An empirical study of automatic program repair techniques for injection vulnerabilities

Author

Tingwei ZHU
Tongtong XU
Kui LIU
Jiayuan ZHOU
Xing HU
Xin XIA
Tian ZHANG
David LO, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

10-2024

Abstract

Injection vulnerabilities are among the most serious and dangerous security defects, as they can be exploited by attackers to inject malicious inputs and carry out cybercrimes. Timely fixing of injection vulnerabilities is crucial. However, manual repairs of injection vulnerabilities often require specialized knowledge and are prone to errors, posing a challenge and a heavy burden on developers. In recent years, Automated Program Repair (APR) techniques have shown promising momentum in automatically fixing general defects. Yet, there has been no research on how APR techniques perform in repairing injection vulnerabilities. Therefore, in this paper, we conduct an empirical study. We first construct a benchmark for injection vulnerability repair and evaluate several representative state-of-the-art APR approaches on this benchmark. The results show that existing APR tools do not adequately support the repair of injection vulnerabilities. To investigate the underlying reasons, we compare the characteristics of patches for injection vulnerabilities and general defects, and explore whether the plastic surgery hypothesis widely used in APR still holds for injection vulnerabilities. The results reveal that fixing injection vulnerabilities is more complex than fixing general defects due to significant differences in the characteristics of their patches. Additionally, the support for the plastic surgery hypothesis is much lower in the context of injection vulnerability repair. We also analyzed developers' intentions when fixing injection vulnerabilities. Finally, we summarize the implications and point out potential research directions for injection vulnerability repair.

Keywords

Injection vulnerability, automatic program repair, empirical study

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Areas of Excellence

Digital transformation

Publication

Proceedings of the 40th IEEE International Conference on Software Maintenance and Evolution (ICSME 2024): Flagstaff, AZ, USA, October 6-11

First Page

25

Last Page

37

ISBN

9798350395686

Identifier

10.1109/ICSME58944.2024.00014

Publisher

IEEE

City or Country

Los Alamitos, CA

Citation

ZHU, Tingwei; XU, Tongtong; LIU, Kui; ZHOU, Jiayuan; HU, Xing; XIA, Xin; ZHANG, Tian; and David LO. An empirical study of automatic program repair techniques for injection vulnerabilities. (2024). Proceedings of the 40th IEEE International Conference on Software Maintenance and Evolution (ICSME 2024): Flagstaff, AZ, USA, October 6-11. 25-37.
Available at: https://ink.library.smu.edu.sg/sis_research/9888

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1109/ICSME58944.2024.00014