Automatic Repair of Java Code with Timing Side-Channel Vulnerabilities

Abstract

Vulnerability detection and repair is a demanding and expensive part of the software development process. As such, there has been an effort to develop new and better ways to automatically detect and repair vulnerabilities. DifFuzz is a state-of-the-art tool for automatic detection of timing side-channel vulnerabilities, a type of vulnerability that is particularly difficult to detect and correct. Despite recent progress made with tools such as DifFuzz, work on tools capable of automatically repairing timing side-channel vulnerabilities is scarce. In this paper, we propose DifFuzzAR, a new tool for automatic repair of timing side-channel vulnerabilities in Java code. The tool works in conjunction with DifFuzz and it is able to repair 56% of the vulnerabilities identified in DifFuzz’s dataset. The results show that the tool can indeed automatically correct timing side-channel vulnerabilities, being more effective with those that are control-flow based.

Publication
In the 5th International Workshop on Refactoring (co-located with the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE’21))
João F. Ferreira
INESC-ID & IST
Alexandra Mendes
INESC TEC & UBI