Are there any examples of programming synthesis in vulnerability research?

Question

Program Synthesis

To borrow from Microsoft:

Program synthesis is the task of automatically discovering an executable piece of code given user intent expressed using various forms of constraints such as input-output examples, demonstrations, natural language, etc.

One of the best program synthesis examples I've come across created new authenticated encryption (AE) schemes; the paper also automated the analysis and privacy and authenticity security proofs for the synthesized AE schemes.

The take-away from program synthesis is: (1) it can provide novel solutions to solve a problem through an automated process and (2) it is possible to verify the solution's correctness.

Vulnerability Research & Program Synthesis

There has been a great deal of effort made in recent years in automating vulnerability analysis. A culmination of this effort was demonstrated this summer at the Cyber Grand Challenge(https:// www. cybergrandchallenge.com/).

It would seem like program synthesis would have great potential in automated vulnerability research.

• Perhaps it could derive new exploits
• Perhaps it could derive new patches or tests

My question is this: Are there any examples of program synthesis in vulnerability research?

I am having a hard time finding any examples of such and I would like to know if anyone has come across it.

Answer 1

Yes, there's plenty of work on synthesizing exploits using program synthesis. One of the seminal papers was:

Thanassis Avgerinos, Sang Kil Cha, Alexandre Rebert, Edward J. Schwartz, Maverick Woo, and David Brumley. Automatic Exploit Generation. Communications of the ACM, 57(2):74–84, 2014.

This is a cleaned-up and general-audience version of a paper published at NDSS in 2011.

You should be able to use Google Scholar to find lots of other related work and follow-on work, by finding papers that cite it. Also, many of the research teams participating in the Cyber Grand Challenge have been publishing on this subject for the past several years; look up each of their web pages and go check out their papers, and you should be able to find more.

Generally speaking, the challenge typically lies more in finding inputs to a vulnerable program that will cause it to do something bad, rather than in finding programs that directly do something bad themselves. Thus, the techniques tend to be slightly different from standard work on program synthesis, because the challenges are slightly different in this space: here it's often more about synthesizing data rather than code.

There is also plenty of work on automated patch creation. There, the big challenge is usually identifying which part of the code is vulnerable and what the vulnerability is; once you know that, the patch synthesis is usually rather straightforward. Consequently, the challenge typically seems to be more about program analysis than synthesis, though of course there are certainly aspects of both that do need to be solved, and different papers have a different focus.