Programs are susceptible to malformed data coming from untrusted sources. Occasionally the programming logic or constructs used are inappropriate to handle all types of constraints that are imposed by legal and well-formed data. As a result programs produce unexpected results or even worse, they may crash. Program behavior in both of these cases would be highly undesirable. In this thesis work, we present a novel hybrid approach that saves programs from crashing when the failures originate from malformed strings or inappropriate handling of strings. Our approach statically analyses a program to identify statements that are vulnerable to failures related to associate string data. It then generates patches that are likely to satisfy constraints on the data, and in case of failures produce program behavior which would be close to the expected. The precision of the patches is improved with the help of a dynamic analysis. The patches are activated only after a failure is detected, and the technique incurs no runtime overhead during normal course of execution, and negligible overhead in case of failures. We have experimented with Java String API, and applied Clotho to several hugely popular open-source libraries to patch 30 bugs, several of them rated either critical or major. Our evaluation shows that Clotho is both practical and effective. The comparison of the patches generated by our technique with the actual patches developed by the programmers in the later versions shows that they are semantically similar.

1. CLOTHO : Saving Programs from
Malformed Strings and Incorrect
String-handling
Aritra Dhar
M.Tech CSE (MT12004)
Information Security
Thesis Committee
Dr. Rahul Purandare (Advisor)
Dr. Mohan Dhawan (External Reviewer)
Dr. Sambuddho Chakravarty (Internal Reviewer)

2. Outline
 Problem definition & Motivation
 Related Works
 Contribution
 Example
 Repairing Strategy : CLOTHO design
 Implementation
 Evaluation
 Conclusion
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
2

3. Problem Definition
 Runtime Exceptions go unnoticed at the time of
development.
 Restart/shutdown can be very expensive or
unacceptable.
 Example :
 Air-traffic control
 Autopilot
 UAV drones,
 life-support system
 smart power grid
 telephone network
 software controlled gas pipeline and many more.
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
3

4. Problem Definition
 Vulnerability in the code may be targeted by the
attacker.
 Crash is bad for business.
 3rd party library: no control over the sources.
 Classify candidates for patching : financial
transactions should not be repaired/patched.
 Major problem – availability
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
4

5. Why String?
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
5
 Heavily used
 Incorrect string handling and Malformed String
 Large number of major, critical and blocker priority
bugs.

6. Challenges
 No access of source code.
 Logic is unknown.
 Patching based on the program behavior and
information available in the byte code.
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
6

7. Most Frequently used Java String APIs
 String APIs
 Java SE String library
(java.lang.{String, StringBuffer, StringBuilder})
 Apache Commons
(org.apache.commons.lang.{StringUtils,StringEscapeUtils})
(http://commons.apache.org/)
 Google Guava (com.google.common.base.Strings)
(https://code.google.com/p/guava-libraries/)
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
7

8. Outline
 Problem definition & Motivation
 Related Works
 Contribution
 Example
 Repairing Strategy : CLOTHO design
 Implementation
 Evaluation
 Conclusion
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
8

9. Related Works
 Cabin et al.(’11), Perkins et al.(’09) Dynamic approaches :
memory, data, and incorrect programming constructs such
as infinite loops
 Demsky et al. (’03, ’05, ’06) Data structure repairing by
isolating damaged data or memory portion
 Eom et al.(’12) Delay execution till program self-stabilizes
 Pezze et al.(’11) Find alternative execution paths
 Long et al. (’14) Suppressing signals and attach lightweight
monitors for divide by zero and null dereferencing errors
 Cerny et al.(’14), Wei et al. (’10) develop patch and check
correctness by computationally intensive techniques such
as model-checking
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
9

10. Outline
 Problem definition
 Related Works
 Contribution
 Example
 Repairing Strategy : CLOTHO design
 Implementation
 Evaluation
 Conclusion
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
10

11. Contribution
 Novel hybrid technique for patch generation which
ensures patch quality to be as per developers’ fix.
 Fully automated end-to-end tool : CLOTHO; soon to
be open sourced.
 Repairing solutions over 64+ String based API calls.
 Promising results for popular 30 java 3rd party
library bug.
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
11

12. Outline
 Problem Definition & Motivation
 Related Works
 Contribution
 Example
 Repairing Strategy : CLOTHO design
 Implementation
 Evaluation
 Conclusion
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
12

13. Example
Apache FileUtils bug
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
13
No boundary check

14. Example : Automated Patch
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
14

15. Example : Developers’ Patch
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
15

16. Outline
 Problem definition & Motivation
 Related Works
 Contribution
 Example
 Repairing Strategy : CLOTHO design
 Implementation
 Evaluation
 Conclusion
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
16

17. Design Goals
 High patch fidelity
 Precise
 Preserve intended program behavior
 Non-invasive instrumentation
 No side effect
 Patch triggers only when crash is imminent
 Low system overhead
 None when no exception
 Minimal incase patch triggers
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
17

18. CLOTHO : Overall Design
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
18
• Taint Analysis
• Call graph analysis
Java byte code

19. Design : Taint Analysis Module
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
19

20. Call Graph Analysis
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
20
foo()
bar()
g()
h()
 Look in the call sight of all the
ancestors.
 Level order traversal.

21. Design : Patching Module
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
21

22. Constraint analysis
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
22
//user input
//may fail
//may fail

23. 4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
23
Constraint Collection
𝑆𝑡 ∗ 𝑂𝑃
𝑆𝑡. 𝑠𝑡𝑎𝑟𝑡𝑠𝑊𝑖𝑡ℎ 𝑠 ⇒ ( 𝑆𝑡) 𝑠𝑡𝑎𝑟𝑡𝑠𝑊𝑖𝑡ℎ (𝑠 )
𝑆𝑡. 𝑙𝑒𝑛𝑔𝑡ℎ < 5 ⇒ ((𝑆𝑡) 𝑙𝑒𝑛𝑔𝑡ℎ < (5))

24. Static Constraint Evaluation
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
24
Min Length Max Length Prefix set Contains set
abcd

25. Dynamic Constraint Collection &
Evaluation
 Also need to collect the static constraints and re
evaluate.
 Evaluate only if necessary
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
25

26. What if nothing works?
 Parameter tweaking
 Evaluate safe indices from string properties
 Recall the 1st example
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
26

27. What if nothing works?
 Fallback to parameter tweaking
 Look for the string properties
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
27

28. Outline
 Problem definition & Motivation
 Related Works
 Contribution
 Example
 Repairing Strategy : CLOTHO design
 Implementation
 Evaluation
 Conclusion
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
28

29. Implementation
 End-to-end repairing tool chain written in java
~15KLOC.
 Soot (version 2.5.0) for byte code analysis and
instrumentation.
 Soot infoFlow (May 2014 snapshot) for static taint
analysis.
 Java Decompiler (version 0.7.0.7) for visual inspection
of the instrumentation.
 Optimizations
 Minimize constraint analysis
 Minimize patch instrumentation
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
29

30. Outline
 Problem definition & Motivation
 Related Works
 Contribution
 Example
 Repairing Strategy : CLOTHO design
 Implementation
 Evaluation
 Conclusion
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
30

31. Evaluation metrics
 Program Quality Index (PQI)
 Taint analysis precession
 Flow Consistency Index (FCI)
𝐹𝐶𝐼 = 𝑛 (𝐹𝐶𝐼 ≥ 0)
 Cascaded exceptions
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
31

32. CLOTHO Evaluation
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
32

33. CLOTHO Performance
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
33

34. CLOTHO Performance
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
34

35. CLOTHO Overheads
 Execution overhead
 None in case of no exception
 Average overhead of ~2.32 𝜇𝑠 per call for 50𝐾 runs.
 Maximum overhead of ~3.96 𝜇𝑠 per call for Apache
Hive
 Call graph
 Apache wicket ~70𝐾
 Analysis time ~52.4 𝑠 and 210 𝑀𝐵 memory
 Constraint analysis
 At most ~5𝑠 for collection and evaluation
 Instrumentation
 At most 4𝑠
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
35

36. Outline
 Problem definition & Motivation
 Related Works
 Contribution
 Example
 Repairing Strategy : CLOTHO design
 Implementation
 Evaluation
 Conclusion
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
36

37. Conclusion & Future work
 In most of the cases CLOTHO generates efficient
patches.
 Adding more support for other Java APIs.
 Adding more intelligence to patching mechanism
for more effective patch.
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
37

38. Thank you
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
38

39. Constraint Collection
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
39

40. Constraint Evaluation
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
40

41. Fallback : Parameter Tweaking
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
41

42. Patching Strategy
4/1/2015
CLOTHO : Saving Programs from Malformed
Strings and Incorrect
42