Thu 21 Jun 2018 15:15 - 15:40 at Grand Ballroom CD - Synthesis and Learning Chair(s): Xin Zhang

Creating and maintaining an up-to-date set of security rules that match misuses of crypto APIs is challenging, as crypto APIs constantly evolve over time with new cryptographic primitives and settings, making existing ones obsolete.

To address this challenge, we present a new approach to extract security fixes from thousands of code changes. Our approach consists of: (i) identifying code changes, which often capture security fixes, (ii) an abstraction that filters irrelevant code changes (such as refactorings), and (iii) a clustering analysis that reveals commonalities between semantic code changes and helps in eliciting security rules.

We applied our approach to the Java Crypto API and showed that it is effective: (i) our abstraction effectively filters non-semantic code changes (over 99% of all changes) without removing security fixes, and (ii) over 80% of the code changes are security fixes identifying security rules. Based on our results, we identified 13 rules, including new ones not supported by existing security checkers.

Thu 21 Jun

Displayed time zone: Eastern Time (US & Canada) change

14:00 - 15:40
Synthesis and LearningPLDI Research Papers at Grand Ballroom CD
Chair(s): Xin Zhang Massachusetts Institute of Technology, USA
14:00
25m
Talk
A General Path-Based Representation for Predicting Program Properties
PLDI Research Papers
Uri Alon Technion, Meital Zilberstein Technion, Omer Levy University of Washington, USA, Eran Yahav Technion
Media Attached
14:25
25m
Talk
Program Synthesis using Conflict-Driven Learning
PLDI Research Papers
Yu Feng University of Texas at Austin, USA, Ruben Martins Carnegie Mellon University, Osbert Bastani Stanford University, Işıl Dillig UT Austin
Media Attached
14:50
25m
Talk
Accelerating Search-Based Program Synthesis using Learned Probabilistic Models
PLDI Research Papers
Woosuk Lee University of Pennsylvania, USA, Kihong Heo University of Pennsylvania, USA, Rajeev Alur University of Pennsylvania, Mayur Naik University of Pennsylvania
Media Attached
15:15
25m
Talk
Inferring Crypto API Rules from Code Changes
PLDI Research Papers
Media Attached