CSR: Large: Collaborative Research: SemGrep: a System for Improving Software Reliability Through Semantic Similarity Bug Search

CSR：大型：协作研究：SemGrep：通过语义相似性错误搜索提高软件可靠性的系统

• 批准号: 1012107
• 负责人: Dawson Engler
• 金额: $ 13.1万
• 依托单位: Stanford University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-07-01 至 2012-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1012107&HistoricalAwards=false
• 关键词: CSR; Large; Collaborative; Research; SemGrep

Software bugs have been reported to take lives and cost billions of dollars annually. Studies have shown that many bugs are "cloned" (i.e., copied-and-pasted) to many places. Unfortunately, existing error detection tools have not provided programmers the ability to efficiently search for bug clones. Thus, they have to resort to ad hoc manual approaches such as grepping the source tree for bug clones.This project aims to improve software reliability and integrity through automatic detection and repair of bug clones given a newly discovered vulnerability. It will investigate a new dimension, code similarity, for detecting software bugs. Specifically, it will investigate the feasibility of an approach that derives bug "seeds" from a new bug patch or existing static or dynamic error detection tools, searches a large code base (potentially across administrative domains) for bug clones, and automatically protects the bug clones. This approach can detect bugs in cases where many existing techniques cannot due to code complexity: detecting similarity between code is easier than deconstructing its meaning.If successful, this project will result in accurate tools that will help to detect and repair software vulnerabilities early. Programmers will use these tools to detect and repair bug clones whenever applicable. Improvements in the reliability and security of software on which business, government, and individuals depend on will positively impact society. This project will provide a more reliable and robust computing infrastructure resilient to new threats and attacks. Integrating the proposed research into the CS curriculum will as promote reliability and security awareness.

据报道，软件漏洞每年夺去生命并造成数十亿美元的损失。研究表明，许多bug被“克隆”（即复制粘贴）到许多地方。不幸的是，现有的错误检测工具并没有为程序员提供有效搜索错误克隆的能力。因此，他们不得不求助于特别的手工方法，比如在源代码树中搜索bug克隆。该项目旨在针对新发现的漏洞，通过自动检测和修复漏洞克隆来提高软件的可靠性和完整性。它将调查一个新的维度，代码相似度，以检测软件漏洞。具体地说，它将研究一种方法的可行性，该方法从新的错误补丁或现有的静态或动态错误检测工具中派生错误“种子”，搜索大型代码库（可能跨越管理域）以查找错误克隆，并自动保护错误克隆。这种方法可以在许多现有技术由于代码复杂性而无法检测的情况下检测bug：检测代码之间的相似性比解构其含义更容易。如果成功，该项目将产生准确的工具，有助于及早检测和修复软件漏洞。程序员将使用这些工具来检测和修复错误克隆。企业、政府和个人所依赖的软件的可靠性和安全性的改进将对社会产生积极的影响。该项目将提供更可靠、更健壮的计算基础设施，以抵御新的威胁和攻击。将拟议的研究纳入计算机科学课程将有助于提高可靠性和安全意识。