MIT tech squashes bugs without needing source code

Researchers at the Massachusetts Institute of Technology (MIT) have developed a system that can rectify software bugs without requiring access to the program's source code.

The MIT system, dubbed CodePhage, automatically imports functionality from a 'donor' application to the 'recipient" software it is trying to fix.

CodePhage analyses the donor application's execution and characterises the types of security checks the app performs. It then imports the checks to the recipient - even if the recipient and donor don't share the same programming language.

The effect of importing the checks is then analysed by CodePhage. To do so, CodePhage needs two sample inputs - one that causes the recipient to crash and another that has no effect.

It feeds the control input to the donor first to track and record the application's executions using a string of symbols that describes the constraints of the operation.

"At some point, for instance, the donor may check to see whether the size of the input is below some threshold," MIT wrote.

"If it is, CodePhage will add a term to its growing symbolic expression that represents the condition of being below that threshold. It doesn’t record the actual size of the file — just the constraint imposed by the check."

CodePhage then feeds the input that crashes the recipient application, again tracking and recording the operation through the string of symbols.

It interrupts the process when it finds the new symbolic expression differs from the control operation.

"The divergence represents a constraint that the safe input met and the crash-inducing input does not. As such, it could be a security check missing from the recipient," the researchers said.

"CodePhage then analyses the recipient to find locations at which the input meets most, but not quite all, of the constraints described by the new symbolic expression.

"At each of the locations it identifies, CodePhage can dispense with most of the constraints described by the symbolic expression — the constraints that the recipient, too, imposes."

Starting with the first location identified, it translates the remaining constraints that it hasn't been able to dispense with into the recipient's programming language and inserts them into the app's source code, then tests the crash-inducing input again to see whether the new code has fixed the bug.

If the application does not crash, the new code has addressed the problem. If not, CodePhage takes the next location - and as many other locations as it needs to - through the same process to identify where the error exists.

Should the application still crash after all locations are tested, CodePhage heads back to the donor application to find another point where the inputs diverge, interrupting the process when that point is discovered.

The researchers said they tested the technology on seven open source programs, and imported repairs to recipient applications from between two and four donor apps for each buggy app.

"In all instances, CodePhage was able to patch up the vulnerable code, and it generally took between two and 10 minutes per repair," MIT wrote.

"[The researchers' hope] is that future versions of CodePhage could drastically reduce the time that software developers spend on grunt work, by automating those checks’ insertion."