An empirical study of automatic program repair techniques for injection vulnerabilities
Injection vulnerabilities are among the most serious and dangerous security defects, as they can be exploited by attackers to inject malicious inputs and carry out cybercrimes. Timely fixing of injection vulnerabilities is crucial. However, manual repairs of injection vulnerabilities often require specialized knowledge and are prone to errors, posing a challenge and a heavy burden on developers. In recent years, Automated Program Repair (APR) techniques have shown promising momentum in automatically fixing general defects. Yet, there has been no research on how APR techniques perform in repairing injection vulnerabilities. Therefore, in this paper, we conduct an empirical study. We first construct a benchmark for injection vulnerability repair and evaluate several representative state-of-the-art APR approaches on this benchmark. The results show that existing APR tools do not adequately support the repair of injection vulnerabilities. To investigate the underlying reasons, we compare the characteristics of patches for injection vulnerabilities and general defects, and explore whether the plastic surgery hypothesis widely used in APR still holds for injection vulnerabilities. The results reveal that fixing injection vulnerabilities is more complex than fixing general defects due to significant differences in the characteristics of their patches. Additionally, the support for the plastic surgery hypothesis is much lower in the context of injection vulnerability repair. We also analyze developers' intentions when fixing injection vulnerabilities. Finally, we summarize the implications and point out potential research directions for injection vulnerability repair.
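As an added illustration, not code from the paper or from its benchmark: the plastic surgery hypothesis says that the ingredients of a fix already exist somewhere in the program being repaired, which is why many APR tools build candidate patches by recombining lines that are already present. The Python below is constructed for this page; the toy codebase, the off-by-one defect, the SQLite lookup and the line-level redundancy score are all assumptions. It contrasts a general defect, whose corrected line already occurs elsewhere in the program, with an SQL injection fix that must introduce a parameterised query the program never used, and runs both versions of the lookup against a live in-memory database.

```python
import sqlite3

# Constructed pre-patch program, as an APR tool would see it (an assumption for this
# example, not the paper's benchmark). It has an off-by-one defect in last_items and
# an SQL injection in find_user; no function in it uses bound parameters.
CODEBASE = '''
def list_users(conn):
    return conn.execute("SELECT id, name FROM users").fetchall()

def find_user(conn, username):
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()

def last_items(items):
    out = []
    for i in range(len(items) - 1):
        out.append(items[i])
    return out

def all_items(items):
    for i in range(len(items)):
        yield items[i]
'''

# General defect: buggy and fixed versions of last_items.
BUGGY_LOOP = '''
def last_items(items):
    out = []
    for i in range(len(items) - 1):
        out.append(items[i])
    return out
'''
FIXED_LOOP = '''
def last_items(items):
    out = []
    for i in range(len(items)):
        out.append(items[i])
    return out
'''

# Injection vulnerability: buggy and fixed versions of find_user.
VULNERABLE_LOOKUP = '''
def find_user(conn, username):
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()
'''
FIXED_LOOKUP = '''
def find_user(conn, username):
    query = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()
'''


def _lines(src):
    """Non-empty lines with indentation stripped: the unit of reuse in this check."""
    return [ln.strip() for ln in src.strip().splitlines() if ln.strip()]


def added_lines(before, after):
    """Lines the patch introduces: present in the fixed snippet, absent from the buggy one."""
    return sorted(set(_lines(after)) - set(_lines(before)))


def redundancy(before, after, codebase):
    """Line-level plastic-surgery score: the fraction of the patch's new lines that already
    occur verbatim in the pre-patch program. 1.0 means every ingredient could be copied
    from the codebase; 0.0 means all of it has to be synthesised."""
    new = added_lines(before, after)
    if not new:
        return 1.0
    pool = set(_lines(codebase))
    return sum(1 for ln in new if ln in pool) / len(new)


# The same two versions of find_user as live code, run against an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn, username):
    # Before: the value is spliced into the statement text, so quotes in it become SQL.
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, username):
    # After: the value travels as a bound parameter and is never parsed as SQL.
    query = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


PAYLOAD = "x' OR '1'='1"  # constructed tautology payload


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable rows:", len(find_user_vulnerable(conn, PAYLOAD)))  # 2: every user
    print("fixed rows:", len(find_user_fixed(conn, PAYLOAD)))  # 0
    print("loop fix redundancy:", redundancy(BUGGY_LOOP, FIXED_LOOP, CODEBASE))  # 1.0
    print("injection fix redundancy:", redundancy(VULNERABLE_LOOKUP, FIXED_LOOKUP, CODEBASE))  # 0.0
```

The loop fix scores 1.0 because its only new line already exists in `all_items`, so a recombination-based repair tool can find it; the injection fix scores 0.0 because both the placeholder query and the parameter tuple are new to the program. Studies of the hypothesis measure reuse at finer granularity (tokens or AST subtrees); line-level matching is the simplest form of the check and is used here only to make the difference visible.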
Main Authors: | ZHU, Tingwei; XU, Tongtong; LIU, Kui; ZHOU, Jiayuan; HU, Xing; XIA, Xin; ZHANG, Tian; LO, David |
---|---|
Format: | text |
Language: | English |
Published: | Institutional Knowledge at Singapore Management University, 2024 |
Subjects: | Injection vulnerability; automatic program repair; empirical study; Software Engineering |
Online Access: | https://ink.library.smu.edu.sg/sis_research/9888 https://ink.library.smu.edu.sg/context/sis_research/article/10888/viewcontent/956800a025.pdf |
Institution: | Singapore Management University |
id | sg-smu-ink.sis_research-10888 |
---|---|
record_format | dspace |
title | An empirical study of automatic program repair techniques for injection vulnerabilities |
author | ZHU, Tingwei; XU, Tongtong; LIU, Kui; ZHOU, Jiayuan; HU, Xing; XIA, Xin; ZHANG, Tian; LO, David |
author_sort | ZHU, Tingwei |
description | Injection vulnerabilities are among the most serious and dangerous security defects, as they can be exploited by attackers to inject malicious inputs and carry out cybercrimes. Timely fixing of injection vulnerabilities is crucial. However, manual repairs of injection vulnerabilities often require specialized knowledge and are prone to errors, posing a challenge and a heavy burden on developers. In recent years, Automated Program Repair (APR) techniques have shown promising momentum in automatically fixing general defects. Yet, there has been no research on how APR techniques perform in repairing injection vulnerabilities. Therefore, in this paper, we conduct an empirical study. We first construct a benchmark for injection vulnerability repair and evaluate several representative state-of-the-art APR approaches on this benchmark. The results show that existing APR tools do not adequately support the repair of injection vulnerabilities. To investigate the underlying reasons, we compare the characteristics of patches for injection vulnerabilities and general defects, and explore whether the plastic surgery hypothesis widely used in APR still holds for injection vulnerabilities. The results reveal that fixing injection vulnerabilities is more complex than fixing general defects due to significant differences in the characteristics of their patches. Additionally, the support for the plastic surgery hypothesis is much lower in the context of injection vulnerability repair. We also analyze developers' intentions when fixing injection vulnerabilities. Finally, we summarize the implications and point out potential research directions for injection vulnerability repair. |
format | text |
language | English |
topic | Injection vulnerability; automatic program repair; empirical study; Software Engineering |
publisher | Institutional Knowledge at Singapore Management University |
collection | Research Collection School Of Computing and Information Systems (InK@SMU) |
publishDate | 2024 |
date | 2024-10-01T07:00:00Z |
doi | 10.1109/ICSME58944.2024.00014 |
license | http://creativecommons.org/licenses/by-nc-nd/4.0/ |
url | https://ink.library.smu.edu.sg/sis_research/9888 https://ink.library.smu.edu.sg/context/sis_research/article/10888/viewcontent/956800a025.pdf |
institution | Singapore Management University |
building | SMU Libraries |
content_provider | SMU Libraries |
continent | Asia |
country | Singapore |
record timestamp | 2025-01-02T09:09:06Z |
_version_ | 1821237275268218880 |