{"title":"验证安全补丁","authors":"J. Gallagher, Robin Gonzalez, M. Locasto","doi":"10.1145/2687148.2687151","DOIUrl":null,"url":null,"abstract":"In this paper, we introduce a formal framework for ensuring the correctness of security patches. We discuss the issues and provide a sketch of how one could implement a system that proves (in many cases) or provides robust evidence (in other cases) that a security patch fixes a bug, and changes nothing else about the semantics of a program. We make use of an analysis of \"bug surfaces\" the set of inputs that trigger a bug, to give a type theoretic characterization of the non-buggy surface of a program. We thus give credence to the Langsec notion that security flaws are often about input handling, and show how formal patch and bug analysis can be used to define a more correct input type for a program.","PeriodicalId":433332,"journal":{"name":"PSP '14","volume":"4 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":"{\"title\":\"Verifying security patches\",\"authors\":\"J. Gallagher, Robin Gonzalez, M. Locasto\",\"doi\":\"10.1145/2687148.2687151\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this paper, we introduce a formal framework for ensuring the correctness of security patches. We discuss the issues and provide a sketch of how one could implement a system that proves (in many cases) or provides robust evidence (in other cases) that a security patch fixes a bug, and changes nothing else about the semantics of a program. We make use of an analysis of \\\"bug surfaces\\\" the set of inputs that trigger a bug, to give a type theoretic characterization of the non-buggy surface of a program. We thus give credence to the Langsec notion that security flaws are often about input handling, and show how formal patch and bug analysis can be used to define a more correct input type for a program.\",\"PeriodicalId\":433332,\"journal\":{\"name\":\"PSP '14\",\"volume\":\"4 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-10-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"5\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"PSP '14\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2687148.2687151\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"PSP '14","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2687148.2687151","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
In this paper, we introduce a formal framework for ensuring the correctness of security patches. We discuss the issues and provide a sketch of how one could implement a system that proves (in many cases) or provides robust evidence (in other cases) that a security patch fixes a bug, and changes nothing else about the semantics of a program. We make use of an analysis of "bug surfaces" the set of inputs that trigger a bug, to give a type theoretic characterization of the non-buggy surface of a program. We thus give credence to the Langsec notion that security flaws are often about input handling, and show how formal patch and bug analysis can be used to define a more correct input type for a program.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
