Abstract:
Programs are susceptible to malformed data coming from untrusted sources. Occasionally the
programming logic or constructs used are inappropriate to handle all types of constraints that are
imposed by legal and well-formed data. As a result, programs produce unexpected results or, even
worse, crash. Program behavior in both of these cases is highly undesirable.
In this thesis work, we present a novel hybrid approach that saves programs from crashing when
the failures originate from malformed strings or inappropriate handling of strings. Our approach
statically analyses a program to identify statements that are vulnerable to failures related to
associated string data. It then generates patches that are likely to satisfy constraints on the
data and, in case of failures, produce program behavior close to what is expected.
The precision of the patches is improved with the help of a dynamic analysis. The patches are
activated only after a failure is detected, and the technique incurs no runtime overhead during
the normal course of execution and negligible overhead in case of failures.
We have experimented with the Java String API, and applied Clotho to several hugely popular
open-source libraries to patch 30 bugs, several of them rated either critical or major. Our
evaluation shows that Clotho is both practical and effective. The comparison of the patches
generated by our technique with the actual patches developed by the programmers in the later
versions shows that they are semantically similar.