
Fixing Software Vulnerabilities and Configuration Errors



Abstract

With the rise of mobile devices such as smartphones and IoT devices, and of emerging application areas such as fitness and sports aids, smart homes, and augmented reality, computer systems have become a critical part of our daily lives. Our reliance on computer systems makes software security and reliability extremely important. However, both are threatened by software vulnerabilities and configuration errors.

Manually fixing software vulnerabilities and configuration errors is a tedious and time-consuming task, and automating it has attracted intense interest. This dissertation addresses three challenges in that automation: 1) mitigating software vulnerabilities rapidly and safely, 2) generating sound security patches, and 3) troubleshooting complex configuration errors that involve dependent configuration settings. We make the following contributions.

First, we consider mitigating software vulnerabilities. Inspired by configuration workarounds, a fast alternative to security patches, we design the Security Workaround for Rapid Response (SWRR), which works similarly to a configuration workaround but has substantially larger coverage. We implement a prototype, Talos, that automatically produces SWRRs and instruments them into applications. SWRRs generated by Talos cover 2.1x as many software vulnerabilities as configuration workarounds.

Second, we consider generating sound security patches. With a design specifically targeting three of the most common and severe classes of software vulnerability, buffer overflow, bad offset, and integer overflow, we combine program analysis techniques to generate semantically correct security patches. Our prototype implementation, Senx, generates correct security patches for 76.2% of 42 real-world software vulnerabilities.

Third, we compare the strengths and drawbacks of Talos and Senx qualitatively and quantitatively. Senx's strength is applicability; Talos's strengths are scalability and usability. We find that the two have complementary applicability: combined, they address 90.5% of the 42 software vulnerabilities.

Finally, we consider troubleshooting and fixing configuration errors involving dependent configuration settings. We leverage unsupervised machine learning to learn the dependencies among configuration settings and use automated GUI testing to let regular users troubleshoot and fix configuration errors with ease. We implement a prototype, Ocasta, and conduct a user study with it. Ocasta correctly identifies 88.6% of dependent configuration settings and significantly reduces the time and effort users spend troubleshooting and fixing configuration errors.
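The abstract describes two different responses to the same memory-safety bug: a Senx-style patch that inserts the missing check, and a Talos-style SWRR that, like a configuration workaround, leaves the bug in place but makes the vulnerable function unreachable and returns an error until a real patch lands. The C below is an added example and not code from the dissertation or from the Talos or Senx prototypes. The record format, the `parse_frame_*` functions, the `swrr_parse_frame` switch and the error codes are all constructed for illustration, and the "return an error code at function entry" shape of the SWRR is an assumption about how such a workaround is realised, not something the abstract states.

```c
/* Added example (not from the dissertation): one constructed bug, handled two ways.
 * Constructed record format: 2-byte big-endian payload length, then the payload. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_MAX     64
#define ERR_BAD_INPUT (-1)
#define ERR_DISABLED  (-2)   /* hypothetical error code returned while the SWRR is active */

/* Hypothetical SWRR switch: the analogue of a configuration option that turns a feature off. */
static int swrr_parse_frame = 0;

static uint32_t rd16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }

/* Vulnerable (constructed): three defects of the classes the abstract names.
 *  - integer overflow: len + 2 is truncated to 16 bits, so len = 0xFFFE gives total = 0
 *  - bad offset: the wrapped total makes the `total > in_len` check pass for any input
 *  - buffer overflow: `out` holds FRAME_MAX bytes but len is never compared against it */
int parse_frame_vulnerable(const uint8_t *in, size_t in_len, uint8_t out[FRAME_MAX])
{
    if (in_len < 2) return ERR_BAD_INPUT;
    uint16_t len   = (uint16_t)rd16(in);
    uint16_t total = (uint16_t)(len + 2);
    if (total > in_len) return ERR_BAD_INPUT;
    memcpy(out, in + 2, len);                  /* can overrun both `in` and `out` */
    return (int)len;
}

/* Senx-style patch: the same function with the missing checks inserted before the copy.
 * The bound is computed in size_t, so it cannot wrap, and is checked against both the
 * bytes actually supplied and the capacity of the destination. */
int parse_frame_patched(const uint8_t *in, size_t in_len, uint8_t out[FRAME_MAX])
{
    if (in_len < 2) return ERR_BAD_INPUT;
    size_t len = rd16(in);
    if (len > in_len - 2) return ERR_BAD_INPUT; /* payload must fit in the input we were given */
    if (len > FRAME_MAX)  return ERR_BAD_INPUT; /* and in the destination buffer */
    memcpy(out, in + 2, len);
    return (int)len;
}

/* Talos-style SWRR: no fix at all. While the switch is on, the vulnerable code is simply
 * unreachable and callers see an error, as if an administrator had disabled the feature. */
int parse_frame_swrr(const uint8_t *in, size_t in_len, uint8_t out[FRAME_MAX])
{
    if (swrr_parse_frame) return ERR_DISABLED;
    return parse_frame_vulnerable(in, in_len, out);
}

/* Constructed inputs for the scenarios below. */
static const uint8_t BENIGN[] = {0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t WRAP[10] = {0xFF, 0xFE};   /* len 65534: wraps the 16-bit total to 0 */

int benign_patched(void) { uint8_t out[FRAME_MAX]; return parse_frame_patched(BENIGN, sizeof BENIGN, out); }
int wrap_patched(void)   { uint8_t out[FRAME_MAX]; return parse_frame_patched(WRAP, sizeof WRAP, out); }
int oversize_patched(void)
{
    uint8_t big[2 + 100] = {0x00, 100};          /* 100-byte payload aimed at a 64-byte buffer */
    uint8_t out[FRAME_MAX];
    return parse_frame_patched(big, sizeof big, out);
}
int benign_swrr(int enabled)
{
    uint8_t out[FRAME_MAX];
    swrr_parse_frame = enabled;
    return parse_frame_swrr(BENIGN, sizeof BENIGN, out);
}

int main(void)
{
    printf("patched: benign=%d wrap=%d oversize=%d\n", benign_patched(), wrap_patched(), oversize_patched());
    printf("swrr:    off=%d on=%d\n", benign_swrr(0), benign_swrr(1));
    return 0;
}
```

The vulnerable variant is only ever run on the benign input; the hostile inputs go through the patched variant, which is what a sound patch has to do: compute the bound in arithmetic that cannot wrap and check it against both the source and the destination. The SWRR variant refuses the benign input too, which is the trade-off the abstract's comparison is about: a workaround is fast and generic but costs functionality, whereas a generated patch keeps the feature working but only applies where the analysis can prove the right check.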

Bibliographic record

  • Author

    Huang, Zhen.

  • Author affiliation

    University of Toronto (Canada).

  • Degree-granting institution: University of Toronto (Canada).
  • Subject: Computer science.
  • Degree: Ph.D.
  • Year: 2018
  • Pages: 162 p.
  • Total pages: 162
  • Original format: PDF
  • Language: eng
