HyperGI: Automated Detection and Repair of Information Flow Leakage

@article{Mesecan2021HyperGIAD,
  title={HyperGI: Automated Detection and Repair of Information Flow Leakage},
  author={Ibrahim Mesecan and Daniel Blackwell and David Clark and Myra B. Cohen and Justyna Petke},
  journal={2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE)},
  year={2021},
  pages={1358-1362}
}
Maintaining confidential information control in soft-ware is a persistent security problem where failure means secrets can be revealed via program behaviors. Information flow control techniques traditionally have been based on static or symbolic analyses — limited in scalability and specialized to particular languages. When programs do leak secrets there are no approaches to automatically repair them unless the leak causes a functional test to fail. We present our vision for HyperGI, a genetic… 

Figures and Tables from this paper

Deep Genetic Programming Trees are Robust
  • W. Langdon
  • Computer Science
    ACM Transactions on Evolutionary Learning and Optimization
  • 2022
TLDR
It is shown that deeply nested expressions are robust to crossover syntax changes, bugs, errors, run time glitches, perturbations, etc., because their disruption falls to zero, and so it fails to propagate beyond the program.

References

SHOWING 1-10 OF 29 REFERENCES
ct-fuzz: Fuzzing for Timing Leaks
TLDR
The ct-fuzz tool is presented, which lends coverage-guided grey box fuzzers the ability to detect two safety property violations, and is capable of exposing violations to any two-safety property expressed a sequality between two program traces.
Quantifying information leaks in software
TLDR
A technique which makes it possible to decide if a program conforms to a quantitative policy which scales to large state-spaces with the help of bounded model checking is introduced, and is the first demonstration of quantitative information flow addressing security concerns of real-world industrial programs.
Hypertesting : The Case for Automated Testing of Hyperproperties
TLDR
This paper outlines concepts and tools for the next generation of bug finding systems and aims to establish a generalized concept for the generation of “hypertests”, sets of tests that either provide some level of confidence in the system or give counterexamples to hyperproperties.
On-the-fly inlining of dynamic security monitors
Language-based information-flow security
TLDR
A structured view of research on information-flow security is given, particularly focusing on work that uses static program analysis to enforce information- flow policies, and some important open challenges are identified.
A Principled Approach to Tracking Information Flow in the Presence of Libraries
TLDR
This paper presents a principled approach to tracking information flow in the presence of libraries, and formalizes the approach for a core language, extends it with lists and higher-order functions, and establishes soundness results with respect to the security condition of noninterference.
Automatically eliminating speculative leaks from cryptographic code with blade
TLDR
Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect, and shows how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks.
Angelix: Scalable Multiline Program Patch Synthesis via Symbolic Analysis
TLDR
Angelix is a novel semantics- based repair method that scales up to programs of similar size as are handled by search-based repair tools such as GenProg and SPR, and is more scalable than previously proposed semantics based repair methods such as SemFix and DirectFix.
Symbolic quantitative information flow
TLDR
A novel method that precisely quanties information leaks is presented, built on top of Java Pathfinder, an open source model checking platform, and it is the first tool in the field to support information-theoretic QIF analysis.
F-BLEAU: Fast Black-Box Leakage Estimation
TLDR
An analogy between Machine Learning and black-box leakage estimation is exploited to show that the Bayes risk of a system can be estimated by using a class of ML methods: the universally consistent learning rules; these rules can exploit patterns in the input-output examples to improve the estimates' convergence, while retaining formal optimality guarantees.
...
...