Download: PDF, Slides (PDF), Slides (PowerPoint).
“Automatically patching errors in deployed software” by Jeff H. Perkins, Sunghun Kim, Sam Larsen, Saman Amarasinghe, Jonathan Bachrach, Michael Carbin, Carlos Pacheco, Frank Sherwood, Stelios Sidiroglou, Greg Sullivan, Weng-Fai Wong, Yoav Zibin, Michael D. Ernst, and Martin Rinard. In SOSP 2009, Proceedings of the 22nd ACM Symposium on Operating Systems Principles, (Big Sky, MT, USA), Oct. 2009, pp. 87-102.
We present ClearView, a system for automatically patching errors in deployed software. ClearView works on stripped Windows x86 binaries without any need for source code, debugging information, or other external information, and without human intervention.
ClearView (1) observes normal executions to learn invariants that characterize the application's normal behavior, (2) uses error detectors to monitor the execution to detect failures, (3) identifies violations of learned invariants that occur during failed executions, (4) generates candidate repair patches that enforce selected invariants by changing the state or the flow of control to make the invariant true, and (5) observes the continued execution of patched applications to select the most successful patch.
ClearView is designed to correct errors in software with high availability requirements. Aspects of ClearView that make it particularly appropriate for this context include its ability to generate patches without human intervention, to apply and remove patches in running applications without requiring restarts or otherwise perturbing the execution, and to identify and discard ineffective or damaging patches by evaluating the continued behavior of patched applications.
In a Red Team exercise, ClearView survived attacks that exploit security vulnerabilities. A hostile external Red Team developed ten code-injection exploits and used these exploits to repeatedly attack an application protected by ClearView. ClearView detected and blocked all of the attacks. For seven of the ten exploits, ClearView automatically generated patches that corrected the error, enabling the application to survive the attacks and successfully process subsequent inputs. The Red Team also attempted to make ClearView apply an undesirable patch, but ClearView's patch evaluation mechanism enabled ClearView to identify and discard both ineffective patches and damaging patches.
Download: PDF, Slides (PDF), Slides (PowerPoint).
BibTeX entry:
@inproceedings{PerkinsKLABCPSSSWZER2009, author = {Jeff H. Perkins and Sunghun Kim and Sam Larsen and Saman Amarasinghe and Jonathan Bachrach and Michael Carbin and Carlos Pacheco and Frank Sherwood and Stelios Sidiroglou and Greg Sullivan and Weng-Fai Wong and Yoav Zibin and Michael D. Ernst and Martin Rinard}, title = {Automatically patching errors in deployed software}, booktitle = {SOSP 2009, Proceedings of the 22nd ACM Symposium on Operating Systems Principles}, pages = {87--102}, address = {Big Sky, MT, USA}, month = oct, year = {2009} }