no description available

Bonita SharifModerator

University of Nebraska-Lincoln, USA

United States

Andrew HabibPanelist

SnT, University of Luxembourg

Luxembourg

Ibrahim MesecanPanelist

Iowa State University

Iftekhar AhmedPanelist

University of California, Irvine

Aakash BansalPanelist

University of Notre Dame

United States

Amin AlipourPanelist

University of Houston

United States

Arianna BlasiPanelist

Meta; prev. Università della Svizzera italiana

United Kingdom

Weihang WangPanelist

University of Southern California

Information leaks in software can unintentionally reveal private data, yet they are hard to detect and fix. Although several methods have been proposed to detect leakage, such as static verification-based approaches, they require specialist knowledge, and are time-consuming. Recently, HyperGI introduced a dynamic, hypertest-based approach that detects and produces potential fixes for information leakage. Its fitness function tries to balance information leakage and program correctness, but as the authors of that work point out, there may be a tradeoff between keeping program semantics and reducing information leakage.

In this work we ask if it is possible to automatically detect and repair information leakage in more realistic programs without requiring specialist knowledge. Our approach, called LeakReducer explicitly encodes the tradeoff between program correctness and information leakage as a multi-objective optimisation problem. We apply LeakReducer to a set of leaky programs including the well known Heartbleed bug. It is comparable with HyperGI on their toy applications. In addition, we demonstrate it can find and reduce leakage in real applications and we see diverse solutions on our Pareto front. Upon investigation we find that having a Pareto front helps with some types of information leakage, but not all.

Ibrahim Mesecan

Iowa State University

Daniel Blackwell

University College London

David Clark

University College London

United Kingdom

Myra Cohen

Iowa State University

United States

Justyna Petke

University College London

United Kingdom