SHF: Medium: Collaborative Research: HUGS: Human-Guided Software Testing and Analysis for Scalable Bug Detection and Repair

SHF：中：协作研究：HUGS：用于可扩展错误检测和修复的人工引导软件测试和分析

• 批准号: 1901098
• 负责人: Tevfik Bultan
• 金额: $ 40万
• 依托单位: University of California-Santa Barbara
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-08-01 至 2024-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1901098&HistoricalAwards=false
• 关键词: SHF; Medium; Collaborative; Research; HUGS

As all aspects of human society increasingly rely on software systems, there is an urgent need for scalable techniques and tools that can detect and eliminate software bugs effectively. In the last decade, hybrid approaches that combine software analysis techniques of different strengths have resulted in powerful tools for automated software testing and repair. However, despite the significant progress that has been made so far, fully automated techniques often fail to scale in practice. The key strength of automated techniques is their ability to quickly analyze many program behaviors by performing repetitive, computational tasks at a rate far beyond the human attention span and computation speed. However, they do not know how to intelligently navigate complex state spaces, which often requires contextual and common-sense reasoning that humans excel at. The goal of this project is to combine the strengths of human ingenuity and automated tools in order to achieve bug and vulnerability detection and repair at scale, while keeping the human intervention at a minimum. All the techniques developed within the context of this project will be transitionable to scalable software testing products by industry and government, leading to better software dependability in all application domains, including critical national infrastructures. The project will also seek to broaden participation in computing by training students from under-represented groups.The project will develop human-guided hybrid techniques that combine fuzz testing, symbolic execution, and search strategies that will aim to optimize the search towards efficient and scalable bug detection; annotations for controlling the search and for pruning the search space; input generation techniques and human-guided value generation; and automated and semi-automated synthesis of repairs. All these techniques will be integrated into open-source tools targeting multiple programming languages. To minimize the human effort, the framework will incorporate self-monitoring mechanisms to detect when the automatic analysis fails, which will provide detailed feedback to the developers to remedy the problem. This will result in an interactive testing and analysis process that leverages human input in a principled way to best guide the automated techniques, resulting in scalable bug detection and software repair.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着人类社会的各个方面越来越依赖于软件系统，迫切需要可扩展的技术和工具，可以有效地检测和消除软件错误。在过去的十年中，混合方法，结合联合收割机软件分析技术的不同优势，导致了强大的工具，自动化软件测试和修复。然而，尽管到目前为止已经取得了重大进展，但全自动化技术在实践中往往无法扩展。自动化技术的关键优势在于，它们能够以远远超出人类注意力广度和计算速度的速度执行重复的计算任务，从而快速分析许多程序行为。 然而，他们不知道如何智能地导航复杂的状态空间，这通常需要人类擅长的上下文和常识推理。该项目的目标是将人类的聪明才智和自动化工具的优势联合收割机结合起来，以实现大规模的错误和漏洞检测和修复，同时将人为干预保持在最低限度。在该项目范围内开发的所有技术将可由行业和政府转换为可扩展的软件测试产品，从而在所有应用领域（包括关键的国家基础设施）中提高软件的可靠性。该项目还将通过培训来自代表性不足群体的学生来扩大对计算的参与。该项目将开发人工引导的混合技术，该技术结合了联合收割机、符号执行和搜索策略，旨在优化搜索，实现高效和可扩展的错误检测;用于控制搜索和修剪搜索空间的注释;输入生成技术和人工引导的值生成;以及自动化和半自动化的修复合成。所有这些技术都将被集成到针对多种编程语言的开源工具中。为了最大限度地减少人工工作，框架将纳入自我监控机制，以检测自动分析何时失败，这将向开发人员提供详细的反馈，以解决问题。这将产生一个交互式的测试和分析过程，以原则性的方式利用人工输入来最好地指导自动化技术，从而实现可扩展的错误检测和软件修复。该奖项反映了NSF的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Quantifying permissiveness of access control policies

量化访问控制策略的允许性

• DOI: 10.1145/3510003.3510233
• 发表时间: 2022
• 期刊: ICSE '22: Proceedings of the 44th International Conference on Software Engineering
• 作者: Eiers, William;Sankaran, Ganesh;Li, Albert;O'Mahony, Emily;Prince, Benjamin;Bultan, Tevfik
• 通讯作者: Bultan, Tevfik

Fuzzing, Symbolic Execution, and Expert Guidance for Better Testing

模糊测试、符号执行和专家指导以实现更好的测试

• DOI: 10.1109/ms.2023.3237981
• 发表时间: 2023
• 期刊: IEEE Software
• 影响因子: 3.3
• 作者: Kadron, Ismet Burak;Noller, Yannic;Padhye, Rohan;Bultan, Tevfik;Pasareanu, Corina S.;Sen, Koushik
• 通讯作者: Sen, Koushik

PREACH: A Heuristic for Probabilistic Reachability to Identify Hard to Reach Statements

• DOI: 10.1145/3510003.3510227
• 发表时间: 2022-05
• 期刊: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE)
• 作者: Seemanta Saha;M. Downing;Tegan Brennan;T. Bultan

CorbFuzz: Checking Browser Security Policies with Fuzzing

CorbFuzz：通过模糊测试检查浏览器安全策略

• DOI: 10.1109/ase51524.2021.9678636
• 发表时间: 2021
• 期刊: 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE
• 作者: Shou, Chaofan;Kadron, Ismet Burak;Su, Qi;Bultan, Tevfik
• 通讯作者: Bultan, Tevfik

Feedback-driven side-channel analysis for networked applications

• DOI: 10.1145/3395363.3397365
• 发表时间: 2020-07
• 期刊: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis
• 作者: Ismet Burak Kadron;Nicolás Rosner;T. Bultan