Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62201564193
HistoryJul 01, 2015 - 12:00 a.m.

Massachusetts Institute of Technology(MIT)invention vulnerabilities automatically repair system-vulnerability warning-the black bar safety net

2015-07-0100:00:00
佚名
www.myhack58.com
7
JSON

! [](/Article/UploadPic/2015-7/2 0 1 5 7 1 1 4 4 7 5 7 7 9 1. png)
In this month’s Computer Society programming languages design and implementation Conference on the Association for Computing Machinery’s Programming Language Design and Implementation, the MIT researchers demonstrated a new system, it is possible by introducing other, more security of application functions, and automatically repair dangerous software vulnerabilities.
The vulnerability of automatic repair system: CodePhage
The system is called CodePhage, it automatically“borrow”other programs ’ functionality does not need to obtain the source code. Therefore, the import program, i.e., the Donor the donor, hereinafter referred to AS D the development of language is not important. Once for the repair of code to import to the vulnerability of the application, i.e. the Recipient the recipient, referred to as R, CodePhage can provide a deeper layer of analysis to ensure that vulnerabilities are repaired.
MIT Computer Science and artificial intelligence laboratory CSAIL)CodePhage development head of Stelios Sidiroglou-Douskos said
“In the open source library, we have a lot of source code available for use, these millions of items as well as a large number of specifications similar to the project implementation. Over time, you need to complete is to from the these items to obtain the best components to build CodePhage-a mixed system.”
The beginning of the analysis, the CodePhage need two sample values input: a will cause R to crash, another will not. A known DIODE of the vulnerability of the positioning program can be generated automatically cause the crash crash-inducing input in. But the user is only considered to be open a specific file caused the crash accident.
The system is running
First, CodePhage D provides a does not cause the collapse of the“safe”input. Then the trace D of the Executive to manipulate the sequence and use symbolic expressions to record them, where the symbolic expression symbolic expression, referred to as the SE is a string description ofoperating systemapplied the logic of the constraint symbols.
In some cases, for example, may detect the D input is less than a certain threshold. If the result is less than, CodePhage will add a SE term to represent the situation below the threshold. Here does not record the file’s actual size, is only detected by applying a limiting constraint.
Next, CodePhage D to provide a cause the collapse of the input. It again constructed a SE to represent the D to perform the operation of the program. But when the new SE from the old one separated, CodePhage will interrupt its process. The deviations divergence is a safety input and experience of the constraints caused by the collapse of the input does not meet. Therefore, it is possible that R safe detection of the missing portion.
Then CodePhage analysis of the R program to find most of the SE limit of the input position, but not all. R can be in a different order to perform different operations, rather than entirely in accordance with the perpetrators did, at the same time can store different forms of data. After this process, the SE describes the state of the data, rather than the process itself.
At each identified location, CodePhage can be unaffected by most of the SE bound-the same applies to R. From the first position to start, the CodePhage will remain in the R programming language in a small amount of constraint is converted to the new code, and insert it into the source code. Then run again cause the collapse of the input.
If the program can run, the new code solves this problem. If not, CodePhage will move to the R of the next candidate position. If the project still crashes, even in CodePhage has tried to fix all the candidate positions, it will still return to the D Program, and to continue to build SE, until you find the next deviation.
View original article>
Automation of the future
The researchers found that the vulnerability of the DIODE seven common open source projects tested CodePhage, each from D imported two to four in number, ranging from bug fixes. In all cases, CodePhage are able to fix vulnerabilities in the code, and each repair only requires two to ten minutes time.
Security testingoccupies a modern business software 8 0% or more of the code. The researchers hope that the future CodePhage version can be automatically checked and inserted into the system, thereby greatly reducing the software developer spent in heavy work in the time, liberating the programmer.
The developers of the language
MIT Computer Science and engineering Professor Martin Rinard says
“Vision for the future is, you’ll never need to write a paragraph someone else wrote The code. This system is able to find the code, and no matter what kind of code can automatically put them together, get your program up and running.
To borrow another having similar functions to the program code of the tricks, and used to repair a basically already broken program, this is a very cool process. To be honest, I’m surprised it turned out to be able to run.”
Berger explained that
“Shi’s program is not the same person writing. They have different encoding standards; for variable naming is also different; the use of completely different variables; these variables can be local; or the higher of the stack. CodePhage be able to identify these links, and determine‘these variables and these variables are associated’with. With organ donation is similar, by the genetic code, The transfer makes an individual more perfect. It works and the final outcome is really surprising, which is very cool.”

JSON