SaTC: CORE: EAGER: Finding Semantic Security Bugs with Pseudo-Oracle Testing

Project Details

Lead PI

Performance Period

Oct 01, 2018 - Sep 30, 2020

Institution(s)

Columbia University

Award Number


Semantic security bugs cause serious vulnerabilities across a wide range of software. For example, in a recent incident, attackers exploited a semantic security bug in Apache Struts to steal sensitive personal data of up to 143 million customers from Equifax servers. Such vulnerabilities are quite common in practice: the total number of Common Vulnerabilities and Exposures (CVE) identifiers assigned to different types of semantic security bugs exceeds 2,000 just this year alone. The goal of this project is to improve security and reliability by automatically detecting such semantic vulnerabilities in critical software. Automatically detecting these bugs is hard because, unlike crash bugs, they may not show any obvious side effects. Instead, semantic security bugs (e.g., bypassing security checks, gaining access to sensitive information, escalating privileges) usually result from violations of high-level safety/security specifications which, in practice, are rarely written down formally. This project will investigate whether learning domain-specific metamorphic relations can help in detecting such semantic bugs.

In Software Engineering, metamorphic relations, which correlate the outputs of multiple executions of a program on different inputs, have been shown to be effective at finding simple functional bugs. While metamorphic relations show promise for detecting semantic security vulnerabilities, they cannot do so in their current form, because security properties cannot be expressed as simple input-output relations. The approach uses pseudo-oracle testing techniques such as differential testing and metamorphic testing. The project will use targeted path exploration techniques together with automata-learning algorithms to discover metamorphic testing rules, and will study how the semantics of metamorphic relations can be augmented to detect semantic security bugs. The research envisions a unified framework based on pseudo-oracles that can automatically detect semantic security bugs by comparing the program behaviors of related executions, without the need for manually written formal specifications. As a first step, the objective of this EAGER project is to empirically measure whether there is a comprehensive range of semantically expressive pseudo-oracle relations that can detect semantic security vulnerabilities.
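To make the idea concrete, here is an added example (not code from the project) of a metamorphic relation that encodes a security property rather than a functional one: an access-control decision must not change across equivalent encodings of the same resource path. The `authorize_*` functions, the role and path samples, and the transformation are all constructed for illustration; the relation flags the check-bypass bug without any formal specification of who may access what.

```python
import posixpath
from itertools import product

PROTECTED_PREFIX = "/admin"

# Constructed sample inputs for the two related executions.
ROLES = ["admin", "user"]
PATHS = ["/admin/users", "/public/index"]


def authorize_buggy(role, path):
    """Semantic bug: the prefix check runs on the raw, un-normalized path."""
    if path.startswith(PROTECTED_PREFIX) and role != "admin":
        return False
    return True


def authorize_fixed(role, path):
    """Hardened form: canonicalize first, then apply the same policy."""
    canon = posixpath.normpath(path)
    protected = canon == PROTECTED_PREFIX or canon.startswith(PROTECTED_PREFIX + "/")
    if protected and role != "admin":
        return False
    return True


def equivalent_paths(path):
    """Metamorphic transformation: paths that resolve to the same resource."""
    parts = path.strip("/").split("/")
    yield "/./" + "/".join(parts)        # /./admin/users
    yield "/x/../" + "/".join(parts)     # /x/../admin/users
    yield "/" + "/./".join(parts)        # /admin/./users
    yield "/" + "//".join(parts)         # /admin//users


def metamorphic_violations(authorize, roles=ROLES, paths=PATHS):
    """Relation: authorize(role, p) == authorize(role, p') for every equivalent p'.

    Returns (role, original, variant) triples where the decision changed, i.e.
    where the related executions disagree and a semantic bug is revealed.
    """
    violations = []
    for role, path in product(roles, paths):
        baseline = authorize(role, path)
        for variant in equivalent_paths(path):
            if authorize(role, variant) != baseline:
                violations.append((role, path, variant))
    return violations
```

Running `metamorphic_violations(authorize_buggy)` reports the two encodings of `/admin/users` that slip past the raw-string check for a non-admin role, while the normalized version reports none.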