Automatic Repair of Java Code with Timing Side-Channel Vulnerabilities

Abstract

Vulnerability detection and repair is a demanding and expensive part of the software development process. As such, there has been an effort to develop new and better ways to automatically detect and repair vulnerabilities. DifFuzz is a state-of-the-art tool for automatic detection of timing side-channel vulnerabilities, a type of vulnerability that is particularly difficult to detect and correct. Despite recent progress made with tools such as DifFuzz, work on tools capable of automatically repairing timing side-channel vulnerabilities is scarce. In this paper, we propose DifFuzzAR, a new tool for automatic repair of timing side-channel vulnerabilities in Java code. The tool works in conjunction with DifFuzz and it is able to repair 56% of thevulnerabilities identified in DifFuzz’s dataset. The results show that the tool can indeed automatically correct timing side-channel vulnerabilities, being more effective with those that are control-flow based.

Alexandra Mendes

Assistant Professor

My research focuses on innovative user interfaces for formal methods and mathematical approaches to software quality. More recently, I started work on usable security, in particular on the impact of formal verification on the use and adoption of formally verified security software product. Much of my most recent work overlaps with the area of software engineering. I am also interested on innovative and fun ways to teach Computer Science. For more details, see selected publications and some of my projects. Follow me on Twitter or add me on LinkedIn.