Saved in:
Bibliographic Details
Main Authors: Huang, Zhen, Dokic, Hristina
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2405.16372
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913363852787712
author Huang, Zhen
Dokic, Hristina
author_facet Huang, Zhen
Dokic, Hristina
contents Software vulnerabilities are prevalent but fixing software vulnerabilities is not trivial. Studies have shown that a considerable prepatch window exists because it often takes weeks or months for software vendors to fix a vulnerability. Existing approaches aim to reduce the pre-patch window by generating and applying mitigation patches that prevent adversaries from exploiting vulnerabilities rather than fix vulnerabilities. Because mitigation patches typically terminate the execution of vulnerability-triggering program paths at the level of functions, they can have significant side-effects. This paper describes an approach called PAVER that generates and inserts mitigation patches at the level of program paths, i.e. path-wise vulnerability mitigation patches, in order to reduce their side-effects. PAVER generates a program path graph that includes the paths leading to vulnerabilities and the control dependencies on these paths, then identifies candidate patch locations based on the program path graph. For each candidate patch location, PAVER generates and inserts a mitigation patch, and tests the patched program to assess the side-effect of the patch. It ranks the patches by the extent of their side-effects. We evaluates the prototype of PAVER on real world vulnerabilities and the evaluation shows that our path-wise vulnerability mitigation patches can achieve minimum side-effects.
format Preprint
id arxiv_https___arxiv_org_abs_2405_16372
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Path-wise Vulnerability Mitigation
Huang, Zhen
Dokic, Hristina
Cryptography and Security
Software vulnerabilities are prevalent but fixing software vulnerabilities is not trivial. Studies have shown that a considerable prepatch window exists because it often takes weeks or months for software vendors to fix a vulnerability. Existing approaches aim to reduce the pre-patch window by generating and applying mitigation patches that prevent adversaries from exploiting vulnerabilities rather than fix vulnerabilities. Because mitigation patches typically terminate the execution of vulnerability-triggering program paths at the level of functions, they can have significant side-effects. This paper describes an approach called PAVER that generates and inserts mitigation patches at the level of program paths, i.e. path-wise vulnerability mitigation patches, in order to reduce their side-effects. PAVER generates a program path graph that includes the paths leading to vulnerabilities and the control dependencies on these paths, then identifies candidate patch locations based on the program path graph. For each candidate patch location, PAVER generates and inserts a mitigation patch, and tests the patched program to assess the side-effect of the patch. It ranks the patches by the extent of their side-effects. We evaluates the prototype of PAVER on real world vulnerabilities and the evaluation shows that our path-wise vulnerability mitigation patches can achieve minimum side-effects.
title Path-wise Vulnerability Mitigation
topic Cryptography and Security
url https://arxiv.org/abs/2405.16372