
    Does Collaborative Editing Help Mitigate Security Vulnerabilities in Crowd-Shared IoT Code Examples?

    Background: With the proliferation of crowd-sourced developer forums, software developers are increasingly sharing coding solutions to programming problems with others in forums. The decentralized nature of knowledge sharing on these sites has raised the concern of sharing security-vulnerable code, which can then be reused in mission-critical software systems, making those systems vulnerable in the process. Collaborative editing has been introduced in forums like Stack Overflow to improve the quality of the shared contents. Aim: In this paper, we investigate whether code editing can mitigate shared vulnerable code examples by analyzing IoT code snippets and their revisions in three Stack Exchange sites: Stack Overflow, Arduino, and Raspberry Pi. Method: We analyze the vulnerabilities present in shared IoT C/C++ code snippets, as C/C++ is one of the most widely used languages in mission-critical devices and low-powered IoT devices. We further analyze the revisions made to these code snippets, and their effects. Results: We find several vulnerabilities, such as CWE-788 (Access of Memory Location After End of Buffer), in 740 code snippets. However, we find that the vast majority of posts are not revised, or that revisions are not made to the code snippets themselves (598 out of 740). We also find that revisions are most likely to result in no change to the number of vulnerabilities in a code snippet rather than deteriorating or improving the snippet. Conclusions: We conclude that the current collaborative editing system in the forums may be insufficient to help mitigate vulnerabilities in the shared code. Comment: 10 pages, 14 figures, ESEM2

    Assessing the Security of GitHub Copilot Generated Code -- A Targeted Replication Study

    AI-powered code generation models have been developing rapidly, allowing developers to expedite code generation and thus improve their productivity. These models are trained on large corpora of code (primarily sourced from public repositories), which may contain bugs and vulnerabilities. Several concerns have been raised about the security of the code generated by these models. Recent studies have investigated security issues in AI-powered code generation tools such as GitHub Copilot and Amazon CodeWhisperer, revealing several security weaknesses in the code generated by these tools. As these tools evolve, it is expected that they will improve their security protocols to prevent the suggestion of insecure code to developers. This paper replicates the study of Pearce et al., which investigated security weaknesses in Copilot and uncovered several weaknesses in the code suggested by Copilot across diverse scenarios and languages (Python, C and Verilog). Our replication examines Copilot security weaknesses using newer versions of Copilot and CodeQL (the security analysis framework). The replication focused on the presence of security vulnerabilities in Python code. Our results indicate that, even with the improvements in newer versions of Copilot, the percentage of vulnerable code suggestions has dropped only from 36.54% to 27.25%. Nonetheless, it remains evident that the model still suggests insecure code.

    On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities

    Software vulnerabilities are a major cyber threat and it is important to detect them. One important approach to detecting vulnerabilities is to use deep learning while treating a program function as a whole, known as function-level vulnerability detectors. However, the limitations of this approach are not well understood. In this paper, we investigate its limitations in detecting one class of vulnerabilities known as inter-procedural vulnerabilities, where the to-be-patched statements and the vulnerability-triggering statements belong to different functions. For this purpose, we create the first Inter-Procedural Vulnerability Dataset (InterPVD) based on C/C++ open-source software, and we propose a tool dubbed VulTrigger for identifying vulnerability-triggering statements across functions. Experimental results show that VulTrigger can effectively identify vulnerability-triggering statements and inter-procedural vulnerabilities. Our findings include: (i) inter-procedural vulnerabilities are prevalent, with an average of 2.8 inter-procedural layers; and (ii) function-level vulnerability detectors are much less effective in detecting the to-be-patched functions of inter-procedural vulnerabilities than in detecting their counterparts in intra-procedural vulnerabilities. Comment: 12 pages, 7 figures. To appear in the Proceedings of the 46th International Conference on Software Engineering (ICSE'24
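    The two C/C++ abstracts above describe the same kind of defect from different angles: the IoT study reports CWE-788 (access past the end of a buffer) in shared snippets, and the inter-procedural study looks at cases where the statement that needs the patch and the statement that triggers the bug sit in different functions. The toy frame handler below is an added example written for this page, not code from either paper; the one-byte length-prefixed frame format, the function names and the sample frames are all hypothetical. The triggering statement is the memcpy in handle_frame(), which is unchanged between the vulnerable and the fixed build; the fix lives in the parser the handler is wired to, which is exactly what a detector that sees one function at a time cannot observe.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAYLOAD_MAX 16   /* fixed on-device buffer, as in typical low-RAM IoT code */

/* Hypothetical frame format: frame[0] announces the payload length, payload follows. */
typedef int (*parse_len_fn)(const uint8_t *frame, size_t frame_len, size_t *len_out);

/* Vulnerable header parser: trusts the attacker-controlled length byte. */
static int parse_len_unchecked(const uint8_t *frame, size_t frame_len, size_t *len_out)
{
    if (frame_len < 1) return -1;
    *len_out = frame[0];
    return 0;
}

/* Patched header parser: the "to-be-patched" function. The bound check is
 * added here, not in the function that performs the copy. */
static int parse_len_checked(const uint8_t *frame, size_t frame_len, size_t *len_out)
{
    if (frame_len < 1) return -1;
    size_t len = frame[0];
    if (len > PAYLOAD_MAX || len > frame_len - 1) return -1;   /* must fit dest and source */
    *len_out = len;
    return 0;
}

/* Frame handler: holds the "vulnerability-triggering" statement but no local
 * check. Looked at in isolation it is identical in the vulnerable and the fixed
 * build. Returns the number of payload bytes copied into out, or -1. */
static int handle_frame(parse_len_fn parse_len, const uint8_t *frame, size_t frame_len,
                        uint8_t *out, size_t out_len)
{
    uint8_t payload[PAYLOAD_MAX];
    size_t len;

    if (parse_len(frame, frame_len, &len) != 0) return -1;

    /* CWE-788: with parse_len_unchecked and len > PAYLOAD_MAX this writes past
     * the end of payload[] (and reads past the end of frame). Never executed
     * with the unchecked parser in this example. */
    memcpy(payload, frame + 1, len);

    if (out_len < len) return -1;
    memcpy(out, payload, len);
    return (int)len;
}

/* Constructed sample frames (not taken from either paper). */
static const uint8_t good_frame[] = { 4, 'p', 'i', 'n', '1' };
static const uint8_t evil_frame[] = { 200, 0x41, 0x41, 0x41 };  /* claims 200 bytes, carries 3 */

/* Run the handler with the patched parser; -1 means the frame was rejected. */
static int checked_len(const uint8_t *frame, size_t frame_len)
{
    uint8_t out[PAYLOAD_MAX];
    return handle_frame(parse_len_checked, frame, frame_len, out, sizeof out);
}

/* Confirms the patched path still delivers the real payload for a valid frame. */
static int checked_payload_ok(void)
{
    uint8_t out[PAYLOAD_MAX];
    int n = handle_frame(parse_len_checked, good_frame, sizeof good_frame, out, sizeof out);
    return n == 4 && memcmp(out, "pin1", 4) == 0;
}

/* Shows what the unchecked parser would hand to handle_frame() for a frame,
 * without ever reaching the memcpy. */
static size_t unchecked_announced_len(const uint8_t *frame, size_t frame_len)
{
    size_t len = 0;
    parse_len_unchecked(frame, frame_len, &len);
    return len;
}
```

    The point a function-level detector misses is visible in the bodies: handle_frame() has no bug of its own to flag, and parse_len_unchecked() has no memory access to flag; the defect only exists in their composition, and the patch is a check on a value that is consumed two calls away.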

    Identifying and Scoping Context-Specific Use Cases For Blockchain-Enabled Systems in the Wild.

    Advances in technology often provide a catalyst for digital innovation. Arising from the global banking crisis at the end of the first decade of the 21st century, decentralised and distributed systems have seen a surge in growth and interest. Blockchain technology, the foundation of the decentralised virtual currency Bitcoin, is one such catalyst. The main component of a blockchain is its public record of verified, timestamped transactions maintained in an append-only, chain-like data structure. This record is replicated across n nodes in a network of co-operating participants. This distribution offers a public proof of transactions verified in the past. Beyond tokens and virtual currency, real-world use cases for blockchain technology are in need of research and development. The challenge in this proof-of-concept research is to identify an orchestration model of innovation that leads to the successful development of software artefacts that utilise blockchain technology. These artefacts must maximise the potential of the technology and enhance the real-world business application. An original two-phase orchestration model is defined. The model includes both a discovery and an implementation phase and implements state-of-the-art process innovation frameworks: Capability Maturity Modelling, Business Process Redesign, Open Innovation and Distributed Digital Innovation. The model succeeds in its aim to generate feasible problem-solution design pairings to be implemented as blockchain-enabled software systems. Three systems are developed: an internal supply-chain management system, a crowd-sourced sponsorship model for individual players on a team, and a proof-of-origin smart tag system. The contribution is to have defined an innovation model through which context-specific blockchain use cases can be identified and scoped in the wild.

    Crisis translation: considering language needs in multilingual disaster settings

    Purpose: The purpose of this conceptual paper is to highlight the role that language translation can play in disaster prevention and management and to make the case for increased attention to language translation in crisis communication. Approach: The article draws on literature relating to disaster management to suggest that translation is a perennial issue in crisis communication. Findings: Although communication with multicultural and multilinguistic communities is seen as being in urgent need of attention, we find that the role of translation in enabling this is underestimated, if not unrecognised. Value: This article raises awareness of the need for urgent attention to be given by scholars and practitioners to the role of translation in crisis communication.

    Information Flow for Web Security and Privacy

    The use of libraries is prevalent in modern web development. But how to ensure sensitive data is not being leaked through these libraries? This is the first challenge this thesis aims to solve. We propose the use of information-flow control by developing a principled approach to allow information-flow tracking in libraries, even if the libraries are written in a language not supporting information-flow control. The approach allows library functions to have unlabel and relabel models that explain how values are unlabeled and relabeled when marshaled between the labeled program and the unlabeled library. The approach handles primitive values and lists, records, higher-order functions, and references through the use of lazy marshaling.

    Web pages can combine benign properties of a user's browser into a fingerprint, which can identify the user. Fingerprinting can be intrusive and often happens without the user's consent. The second challenge this thesis aims to solve is to bridge the gap between the principled approach of handling libraries and practical use in the information-flow aware JavaScript interpreter JSFlow. We extend JSFlow to handle libraries and be deployed in a browser, enabling information-flow tracking on web pages to detect fingerprinting.

    Modern browsers allow for browser modifications through browser extensions. These extensions can be intrusive by, e.g., blocking content or modifying the DOM, and it can be in the interest of web pages to detect which extensions are installed in the browser. The third challenge this thesis aims to solve is finding which browser extensions are executing in a user's browser, and investigating how the installed browser extensions can be used to decrease the privacy of users. We do this by conducting several large-scale studies and show that, due to added security by browser vendors, a web page may uniquely identify a user based on the installed browser extensions alone.

    It is popular to use filter lists to block unwanted content such as ads and tracking scripts on web pages. These filter lists are usually crowd-sourced and mainly focus on English-speaking regions. Non-English-speaking regions should use a supplementary filter list, but smaller linguistic regions may not have an up-to-date filter list. The fourth challenge this thesis aims to solve is how to automatically generate supplementary filter lists for regions which currently do not have an up-to-date filter list.