137 research outputs found
Utilizing public repositories to improve the decision process for security defect resolution and information reuse in the development environment
Security risks are contained in solutions in software systems that could have been avoided if the design choices were analyzed by using public information security data sources. Public security sources have been shown to contain more relevant and recent information on current technologies than any textbook or research article, and these sources are often used by developers for solving software related problems. However, solutions copied from public discussion forums such as StackOverflow may contain security implications when copied directly into the developers environment. Several different methods to identify security bugs are being implemented, and recent efforts are looking into identifying security bugs from communication artifacts during software development lifecycle as well as using public security information sources to support secure design and development. The primary goal of this thesis is to investigate how to utilize public information sources to reduce security defects in software artifacts through improving the decision process for defect resolution and information reuse in the development environment. We build a data collection tool for collecting data from public information security sources and public discussion forums, construct machine learning models for classifying discussion forum posts and bug reports as security or not-security related, as well as word embedding models for finding matches between public security sources and public discussion forum posts or bug reports. The results of this thesis demonstrate that using public information security sources can provide additional validation layers for defect classification models, as well as provide additional security context for public discussion forum posts. The contributions of this thesis are to provide understanding of how public information security sources can better provide context for bug reports and discussion forums. Additionally, we provide data collection APIs for collecting datasets from these sources, and classification and word embedding models for recommending related security sources for bug reports and public discussion forum posts.Masteroppgave i Programutvikling samarbeid med HVLPROG399MAMN-PRO
How ChatGPT is Solving Vulnerability Management Problem
Recently, ChatGPT has attracted great attention from the code analysis
domain. Prior works show that ChatGPT has the capabilities of processing
foundational code analysis tasks, such as abstract syntax tree generation,
which indicates the potential of using ChatGPT to comprehend code syntax and
static behaviors. However, it is unclear whether ChatGPT can complete more
complicated real-world vulnerability management tasks, such as the prediction
of security relevance and patch correctness, which require an all-encompassing
understanding of various aspects, including code syntax, program semantics, and
related manual comments.
In this paper, we explore ChatGPT's capabilities on 6 tasks involving the
complete vulnerability management process with a large-scale dataset containing
78,445 samples. For each task, we compare ChatGPT against SOTA approaches,
investigate the impact of different prompts, and explore the difficulties. The
results suggest promising potential in leveraging ChatGPT to assist
vulnerability management. One notable example is ChatGPT's proficiency in tasks
like generating titles for software bug reports. Furthermore, our findings
reveal the difficulties encountered by ChatGPT and shed light on promising
future directions. For instance, directly providing random demonstration
examples in the prompt cannot consistently guarantee good performance in
vulnerability management. By contrast, leveraging ChatGPT in a self-heuristic
way -- extracting expertise from demonstration examples itself and integrating
the extracted expertise in the prompt is a promising research direction.
Besides, ChatGPT may misunderstand and misuse the information in the prompt.
Consequently, effectively guiding ChatGPT to focus on helpful information
rather than the irrelevant content is still an open problem
The anatomy of a vulnerability database: A systematic mapping study
Software vulnerabilities play a major role, as there are multiple risks associated, including loss and manipulation of private data. The software engineering research community has been contributing to the body of knowledge by proposing several empirical studies on vulnerabilities and automated techniques to detect and remove them from source code. The reliability and generalizability of the findings heavily depend on the quality of the information mineable from publicly available datasets of vulnerabilities as well as on the availability and suitability of those databases. In this paper, we seek to understand the anatomy of the currently available vulnerability databases through a systematic mapping study where we analyze (1) what are the popular vulnerability databases adopted; (2) what are the goals for adoption; (3) what are the other sources of information adopted; (4) what are the methods and techniques; (5) which tools are proposed. An improved understanding of these aspects might not only allow researchers to take informed decisions on the databases to consider when doing research but also practitioners to establish reliable sources of information to inform their security policies and standards.publishedVersionPeer reviewe
Chain-of-Thought Prompting of Large Language Models for Discovering and Fixing Software Vulnerabilities
Security vulnerabilities are increasingly prevalent in modern software and
they are widely consequential to our society. Various approaches to defending
against these vulnerabilities have been proposed, among which those leveraging
deep learning (DL) avoid major barriers with other techniques hence attracting
more attention in recent years. However, DL-based approaches face critical
challenges including the lack of sizable and quality-labeled task-specific
datasets and their inability to generalize well to unseen, real-world
scenarios. Lately, large language models (LLMs) have demonstrated impressive
potential in various domains by overcoming those challenges, especially through
chain-of-thought (CoT) prompting. In this paper, we explore how to leverage
LLMs and CoT to address three key software vulnerability analysis tasks:
identifying a given type of vulnerabilities, discovering vulnerabilities of any
type, and patching detected vulnerabilities. We instantiate the general CoT
methodology in the context of these tasks through VSP , our unified,
vulnerability-semantics-guided prompting approach, and conduct extensive
experiments assessing VSP versus five baselines for the three tasks against
three LLMs and two datasets. Results show substantial superiority of our
CoT-inspired prompting (553.3%, 36.5%, and 30.8% higher F1 accuracy for
vulnerability identification, discovery, and patching, respectively, on CVE
datasets) over the baselines. Through in-depth case studies analyzing VSP
failures, we also reveal current gaps in LLM/CoT for challenging vulnerability
cases, while proposing and validating respective improvements
The FormAI Dataset: Generative AI in Software Security Through the Lens of Formal Verification
This paper presents the FormAI dataset, a large collection of 112, 000
AI-generated compilable and independent C programs with vulnerability
classification. We introduce a dynamic zero-shot prompting technique
constructed to spawn diverse programs utilizing Large Language Models (LLMs).
The dataset is generated by GPT-3.5-turbo and comprises programs with varying
levels of complexity. Some programs handle complicated tasks like network
management, table games, or encryption, while others deal with simpler tasks
like string manipulation. Every program is labeled with the vulnerabilities
found within the source code, indicating the type, line number, and vulnerable
function name. This is accomplished by employing a formal verification method
using the Efficient SMT-based Bounded Model Checker (ESBMC), which uses model
checking, abstract interpretation, constraint programming, and satisfiability
modulo theories to reason over safety/security properties in programs. This
approach definitively detects vulnerabilities and offers a formal model known
as a counterexample, thus eliminating the possibility of generating false
positive reports. We have associated the identified vulnerabilities with Common
Weakness Enumeration (CWE) numbers. We make the source code available for the
112, 000 programs, accompanied by a separate file containing the
vulnerabilities detected in each program, making the dataset ideal for training
LLMs and machine learning algorithms. Our study unveiled that according to
ESBMC, 51.24% of the programs generated by GPT-3.5 contained vulnerabilities,
thereby presenting considerable risks to software safety and security.Comment: https://github.com/FormAI-Datase
Finding Software Vulnerabilities in Open-Source C Projects via Bounded Model Checking
Computer-based systems have solved several domain problems, including
industrial, military, education, and wearable. Nevertheless, such arrangements
need high-quality software to guarantee security and safety as both are
mandatory for modern software products. We advocate that bounded model-checking
techniques can efficiently detect vulnerabilities in general software systems.
However, such an approach struggles to scale up and verify extensive code
bases. Consequently, we have developed and evaluated a methodology to verify
large software systems using a state-of-the-art bounded model checker. In
particular, we pre-process input source-code files and guide the respective
model checker to explore them systematically. Moreover, the proposed scheme
includes a function-wise prioritization strategy, which readily provides
results for code entities according to a scale of importance. Experimental
results using a real implementation of the proposed methodology show that it
can efficiently verify large software systems. Besides, it presented low peak
memory allocation when executed. We have evaluated our approach by verifying
twelve popular open-source C projects, where we have found real software
vulnerabilities that their developers confirmed.Comment: 27 pages, submitted to STTT journa
NLP-Based Techniques for Cyber Threat Intelligence
In the digital era, threat actors employ sophisticated techniques for which,
often, digital traces in the form of textual data are available. Cyber Threat
Intelligence~(CTI) is related to all the solutions inherent to data collection,
processing, and analysis useful to understand a threat actor's targets and
attack behavior. Currently, CTI is assuming an always more crucial role in
identifying and mitigating threats and enabling proactive defense strategies.
In this context, NLP, an artificial intelligence branch, has emerged as a
powerful tool for enhancing threat intelligence capabilities. This survey paper
provides a comprehensive overview of NLP-based techniques applied in the
context of threat intelligence. It begins by describing the foundational
definitions and principles of CTI as a major tool for safeguarding digital
assets. It then undertakes a thorough examination of NLP-based techniques for
CTI data crawling from Web sources, CTI data analysis, Relation Extraction from
cybersecurity data, CTI sharing and collaboration, and security threats of CTI.
Finally, the challenges and limitations of NLP in threat intelligence are
exhaustively examined, including data quality issues and ethical
considerations. This survey draws a complete framework and serves as a valuable
resource for security professionals and researchers seeking to understand the
state-of-the-art NLP-based threat intelligence techniques and their potential
impact on cybersecurity
- …