CLOTHO: Saving Programs from Malformed Strings and Incorrect String-Handling
Aritra Dhar
Xerox Research Center India
SWS Colloquium
Aritra is a research engineer at Xerox Research Center India and a prospective PhD student. He has an M.Tech degree from IIIT-Delhi and is interested in program analysis, cryptocurrency and wireless sensor networks.
Software is susceptible to malformed data originating from untrusted sources. Occasionally, the programming logic or constructs used are inappropriate for handling the varied constraints imposed by legal and well-formed data. Consequently, software may produce unexpected results or even crash.
In this paper, we present Clotho, a novel hybrid approach that saves such software from crashing when failures originate from malformed strings or inappropriate handling of strings. Clotho statically analyzes a program to identify statements that are vulnerable to failures related to the associated string data. Clotho then generates patches that are likely to satisfy the constraints on the data and that, in case of failure, produce program behavior close to what was expected. The precision of the patches is improved with the help of a dynamic analysis.
We have implemented Clotho for the Java String API, and our evaluation based on several popular open-source libraries shows that Clotho generates patches that are semantically similar to the patches made by the programmers in later versions. Additionally, these patches are activated only when a failure is detected, and thus Clotho incurs no runtime overhead during normal execution and negligible overhead in case of failures.
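To make the idea of a failure-activated patch concrete, here is an added illustration in Java; it is not output from Clotho or code from the paper. The class and method names, the constructed sample inputs, and the repair policy (clamping indices into the range `substring()` accepts) are all assumptions.

```java
public class FailureActivatedPatch {

    // Original statement: throws StringIndexOutOfBoundsException when the
    // untrusted header is too short or has no ':' separator.
    static String headerValueUnpatched(String header) {
        return header.substring(header.indexOf(':') + 1, header.length() - 2);
    }

    // Patched form: the normal path is the original statement, unchanged.
    // The repair code sits in the handler, so it runs only after a failure.
    static String headerValuePatched(String header) {
        int begin = header.indexOf(':') + 1;
        int end = header.length() - 2;
        try {
            return header.substring(begin, end);
        } catch (StringIndexOutOfBoundsException ex) {
            // Assumed repair policy: force the indices to satisfy the
            // constraint 0 <= begin <= end <= length imposed by substring().
            int len = header.length();
            int b = Math.max(0, Math.min(begin, len));
            int e = Math.max(b, Math.min(end, len));
            return header.substring(b, e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed, two malformed.
        String[] samples = { "Host: example.org\r\n", ":", "" };
        for (String s : samples) {
            // Well-formed input yields " example.org"; the malformed ones
            // yield "" instead of crashing the program.
            System.out.println("[" + headerValuePatched(s) + "]");
        }
    }
}
```

A `null` header still raises `NullPointerException` here; the sketch covers only the index constraints of `substring()`.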