This month CSAIL researchers presented a new system that repairs dangerous software bugs by automatically importing functionality from other, more secure applications.
Remarkably, the system, dubbed CodePhage, doesn’t require access to the source code of the applications whose functionality it’s borrowing. Instead, it analyzes the applications’ execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it’s repairing was written.
Once it’s imported code into a vulnerable application, CodePhage can provide a further layer of analysis that guarantees that the bug has been repaired.
“We have tons of source code available in open-source repositories, millions of projects, and a lot of these projects implement similar specifications,” says Stelios Sidiroglou-Douskos, a CSAIL research scientist who led the development of CodePhage. “Even though that might not be the core functionality of the program, they frequently have subcomponents that share functionality across a large number of projects.”
With CodePhage, he says, “over time, what you’d be doing is building this hybrid system that takes the best components from all these implementations.”
Read more about the work, which was presented at ACM’s Programming Language Design and Implementation conference: http://newsoffice.mit.edu/2015/automatic-code-bug-repair-0629