My research tackles software vulnerabilities in two directions: mitigating vulnerabilities and fixing vulnerabilities. To mitigate vulnerabilities, we propose Software Workaround for Rapid Response (SWRR) that mitigate vulnerabilities by disabling the execution of vulnerable code. With the help of error-handling code, SWRRs gracefully continue program execution after bypassing vulnerable code. We design SWRRs to be used like configuration workarounds. After SWRRs are deployed in applications, users can activate or deactivate them just like configuration options. Our prototype Talos employs program analysis to automatically synthesize SWRRs in the form of source code and instrument SWRRs into existing applications.

In situations where source code is not available, applying SWRRs to binary code directly is needed. We propose an approach called RVM to automatically hardening binary code with security workarounds. RVM statically analyzes binary code of programs to identify error-handling code in the programs, in order to synthesize security workarounds. We have developed a prototype of RVM that automatically synthesizes SWRRs in the form of binary code and instruments them directy to Windows and Linux binaries.

To fix vulnerabilities, we aim to automatically generate correct security patches. Focusing on three of the most common and severe software vulnerabilities, buffer overflow, bad offset and integer overflow, Senx combines symbolic execution and program analysis to generate semantically correct security patches based on pre-defined patch models. Particularly we design Senx to address complex vulnerabilities by taking into account complex code structures and data structures. The security patches generated by Senx mimic security patches produced by software developers. Our prototype illustrates that security patches generated by Senx are effective, safe, and efficient in fixing real-world software vulnerabilities.

Smartphone operating systems (OSs) have been developed with a greater emphasis on security and privacy. As one of the most popular smartphone OSs, Android uses a permission system that requires software developers to declare what sensitive resources their applications will use. As these permission systems become more common, questions have risen about their design and implementation. We perform an analysis of the permission system of the Android smartphone OS to begin answering some of these questions. To address the incompleteness of the documentation of Android's permission system and be able to analyze multiple versions of Android OS, we develop PScout to extract the permission specification from the Android OS source code using program analysis. PScout overcomes the challenges in scalability due to Android's millions lines of source code, cross-process permission enforcement, and diverse permission checking mechanisms.