If it ain't broke, don't fix it: challenges and new directions for inferring the impact of software patches

Authors:
Jon Oberheide;Evan Cooke;Farnam Jahanian
Affiliations:
Electrical Engineering and Computer Science Department, University of Michigan, Ann Arbor, MI;Electrical Engineering and Computer Science Department, University of Michigan, Ann Arbor, MI;Electrical Engineering and Computer Science Department, University of Michigan, Ann Arbor, MI
Venue:
HotOS'09 Proceedings of the 12th conference on Hot topics in operating systems
Year:
2009

Citing 11
Cited 1

DART: directed automated random testing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
DSD-Crasher: a hybrid analysis tool for bug finding

Proceedings of the 2006 international symposium on Software testing and analysis
Compositional dynamic test generation

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Feedback-Directed Random Test Generation

ICSE '07 Proceedings of the 29th international conference on Software Engineering
Hybrid Concolic Testing

ICSE '07 Proceedings of the 29th international conference on Software Engineering
Randomized Differential Testing as a Prelude to Formal Verification

ICSE '07 Proceedings of the 29th international conference on Software Engineering
Software Testing Research: Achievements, Challenges, Dreams

FOSE '07 2007 Future of Software Engineering
AutoBash: improving configuration management with operating system causality analysis

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
A Technique for Verifying Component-Based Software

Electronic Notes in Theoretical Computer Science (ENTCS)
Toward quantifying system manageability

HotDep'08 Proceedings of the Fourth conference on Hot topics in system dependability
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs

OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation

CANVuS: context-aware network vulnerability scanning

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

Software patches are designed to have a positive effect on the operation of software systems. However, these patches may cause incompatibilities, regressions, and other unintended negative impact on the reliability, performance, and security of software. In this paper, we propose PatchAdvisor, a technique to improve the manageability of the patching process for administrators by automatically inferring the impact of a patch or upgrade. PatchAdvisor inspects a software system and its patch using a combination of static control flow analysis, dynamic execution traces, and ranking heuristics to automatically infer the potential impact of the patch. To evaluate the feasibility of our approach, we implement an initial prototype of PatchAdvisor using the IDA and PaiMei frameworks and demonstrate its effectiveness on a real-world web application stack. Finally, we discuss the challenges and future research directions in this problem domain.