{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T22:57:29Z","timestamp":1769727449538,"version":"3.49.0"},"reference-count":50,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,10,18]],"date-time":"2023-10-18T00:00:00Z","timestamp":1697587200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,10,18]],"date-time":"2023-10-18T00:00:00Z","timestamp":1697587200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001871","name":"Funda\u00e7\u00e3o para a Ci\u00eancia e a Tecnologia","doi-asserted-by":"publisher","award":["CMU\/TIC\/0006\/2019"],"award-info":[{"award-number":["CMU\/TIC\/0006\/2019"]}],"id":[{"id":"10.13039\/501100001871","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001871","name":"Funda\u00e7\u00e3o para a Ci\u00eancia e a Tecnologia","doi-asserted-by":"publisher","award":["CMU\/TIC\/0006\/2019"],"award-info":[{"award-number":["CMU\/TIC\/0006\/2019"]}],"id":[{"id":"10.13039\/501100001871","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001871","name":"Funda\u00e7\u00e3o para a Ci\u00eancia e a Tecnologia","doi-asserted-by":"publisher","award":["CMU\/TIC\/0006\/2019"],"award-info":[{"award-number":["CMU\/TIC\/0006\/2019"]}],"id":[{"id":"10.13039\/501100001871","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Funda\u00e7\u00e3o para a Ci\u00eancia e a Tecnologia,Portugal","award":["UIDB\/50021\/2020"],"award-info":[{"award-number":["UIDB\/50021\/2020"]}]},{"name":"Funda\u00e7\u00e3o para a Ci\u00eancia e a Tecnologia,Portugal","award":["UIDB\/50021\/2020"],"award-info":[{"award-number":["UIDB\/50021\/2020"]}]},{"DOI":"10.13039\/501100005765","name":"Universidade de 
Lisboa","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100005765","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Autom Softw Eng"],"published-print":{"date-parts":[[2024,5]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Vulnerability detection and repair is a demanding and expensive part of the software development process. As such, there has been an effort to develop new and better ways to automatically detect and repair vulnerabilities. DifFuzz is a state-of-the-art tool for automatic detection of timing side-channel vulnerabilities, a type of vulnerability that is particularly difficult to detect and correct. Despite recent progress made with tools such as DifFuzz, work on tools capable of automatically repairing timing side-channel vulnerabilities is scarce. In this paper, we propose DifFuzzAR, a tool for automatic repair of timing side-channel vulnerabilities in Java code. The tool works in conjunction with DifFuzz and it is able to repair 56% of the vulnerabilities identified in DifFuzz\u2019s dataset. The results show that the tool can automatically correct timing side-channel vulnerabilities, being more effective with those that are control-flow based. 
In addition, the results of a user study show that users generally trust the refactorings produced by DifFuzzAR and that they see value in such a tool, in particular for more critical code.<\/jats:p>","DOI":"10.1007\/s10515-023-00398-6","type":"journal-article","created":{"date-parts":[[2023,10,18]],"date-time":"2023-10-18T18:02:18Z","timestamp":1697652138000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["DifFuzzAR: automatic repair of timing side-channel vulnerabilities via refactoring"],"prefix":"10.1007","volume":"31","author":[{"given":"Rui","family":"Lima","sequence":"first","affiliation":[]},{"given":"Jo\u00e3o F.","family":"Ferreira","sequence":"additional","affiliation":[]},{"given":"Alexandra","family":"Mendes","sequence":"additional","affiliation":[]},{"given":"Carolina","family":"Carreira","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,10,18]]},"reference":[{"key":"398_CR1","unstructured":"Allamanis, M., Jackson-Flux, H., Brockschmidt, M.: Self-supervised bug detection and repair. In: NeurIPS (2021)"},{"issue":"6","key":"398_CR2","doi-asserted-by":"publisher","first-page":"362","DOI":"10.1145\/3140587.3062378","volume":"52","author":"T Antonopoulos","year":"2017","unstructured":"Antonopoulos, T., Gazzillo, P., Hicks, M., Koskinen, E., Terauchi, T., Wei, S.: Decomposition instead of self-composition for proving the absence of timing channels. ACM SIGPLAN Notices 52(6), 362\u2013375 (2017)","journal-title":"ACM SIGPLAN Notices"},{"issue":"6","key":"398_CR3","doi-asserted-by":"publisher","first-page":"567","DOI":"10.1109\/TSE.2003.1205183","volume":"29","author":"DM Berry","year":"2003","unstructured":"Berry, D.M., Tichy, W.F.: Comments on \u201cFormal methods application: an empirical tale of software development\u2019\u2019. IEEE Trans. Softw. Eng. 29(6), 567\u2013571 (2003)","journal-title":"IEEE Trans. Softw. 
Eng."},{"issue":"5","key":"398_CR4","doi-asserted-by":"publisher","first-page":"701","DOI":"10.1016\/j.comnet.2005.01.010","volume":"48","author":"D Brumley","year":"2005","unstructured":"Brumley, D., Boneh, D.: Remote timing attacks are practical. Comput. Netw. 48(5), 701\u2013716 (2005)","journal-title":"Comput. Netw."},{"key":"398_CR5","doi-asserted-by":"crossref","unstructured":"Chen, J., Feng, Y., Dillig, I.: Precise detection of side-channel vulnerabilities using quantitative Cartesian Hoare logic. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 875\u2013890. ACM (2017)","DOI":"10.1145\/3133956.3134058"},{"key":"398_CR7","first-page":"1943","volume":"47","author":"Z Chen","year":"2019","unstructured":"Chen, Z., Kommrusch, S.J., Tufano, M., Pouchet, L.-N., Poshyvanyk, D., Monperrus, M.: Sequencer: sequence-to-sequence learning for end-to-end program repair. IEEE Trans. Softw. Eng. 47, 1943\u20131959 (2019)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"398_CR6","unstructured":"Chen, Z., Kommrusch, S., Monperrus, M.: Neural transfer learning for repairing security vulnerabilities in C code. arXiv preprint arXiv:2104.08308 (2021)"},{"key":"398_CR8","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-45143-3_7","volume-title":"Practical Experiences in the Design and Conduct of Surveys in Empirical Software Engineering","author":"M Ciolkowski","year":"2003","unstructured":"Ciolkowski, M., Laitenberger, O., Vegas, S., Biffl, S.: Practical Experiences in the Design and Conduct of Surveys in Empirical Software Engineering. Springer, Berlin (2003)"},{"key":"398_CR9","unstructured":"Cloud Foundry: These are the top languages for enterprise application development and what that means for business. Accessed 2020-08-17. 
https:\/\/www.cloudfoundry.org\/wp-content\/uploads\/Developer-Language-Report_FINAL.pdf"},{"key":"398_CR10","unstructured":"Cornu, B., Durieux, T., Seinturier, L., Monperrus, M.: Npefix: Automatic runtime repair of null pointer exceptions in java. arXiv preprint arXiv:1512.07423 (2015)"},{"key":"398_CR11","doi-asserted-by":"crossref","unstructured":"Cummings, R., Kaptchuk, G., Redmiles, E.M.: \u201cI need a better description\u201d: an investigation into user expectations for differential privacy. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3037\u20133052 (2021)","DOI":"10.1145\/3460120.3485252"},{"key":"398_CR12","unstructured":"DARPA: Space\/time analysis for cybersecurity (STAC). Accessed 2020-08-17. https:\/\/www.darpa.mil\/program\/space-time-analysis-for-cybersecurity"},{"key":"398_CR13","unstructured":"Eilertsen, M.: Improving the usability of refactoring tools for software change tasks. Ph.D. thesis, University of Bergen (2012)"},{"key":"398_CR14","unstructured":"EvoSuite: Automatic test suite generation for Java. Accessed 2020-08-27. https:\/\/www.evosuite.org\/"},{"key":"398_CR15","doi-asserted-by":"crossref","unstructured":"Forrest, S., Nguyen, T., Weimer, W., Le\u00a0Goues, C.: A genetic programming approach to automated software repair. In: Proceedings of the 11th Annual Conference on Genetic and Evolutionary Computation, pp. 947\u2013954 (2009)","DOI":"10.1145\/1569901.1570031"},{"key":"398_CR16","unstructured":"GitHub: the state of the octoverse. Accessed 2019-10-07. https:\/\/octoverse.github.com\/projects#languages"},{"key":"398_CR17","doi-asserted-by":"crossref","unstructured":"Goguen, J.A., Meseguer, J.: Security policies and security models. In: 1982 IEEE Symposium on Security and Privacy, p. 11. 
IEEE (1982)","DOI":"10.1109\/SP.1982.10014"},{"issue":"12","key":"398_CR18","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1145\/3318162","volume":"62","author":"CL Goues","year":"2019","unstructured":"Goues, C.L., Pradel, M., Roychoudhury, A.: Automated program repair. Commun. ACM 62(12), 56\u201365 (2019)","journal-title":"Commun. ACM"},{"key":"398_CR19","doi-asserted-by":"crossref","unstructured":"Gupta, R., Pal, S., Kanade, A., Shevade, S.: Deepfix: fixing common C language errors by deep learning. In: Thirty-First AAAI Conference on Artificial Intelligence (2017)","DOI":"10.1609\/aaai.v31i1.10742"},{"issue":"8","key":"398_CR20","doi-asserted-by":"publisher","first-page":"2395","DOI":"10.1073\/pnas.1416587112","volume":"112","author":"J Hainmueller","year":"2015","unstructured":"Hainmueller, J., Hangartner, D., Yamamoto, T.: Validating vignette and conjoint survey experiments against real-world behavior. Proc. Natl. Acad. Sci. 112(8), 2395\u20132400 (2015)","journal-title":"Proc. Natl. Acad. Sci."},{"key":"398_CR21","unstructured":"IBM: Modern languages for the modern enterprise. Accessed 2020-08-17. https:\/\/developer.ibm.com\/articles\/d-modern-language-modern-enterprise\/"},{"key":"398_CR22","unstructured":"IVC Wiki: Xbox 360 timing attack. Accessed 2020-08-17. https:\/\/beta.ivc.no\/wiki\/index.php\/Xbox_360_Timing_Attack"},{"key":"398_CR23","doi-asserted-by":"crossref","unstructured":"Kersten, R., Luckow, K., P\u0103s\u0103reanu, C.S.: Poster: Afl-based fuzzing for java with kelinci. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2511\u20132513. ACM (2017)","DOI":"10.1145\/3133956.3138820"},{"key":"398_CR24","doi-asserted-by":"crossref","unstructured":"Kim, D., Nam, J., Song, J., Kim, S.: Automatic patch generation learned from human-written patches. In: 2013 35th International Conference on Software Engineering (ICSE), pp. 802\u2013811. 
IEEE (2013)","DOI":"10.1109\/ICSE.2013.6606626"},{"key":"398_CR25","doi-asserted-by":"crossref","unstructured":"Koeune, F., Standaert, F.-X.: A tutorial on physical security and side-channel attacks. In: Foundations of Security Analysis and Design III, pp. 78\u2013108. Springer, Berlin (2005)","DOI":"10.1007\/11554578_3"},{"key":"398_CR26","doi-asserted-by":"publisher","DOI":"10.4135\/9781412963947","volume-title":"Encyclopedia of Survey Research Methods","author":"PJ Lavrakas","year":"2008","unstructured":"Lavrakas, P.J.: Encyclopedia of Survey Research Methods. Sage publications, Los Angeles (2008)"},{"key":"398_CR27","unstructured":"Lawson, N.: Timing attack in Google Keyczar library. Accessed 2020-08-17. https:\/\/rdist.root.org\/2009\/05\/28\/timing-attack-in-google-keyczar-library\/"},{"key":"398_CR28","volume-title":"Research Methods in Human\u2013computer Interaction","author":"J Lazar","year":"2017","unstructured":"Lazar, J., Feng, J.H., Hochheiser, H.: Research Methods in Human\u2013computer Interaction. Morgan Kaufmann, Boston (2017)"},{"key":"398_CR30","doi-asserted-by":"publisher","unstructured":"Lima, R., Ferreira, J.F., Mendes, A.: Automatic repair of Java code with timing side-channel vulnerabilities. In: 2021 36th IEEE\/ACM International Conference on Automated Software Engineering Workshops (ASEW), pp. 1\u20138 (2021). https:\/\/doi.org\/10.1109\/ASEW52652.2021.00014","DOI":"10.1109\/ASEW52652.2021.00014"},{"issue":"1","key":"398_CR29","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1109\/TSE.2011.104","volume":"38","author":"C Le Goues","year":"2011","unstructured":"Le Goues, C., Nguyen, T., Forrest, S., Weimer, W.: Genprog: a generic method for automatic software repair. IEEE Trans. Softw. Eng. 38(1), 54\u201372 (2011)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"398_CR31","doi-asserted-by":"crossref","unstructured":"Lima, R.: Automatic repair of Java code with timing side-channel vulnerabilities. 
Master\u2019s thesis, Instituto Superior T\u00e9cnico, University of Lisbon (January 2021). https:\/\/fenix.tecnico.ulisboa.pt\/cursos\/meic-t\/dissertacao\/1128253548921982","DOI":"10.1109\/ASEW52652.2021.00014"},{"key":"398_CR32","doi-asserted-by":"crossref","unstructured":"Liu, K., Koyuncu, A., Kim, D., Bissyand\u00e9, T.F.: Tbar: revisiting template-based automated program repair. In: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 31\u201342 (2019)","DOI":"10.1145\/3293882.3330577"},{"key":"398_CR33","doi-asserted-by":"crossref","unstructured":"Lutellier, T., Pham, H.V., Pang, L., Li, Y., Wei, M., Tan, L.: Coconut: combining context-aware neural translation models using ensemble for program repair. In: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 101\u2013114 (2020)","DOI":"10.1145\/3395363.3397369"},{"key":"398_CR34","doi-asserted-by":"crossref","unstructured":"Mechtaev, S., Yi, J., Roychoudhury, A.: Angelix: scalable multiline program patch synthesis via symbolic analysis. In: Proceedings of the 38th International Conference on Software Engineering, pp. 691\u2013701 (2016)","DOI":"10.1145\/2884781.2884807"},{"key":"398_CR36","doi-asserted-by":"publisher","DOI":"10.1145\/3105906","author":"M Monperrus","year":"2015","unstructured":"Monperrus, M.: Automatic software repair: a bibliography. ACM Comput. Surv. (2015). https:\/\/doi.org\/10.1145\/3105906","journal-title":"ACM Comput. Surv."},{"key":"398_CR35","unstructured":"Monperrus, M.: The living review on automated program repair. Technical Report hal-01956501, HAL Archives Ouvertes (2018). https:\/\/www.monperrus.net\/martin\/repair-living-review.pdf"},{"issue":"1","key":"398_CR37","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1109\/TSE.2011.41","volume":"38","author":"E Murphy-Hill","year":"2011","unstructured":"Murphy-Hill, E., Parnin, C., Black, A.P.: How we refactor, and how we know it. 
IEEE Trans. Softw. Eng. 38(1), 5\u201318 (2011)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"398_CR38","doi-asserted-by":"crossref","unstructured":"Nguyen, H.D.T., Qi, D., Roychoudhury, A., Chandra, S.: Semfix: program repair via semantic analysis. In: 2013 35th International Conference on Software Engineering (ICSE), pp. 772\u2013781. IEEE (2013)","DOI":"10.1109\/ICSE.2013.6606623"},{"key":"398_CR39","doi-asserted-by":"crossref","unstructured":"Nilizadeh, S., Noller, Y., P\u0103s\u0103reanu, C.S.: Diffuzz: differential fuzzing for side-channel analysis. In: Proceedings of the 41st International Conference on Software Engineering, pp. 176\u2013187. IEEE Press (2019)","DOI":"10.1109\/ICSE.2019.00034"},{"key":"398_CR40","doi-asserted-by":"publisher","first-page":"1155","DOI":"10.1002\/spe.2346","volume":"46","author":"R Pawlak","year":"2015","unstructured":"Pawlak, R., Monperrus, M., Petitprez, N., Noguera, C., Seinturier, L.: Spoon: a library for implementing analyses and transformations of Java source code. Softw. Pract. Exp. 46, 1155\u20131179 (2015). https:\/\/doi.org\/10.1002\/spe.2346","journal-title":"Softw. Pract. Exp."},{"key":"398_CR41","doi-asserted-by":"crossref","unstructured":"Pereira, R.B., Ferreira, J.F., Mendes, A., Abreu, R.: Extending EcoAndroid with automated detection of resource leaks. In: 9th IEEE\/ACM International Conference on Mobile Software Engineering and Systems 2022 (MobileSoft) (2022)","DOI":"10.1145\/3524613.3527815"},{"key":"398_CR42","unstructured":"Redmiles, E.M., Acar, Y., Fahl, S., Mazurek, M.L.: A summary of survey methodology best practices for security and privacy researchers. Technical report (2017)"},{"key":"398_CR43","doi-asserted-by":"publisher","unstructured":"Ribeiro, A., Ferreira, J.F., Mendes, A.: EcoAndroid: an android studio plugin for developing energy-efficient Java mobile applications. In: 2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS), pp. 62\u201369 (2021). 
https:\/\/doi.org\/10.1109\/QRS54544.2021.00017","DOI":"10.1109\/QRS54544.2021.00017"},{"key":"398_CR44","doi-asserted-by":"crossref","unstructured":"Wu, M., Guo, S., Schaumont, P., Wang, C.: Eliminating timing side-channel leaks using program repair. In: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 15\u201326 (2018)","DOI":"10.1145\/3213846.3213851"},{"issue":"1","key":"398_CR45","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1109\/TSE.2016.2560811","volume":"43","author":"J Xuan","year":"2016","unstructured":"Xuan, J., Martinez, M., Demarco, F., Clement, M., Marcote, S.L., Durieux, T., Le Berre, D., Monperrus, M.: Nopol: automatic repair of conditional statement bugs in java programs. IEEE Trans. Softw. Eng. 43(1), 34\u201355 (2016)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"398_CR47","unstructured":"Yasunaga, M., Liang, P.: Graph-based, self-supervised program repair from diagnostic feedback. In: International Conference on Machine Learning, pp. 10799\u201310808. PMLR (2020)"},{"key":"398_CR46","unstructured":"Yasunaga, M., Liang, P.: Break-it-fix-it: unsupervised learning for program repair. In: International Conference on Machine Learning (ICML) (2021)"},{"key":"398_CR48","doi-asserted-by":"crossref","unstructured":"Ye, H., Martinez, M., Monperrus, M.: Neural program repair with execution-based backpropagation. arXiv preprint arXiv:2105.04123 (2021)","DOI":"10.1145\/3510003.3510222"},{"key":"398_CR49","unstructured":"Zalewski, M.: American fuzzy lop (2017)"},{"key":"398_CR50","first-page":"388","volume":"2005","author":"Y Zhou","year":"2005","unstructured":"Zhou, Y., Feng, D.: Side-channel attacks: ten years after its publication and the impacts on cryptographic module security testing. IACR Cryptol. ePrint Archive 2005, 388 (2005)","journal-title":"IACR Cryptol. 
ePrint Archive"}],"container-title":["Automated Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10515-023-00398-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10515-023-00398-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10515-023-00398-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,4,29]],"date-time":"2024-04-29T13:14:00Z","timestamp":1714396440000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10515-023-00398-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,18]]},"references-count":50,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,5]]}},"alternative-id":["398"],"URL":"https:\/\/doi.org\/10.1007\/s10515-023-00398-6","relation":{},"ISSN":["0928-8910","1573-7535"],"issn-type":[{"value":"0928-8910","type":"print"},{"value":"1573-7535","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,10,18]]},"assertion":[{"value":"20 August 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 September 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 October 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"1"}}
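The abstract above says DifFuzzAR repairs timing side-channel vulnerabilities in Java by refactoring, and that it works best on control-flow-based leaks found by DifFuzz. The Java program below is an added illustration of that setting and is not code from the paper, from DifFuzzAR, or from DifFuzz: it shows an early-exit secret comparison (the classic control-flow leak), a hand-written constant-time refactoring of the kind the abstract refers to, and a simplified differential check in the spirit of DifFuzz that compares an execution-cost proxy for two different secrets under the same public input. The class name, the loop-iteration cost counter, the differential harness and the sample strings are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;

public class TimingLeakDemo {

    // Loop iterations executed by the most recent comparison. A deterministic
    // stand-in for the execution-cost measurement a differential fuzzer would
    // take; this counter is an assumption of this example, not DifFuzz's own.
    static long cost;

    // VULNERABLE: control-flow timing leak. The loop exits at the first
    // mismatching byte, so the iteration count (and the wall-clock time)
    // reveals how long a prefix of 'guess' agrees with 'secret'.
    static boolean unsafeEquals(byte[] secret, byte[] guess) {
        cost = 0;
        if (secret.length != guess.length) {
            return false;
        }
        for (int i = 0; i < secret.length; i++) {
            cost++;
            if (secret[i] != guess[i]) {
                return false; // early exit: leaks the mismatch position
            }
        }
        return true;
    }

    // REFACTORED (hand-written here, not DifFuzzAR output): the early return is
    // replaced by an accumulator, so the loop always runs to the end and the
    // branch structure no longer depends on the secret bytes. Only the length
    // of the inputs influences the iteration count.
    static boolean safeEquals(byte[] secret, byte[] guess) {
        cost = 0;
        int diff = secret.length ^ guess.length;
        int n = Math.min(secret.length, guess.length);
        for (int i = 0; i < n; i++) {
            cost++;
            diff |= secret[i] ^ guess[i];
        }
        return diff == 0;
    }

    // Simplified differential check in the spirit of DifFuzz (an assumption of
    // this example): hold the public input fixed, run the method with two
    // different secrets, and compare the observed cost. A non-zero difference
    // means the secret influences execution cost, i.e. a timing side channel.
    static long costDifference(boolean useSafe, byte[] secretA, byte[] secretB, byte[] pub) {
        if (useSafe) { safeEquals(secretA, pub); } else { unsafeEquals(secretA, pub); }
        long costA = cost;
        if (useSafe) { safeEquals(secretB, pub); } else { unsafeEquals(secretB, pub); }
        long costB = cost;
        return Math.abs(costA - costB);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, all 21 bytes long so that length alone
        // cannot explain any cost difference.
        byte[] secretA = "correct-horse-battery".getBytes(StandardCharsets.US_ASCII);
        byte[] secretB = "zzzzzzz-horse-battery".getBytes(StandardCharsets.US_ASCII);
        byte[] pub     = "correct-horse-staple!".getBytes(StandardCharsets.US_ASCII);

        System.out.println("unsafeEquals cost difference: " + costDifference(false, secretA, secretB, pub));
        System.out.println("safeEquals   cost difference: " + costDifference(true, secretA, secretB, pub));
    }
}
```

Compile with `javac TimingLeakDemo.java` and run `java TimingLeakDemo`: the early-exit comparison reports a non-zero cost difference between the two secrets, while the refactored comparison reports zero, which is the property a repair tool for control-flow-based leaks has to establish. The refactoring still lets the input lengths influence the iteration count, so it is constant-time only for secrets of equal length; in production Java code, prefer `java.security.MessageDigest.isEqual`, which the JDK implements as a constant-time comparison, over a hand-rolled loop.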