Manufacturing Systems A. Younes, H. Ghenniwa, S. Areibi uoguelph.ca.

Advertisements

CHAPTER 2 GC101 Program’s algorithm 1. COMMUNICATING WITH A COMPUTER  Programming languages bridge the gap between human thought processes and computer.

A SYSTEMATIC STUDY OF AUTOMATED PROGRAM REPAIR: FIXING 55 OUT OF 105 BUGS FOR $8 EACH Claire Le Goues Michael Dewey-Vogt Stephanie Forrest Westley Weimer.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

On the Genetic Evolution of a Perfect Tic-Tac-Toe Strategy

Automatic Software Repair Using GenProg 张汉生 ZHANG Hansheng 2013/12/3.

Automatic Program Correction Anton Akhi Friday, July 08, 2011.

© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.

Random Testing of Interrupt-Driven Software John Regehr University of Utah.

Improving Network Applications Security: a New Heuristic to Generate Stress Testing Data Presented by Conrad Pack Del Grosso et al.

Genetic Algorithms Nehaya Tayseer 1.Introduction What is a Genetic algorithm? A search technique used in computer science to find approximate solutions.

PRE-PROGRAMMING PHASE

Zichao Qi, Fan Long, Sara Achour, and Martin Rinard MIT CSAIL

Genetic Programming.

Dr. Pedro Mejia Alvarez Software Testing Slide 1 Software Testing: Building Test Cases.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

Automatic Program Repair With Evolutionary Computation Westley Weimer Computer Science Dept. University of Virginia Charlottesville, VA 22904

© Janice Regan, CMPT 128, Jan CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.

Genetic Algorithm.

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Department of Computer Science & Engineering College of Engineering.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Problems Premature Convergence Lack of genetic diversity Selection noise or variance Destructive effects of genetic operators Cloning Introns and Bloat.

Simple Program Design Third Edition A Step-by-Step Approach

Adapting Convergent Scheduling Using Machine Learning Diego Puppin*, Mark Stephenson †, Una-May O’Reilly †, Martin Martin †, and Saman Amarasinghe † *

` Research 2: Information Diversity through Information Flow Subgoal: Systematically and precisely measure program diversity by measuring the information.

Algorithms and Programming

Computer Security and Penetration Testing

Using Execution Paths to Evolve Software Patches ThanhVu Nguyen*, Westley Weimer**, Claires Le Gouges**, Stephanie Forrest* * University of New Mexico.

Programming Lifecycle

Zorica Stanimirović Faculty of Mathematics, University of Belgrade

What is Genetic Programming? Genetic programming is a model of programming which uses the ideas (and some of the terminology) of biological evolution to.

AUTOMATIC PROGRAM REPAIR USING GENETIC PROGRAMMING CLAIRE LE GOUES APRIL 22,

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 15: Automated Patch Generation.

Evolving Virtual Creatures & Evolving 3D Morphology and Behavior by Competition Papers by Karl Sims Presented by Sarah Waziruddin.

TaintScope Presented by: Hector M Lugo-Cordero, MS CAP 6135 April 12, 2011.

AUTOMATIC PROGRAM REPAIR USING GENETIC PROGRAMMING 1 CLAIRE LE GOUES APRIL 22, 2013

G ENETIC P ROGRAMMING Ranga Rodrigo March 17,

Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012 Boolean Program Repair Reverse Conversion Tool via SMT.

Introduction to Compilers. Related Area Programming languages Machine architecture Language theory Algorithms Data structures Operating systems Software.

Automated Patch Generation Adapted from Tevfik Bultan’s Lecture.

REPRESENTATIONS AND OPERATORS FOR IMPROVING EVOLUTIONARY SOFTWARE REPAIR Claire Le Goues Westley Weimer Stephanie Forrest

Xusheng Xiao North Carolina State University CSC 720 Project Presentation 1.

An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.

ECE 103 Engineering Programming Chapter 52 Generic Algorithm Herbert G. Mayer, PSU CS Status 6/4/2014 Initial content copied verbatim from ECE 103 material.

Software Development Problem Analysis and Specification Design Implementation (Coding) Testing, Execution and Debugging Maintenance.

Coevolutionary Automated Software Correction Josh Wilkerson PhD Candidate in Computer Science Missouri S&T.

Automated discovery in math Machine learning techniques (GP, ILP, etc.) have been successfully applied in science Machine learning techniques (GP, ILP,

Computer and Programming. Computer Basics: Outline Hardware and Memory Programs Programming Languages and Compilers.

D Nagesh Kumar, IIScOptimization Methods: M8L5 1 Advanced Topics in Optimization Evolutionary Algorithms for Optimization and Search.

GAIA (Genetic Algorithm Interface Architecture) Requirements Analysis Document (RAD) Version 1.0 Created By: Charles Hall Héctor Aybar William Grim Simone.

1 Autonomic Computer Systems Evolutionary Computation Pascal Paysan.

Dr. Mohamed Ramadan Saady 314ALL CH1.1 Chapter 1: Introduction to Compiling.

Genetic Algorithm Dr. Md. Al-amin Bhuiyan Professor, Dept. of CSE Jahangirnagar University.

Genetic Programming Using Simulated Natural Selection to Automatically Write Programs.

Artificial Intelligence By Mr. Ejaz CIIT Sahiwal Evolutionary Computation.

1 Comparative Study of two Genetic Algorithms Based Task Allocation Models in Distributed Computing System Oğuzhan TAŞ 2005.

Genetic Algorithm. Outline Motivation Genetic algorithms An illustrative example Hypothesis space search.

Evolutionary Computation Evolving Neural Network Topologies.

Haploid-Diploid Evolutionary Algorithms

Introduction to Genetic Algorithms

Anti-patterns in Search-based Program Repair

An Evolutionary Approach

Database Management System

Haploid-Diploid Evolutionary Algorithms

High Coverage Detection of Input-Related Security Faults

Automated Patch Generation

Examining Variables on Flow Paths

Automatically Diagnosing and Repairing Error Handling Bugs in C

Coevolutionary Automated Software Correction

Presentation transcript:

Helix Automatic Software Repair with Evolutionary Computation Stephanie Forrest Westley Weimer

Helix Introduction Automatic bug repair is an important unsolved problem in software engineering Automated repair is needed for self-healing systems “The problem of security is the problem of software” We combine state-of-the-art methods from programming languages with innovations in evolutionary computation To repair bugs in publicly released software

Helix Summary of Method Assume: Access to C source code Negative test case (input = ; output = infinite loop) Positive test cases (encode required program functionality) Construct Abstract Syntax Tree using CIL Evolve repair that avoids negative test case and passes positive test case Minimize repair using structural differencing and delta debugging

Helix What is evolutionary computation? 4 Evolution in a computer: Individuals (genotypes) stored in the computer’s memory Evaluation of individuals (artificial selection) Differential reproduction by copying and deleting Variation introduced by analogy with mutation and crossover

Helix Example: Microsoft Zune Dec. 31, Microsoft Zune players mysteriously freeze up. Bug: Infinite loop when input is last day of a leap year. Negative test case: 10593, which corresponds to Dec 31, Repair is not trivial. Microsoft’s recommendation was to let Zune drain its battery and then reset. Downloaded from (Jan. 2009).

Helix Evolutionary Computation Innovations Start with a working program Focus on execution path through AST Restrict mutation and crossover to execution path Represent AST at level of statements Leaves out expressions, variable declarations Genetic operators Don’t invent any new code, crossback, macromutation operators Minimize repair size using structural differencing

Helix AST Representation

Helix Weighted Path Nodes visited by negative test case have weight 1.0 Nodes visited by negative and positive test cases have weight 0.01 All other nodes have weight 0.0

Helix The Final Evolved Repair

Helix Summary of Repairs to Date Twenty distinct defects in 7 classes: Segfault: 7 Buffer overflows: 3 Infinite loops: 4 Incorrect output: 2 Integer overflow: 2 Non-overflow DOS: 1 Format string attack: 1 Twenty distinct programs totaling 186,603 LOC (180k LOC) Scientific Computing: 1 Scripting Languages: 3 Games, Graphics, Sound: 4 Servers (web, ftp, authentication): 4 Operating system utilities: 8

Helix Benchmark programs Program Lines of Code (LOC) FunctionalityFault Time to Repair zune28media playerinfinite loop42s gcd22handcrafted exampleinfinite loop153s uniq1146duplicate text processingsegfault34s look-u1169dictionary lookupsegfault45s look-s1363dictionary lookupinfinite loop55s units1504metric conversionsegfault109s deroff2236document processingsegfault131s nullhttp5575webserverheap overflow578s indent9906source code processinginfinite loop546s flex18775lexical analyzer generatorsegfault230s atris21553graphical tetris gamestack overflow80s openldap io.c6519directory protocolnonoverflow DOS665s lighttp fastcgi.c 13984webserverheap overflow49s php string.c26044scripting languageinteger overflow6s wu-ftpd35109FTP serverformat string2256s GECCO 2009, ICSE 2009, ACSAC (submitted)

Helix Time to Discover Repair Time to repair: minutes Time includes: GP algorithm (selection, mutation, calculating fitness, etc.) Running test cases Pretty printing and memoizing ASTs gcc (compiling ASTs into executable code) No special hardware

Helix Research Questions Does it really work? Why does it work? How can we break it? How does the representation affect size of search space? Order-of-magnitude reductions What is the role of evolution? Variable. Random search often performs as well How does the number of test cases affect results? Can improve results and reduce variability, but increases search time How does the method scale with problem size? Search time scales more than linearly but less than a quadratic

Helix Search Time Scaling m = 1.26

Helix Why it Works Generic approach Powerful intermediate representation Weighted path greatly reduces search space Minimization eliminates unnecessary fixes Most bugs can be fixed with a few local modifications 667 average atomic genetic operations to discover a repair; Repair discovered on average in 3.6 generations; 2.9 genetic operations per fitness evaluation At least 1/2 the time, Random Search does as well as GP

Helix Quality of Repair Manual checks for repair correctness. Microsoft requires that security-critical changes be subjected to 100,000 fuzz inputs (randomly generated structured input strings). Used SPIKE black-box fuzzer (immunitysec.com) to generate 100,000 held-out fuzz requests for web server examples. In no case did GP repairs introduce errors that were detected by the fuzz tests, and in every case the GP repairs defeated variant attacks based on the same exploit. Thus, the GP repairs are not fragile memorizations of the input. GP repairs also correctly handled all subsequent requests from indicative workload.

Helix Papers and Awards W. Weimer, T. Nguyen, C. Le Goues, and S. Forrest ``Automatically finding patches using genetic programming.'’ ICSE (2009) Best Paper Award. S. Forrest, W. Weimer, T. Nguyen, and C. Le Goues ``A Genetic Programming Approach to Automated Software Repair.'’ GECCO (2009) Best Paper Award. C. Le Goues, T. Nguyen, W. Weimer, and S. Forrest ``Closed-Loop Repair of Security Vulnerabilities.'’ (ACSAC 25) (Submitted June 2009). AWARD: Human-Competitive Results Produced by Genetic and Evolutionary Computation (Humie Award). $5000 IFIP TC2 Manfred Paul Award for Excellence in Software: Theory and Practice.1024 Euros 2nd International Workshop on Search-Based Software Testing. Best paper and best presentation. 17

Helix The Future Self-healing systems for security (next talk) Integrating anomaly detection to find negative test cases Runtime repair using software dynamic translation, e.g., Strata Repair templates, other search methods Repair quality carefully Consistency in distributed applications? N-version diversity? Systematic study of large software code bases Hypothesis: Most bugs are small A small step for GP, a large step for software?

Helix Evolutionary computation details Fitness: Weighted sum of test cases that the program passes: F(Programs that don’t compile) = 0 5 positive test cases (weight = 1), 1 or 2 negative test cases (weight = 10) Mutation operations: Delete a statement, Insert a statement, Swap a stmt along the weighted path with a stmt from another part of the program, Crossover: Crosses back to original parent Population size is 40. Standard run is 10 gens + 10 gens

Helix Minimizing the final repair Use tree-structured differencing (Al-Ekram et al. 2005) View primary repair as a set of tree-structured operations Consider the One-minimal subset of repairs Let C p = {c 1, c 2,... c n } be the set of changes in a primary repair One-minimal subset is the minimal subset of C p that passes all test cases Delta debugging: Search for one-minimal subset using binary search n 2 time in worst case often linear