
Resolving the oracle problem for identifying high-level security properties

Identify effective methods to specify and operationalize the high-level security properties that must hold for a given software system by developing test oracles capable of detecting violations of these properties, thereby addressing the unresolved oracle problem.


Background

Dynamic analyses (testing, fuzzing, monitoring) rely on oracles to decide whether executions violate desired properties. However, determining what high-level properties should hold for a system, and how to encode them into actionable oracles, is a core challenge.

The paper explicitly notes that this challenge is captured by the oracle problem, which, despite extensive study, remains unsolved.
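To make the gap concrete, here is an added example (not from the cited paper) in which a crash-only oracle and a property oracle judge the same executions of a constructed document store with an authorization bug. `DocStore`, `run_trace`, `fuzz` and the policy "only the owner may share a document" are hypothetical names and assumptions chosen for the illustration.

```python
import random

class DocStore:
    """Constructed system under test; share() has an authorization bug."""
    def __init__(self):
        self.owner, self.acl = {}, {}   # doc -> owner, doc -> set of readers

    def create(self, user, doc):
        if doc not in self.owner:
            self.owner[doc], self.acl[doc] = user, {user}

    def share(self, user, doc, target):
        # Bug: grants access without checking that `user` owns `doc`.
        if doc in self.acl:
            self.acl[doc].add(target)

    def read(self, user, doc):
        return user in self.acl.get(doc, set())

def run_trace(ops):
    """Replay (op, user, doc, target) tuples; return (crashes, violations)."""
    store, crashes, violations = DocStore(), 0, 0
    model_owner, allowed = {}, set()    # independent reference model of the policy
    for op, user, doc, target in ops:
        try:
            if op == "create":
                if doc not in model_owner:
                    model_owner[doc] = user
                    allowed.add((user, doc))
                store.create(user, doc)
            elif op == "share":
                if model_owner.get(doc) == user:
                    allowed.add((target, doc))
                store.share(user, doc, target)
            # Property oracle: every successful read must be permitted by the model.
            elif store.read(user, doc) and (user, doc) not in allowed:
                violations += 1
        except Exception:
            crashes += 1                # implicit oracle: only crashes count
    return crashes, violations

def fuzz(seed, steps=200):
    """Generate a random trace from a seed and replay it under both oracles."""
    rng = random.Random(seed)
    users, docs = ["alice", "bob", "eve"], ["d1", "d2"]
    ops = [(rng.choice(["create", "share", "read"]), rng.choice(users),
            rng.choice(docs), rng.choice(users)) for _ in range(steps)]
    return run_trace(ops)
```

The crash count stays at zero on every trace because the bug never raises; only the oracle that encodes the access-control property reports it, and writing that reference model required knowing the property in advance.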

References

The problem of identifying the high-level properties that we need to hold for a software system is explicitly explored as part of the oracle problem, but remains unsolved (§2.1).

Fundamental Challenges in Cybersecurity and a Philosophy of Vulnerability-Guided Hardening (2402.01944 - Böhme, 2 Feb 2024) in Section 3.2.2 Fuzzing, Testing, and Monitoring