CSR: Large: Collaborative Research: SemGrep: a System for Improving Software Reliability Through Semantic Similarity Bug Search

  • Yang, Junfeng (PI)
  • Keromytis, Angelos (CoPI)

Project: Research project

Project Details

Description

Software bugs have been reported to take lives and cost billions of dollars annually. Studies have shown that many bugs are 'cloned' (i.e., copied-and-pasted) to many places. Unfortunately, existing error detection tools have not given programmers the ability to efficiently search for bug clones. Thus, programmers have to resort to ad hoc manual approaches such as grepping the source tree for bug clones.

This project aims to improve software reliability and integrity through automatic detection and repair of bug clones given a newly discovered vulnerability. It will investigate a new dimension, code similarity, for detecting software bugs. Specifically, it will investigate the feasibility of an approach that derives bug 'seeds' from a new bug patch or existing static or dynamic error detection tools, searches a large code base (potentially across administrative domains) for bug clones, and automatically protects the bug clones. This approach can detect bugs in cases where many existing techniques cannot due to code complexity: detecting similarity between code is easier than deconstructing its meaning.

If successful, this project will result in accurate tools that will help to detect and repair software vulnerabilities early. Programmers will use these tools to detect and repair bug clones whenever applicable. Improvements in the reliability and security of software on which business, government, and individuals depend will positively impact society. This project will provide a more reliable and robust computing infrastructure resilient to new threats and attacks. Integrating the proposed research into the CS curriculum will also promote reliability and security awareness.

Status: Finished
Effective start/end date: 7/1/10 to 6/30/12

Funding

  • National Science Foundation: US$194,000.00

ASJC Scopus Subject Areas

  • Computer Networks and Communications
