Resolving the oracle problem for identifying high-level security properties

Identify effective methods to specify and operationalize the high-level security properties that must hold for a given software system by developing test oracles capable of detecting violations of these properties, thereby addressing the unresolved oracle problem.

Background

Dynamic analyses (testing, fuzzing, monitoring) rely on oracles to decide whether executions violate desired properties. However, determining what high-level properties should hold for a system, and how to encode them into actionable oracles, is a core challenge.

The paper explicitly notes that this challenge is captured by the oracle problem, which, despite extensive study, remains unsolved.

References

The problem of identifying the high-level properties that we need to hold for a software system is explicitly explored as part of the oracle problem , but remains unsolved (\S 2.1).

Fundamental Challenges in Cybersecurity and a Philosophy of Vulnerability-Guided Hardening (2402.01944 - Böhme, 2 Feb 2024) in Section 3.2.2 Fuzzing, Testing, and Monitoring