Does Collaborative Editing Help Mitigate Security Vulnerabilities in Crowd-Shared IoT Code Examples?
Background: With the proliferation of crowd-sourced developer forums,
software developers are increasingly sharing coding solutions to
programming problems with others in forums. The decentralized nature of
knowledge sharing on these sites has raised the concern of sharing
security-vulnerable code, which can then be reused in mission-critical software
systems, making those systems vulnerable in the process. Collaborative editing
has been introduced in forums like Stack Overflow to improve the quality of the
shared contents. Aim: In this paper, we investigate whether code editing can
mitigate shared vulnerable code examples by analyzing IoT code snippets and
their revisions in three Stack Exchange sites: Stack Overflow, Arduino, and
Raspberry Pi. Method: We analyze the vulnerabilities present in shared IoT C/C++
code snippets, as C/C++ is one of the most widely used languages in
mission-critical devices and low-powered IoT devices. We further analyze the
revisions made to these code snippets and their effects. Results: We find
several vulnerabilities, such as CWE-788 (Access of Memory Location After End
of Buffer), in 740 code snippets. However, we find that the vast majority of posts
are not revised, or revisions are not made to the code snippets themselves (598
out of 740). We also find that revisions are most likely to result in no change
to the number of vulnerabilities in a code snippet rather than deteriorating or
improving the snippet. Conclusions: We conclude that the current collaborative
editing system in the forums may be insufficient to help mitigate
vulnerabilities in the shared code.
Comment: 10 pages, 14 figures, ESEM2
Assessing the Security of GitHub Copilot Generated Code -- A Targeted Replication Study
AI-powered code generation models have been developing rapidly, allowing
developers to expedite code generation and thus improve their productivity.
These models are trained on large corpora of code (primarily sourced from
public repositories), which may contain bugs and vulnerabilities. Several
concerns have been raised about the security of the code generated by these
models. Recent studies have investigated security issues in AI-powered code
generation tools such as GitHub Copilot and Amazon CodeWhisperer, revealing
several security weaknesses in the code generated by these tools. As these
tools evolve, it is expected that they will improve their security protocols to
prevent the suggestion of insecure code to developers. This paper replicates
the study of Pearce et al., which investigated security weaknesses in Copilot
and uncovered several weaknesses in the code suggested by Copilot across
diverse scenarios and languages (Python, C and Verilog). Our replication
examines Copilot security weaknesses using newer versions of Copilot and CodeQL
(the security analysis framework). The replication focused on the presence of
security vulnerabilities in Python code. Our results indicate that, even with
the improvements in newer versions of Copilot, the percentage of vulnerable
code suggestions has reduced from 36.54% to 27.25%. Nonetheless, it remains
evident that the model still suggests insecure code.
On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities
Software vulnerabilities are a major cyber threat and it is important to
detect them. One important approach to detecting vulnerabilities is to use deep
learning while treating a program function as a whole, known as function-level
vulnerability detectors. However, the limitation of this approach is not
understood. In this paper, we investigate its limitation in detecting one class
of vulnerabilities known as inter-procedural vulnerabilities, where the
to-be-patched statements and the vulnerability-triggering statements belong to
different functions. For this purpose, we create the first Inter-Procedural
Vulnerability Dataset (InterPVD) based on C/C++ open-source software, and we
propose a tool dubbed VulTrigger for identifying vulnerability-triggering
statements across functions. Experimental results show that VulTrigger can
effectively identify vulnerability-triggering statements and inter-procedural
vulnerabilities. Our findings include: (i) inter-procedural vulnerabilities are
prevalent with an average of 2.8 inter-procedural layers; and (ii)
function-level vulnerability detectors are much less effective in detecting
to-be-patched functions of inter-procedural vulnerabilities than detecting
their counterparts of intra-procedural vulnerabilities.
Comment: 12 pages, 7 figures. To appear in the Proceedings of the 46th
International Conference on Software Engineering (ICSE'24
Identifying and Scoping Context-Specific Use Cases For Blockchain-Enabled Systems in the Wild.
Advances in technology often provide a catalyst for digital innovation. Arising from the global banking crisis at the end of the first decade of the 21st Century, decentralised and distributed systems have seen a surge in growth and interest. Blockchain technology, the foundation of the decentralised virtual currency Bitcoin, is one such catalyst. The main component of a blockchain is its public record of verified, timestamped transactions maintained in an append-only, chain-like data structure. This record is replicated across n nodes in a network of co-operating participants. This distribution offers a public proof of transactions verified in the past. Beyond tokens and virtual currency, real-world use cases for blockchain technology are in need of research and development. The challenge in this proof-of-concept research is to identify an orchestration model of innovation that leads to the successful development of software artefacts that utilise blockchain technology. These artefacts must maximise the potential of the technology and enhance the real-world business application. An original two-phase orchestration model is defined. The model includes both a discovery and an implementation phase and implements state-of-the-art process innovation frameworks: Capability Maturity Modelling, Business Process Redesign, Open Innovation and Distributed Digital Innovation. The model succeeds in its aim to generate feasible problem-solution design pairings to be implemented as blockchain-enabled software systems. Three systems are developed: an internal supply-chain management system, a crowd-sourced sponsorship model for individual players on a team, and a proof-of-origin smart tag system. The contribution is to have defined an innovation model through which context-specific blockchain use cases can be identified and scoped in the wild.
Crisis translation: considering language needs in multilingual disaster settings
Purpose: The purpose of this conceptual paper is to highlight the role that language translation can play in disaster prevention and management and to make the case for increased attention to language translation in crisis communication.
Approach: The article draws on literature relating to disaster management to suggest that translation is a perennial issue in crisis communication.
Findings: Although communication with multicultural and multilinguistic communities is seen as being in urgent need of attention, we find that the role of translation in enabling this is underestimated, if not unrecognised.
Value: This article raises awareness of the need for urgent attention to be given by scholars and practitioners to the role of translation in crisis communication.
Information Flow for Web Security and Privacy
The use of libraries is prevalent in modern web development. But how to ensure sensitive data is not being leaked through these libraries? This is the first challenge this thesis aims to solve. We propose the use of information-flow control by developing a principled approach to allow information-flow tracking in libraries, even if the libraries are written in a language not supporting information-flow control. The approach allows library functions to have unlabel and relabel models that explain how values are unlabeled and relabeled when marshaled between the labeled program and the unlabeled library. The approach handles primitive values and lists, records, higher-order functions, and references through the use of lazy marshaling.

Web pages can combine benign properties of a user's browser into a fingerprint, which can identify the user. Fingerprinting can be intrusive and often happens without the user's consent. The second challenge this thesis aims to solve is to bridge the gap between the principled approach of handling libraries and practical use in the information-flow-aware JavaScript interpreter JSFlow. We extend JSFlow to handle libraries and be deployed in a browser, enabling information-flow tracking on web pages to detect fingerprinting.

Modern browsers allow for browser modifications through browser extensions. These extensions can be intrusive by, e.g., blocking content or modifying the DOM, and it can be in the interest of web pages to detect which extensions are installed in the browser. The third challenge this thesis aims to solve is finding which browser extensions are executing in a user's browser, and investigating how the installed browser extensions can be used to decrease the privacy of users. We do this by conducting several large-scale studies and show that, due to added security by browser vendors, a web page may uniquely identify a user based on the installed browser extensions alone.

It is popular to use filter lists to block unwanted content such as ads and tracking scripts on web pages. These filter lists are usually crowd-sourced and mainly focus on English-speaking regions. Non-English-speaking regions should use a supplementary filter list, but smaller linguistic regions may not have an up-to-date filter list. The fourth challenge this thesis aims to solve is how to automatically generate supplementary filter lists for regions which currently do not have an up-to-date filter list.