Identifying Personal Data Processing for Code Review
Code review is a critical step in the software development life cycle, which
assesses and boosts the code's effectiveness and correctness, pinpoints
security issues, and raises its quality by adhering to best practices. Due to
the increased need for personal data protection motivated by legislation, code
reviewers need to understand where personal data is located in software systems
and how it is handled. Although most recent work on code review focuses on
security vulnerabilities, privacy-related techniques are not easy for code
reviewers to implement, making their inclusion in the code review process
challenging. In this paper, we present ongoing work on a new approach to
identifying personal data processing, enabling developers and code reviewers
to draft privacy analyses and comply with regulations such as the General
Data Protection Regulation (GDPR).
Comment: Accepted by The 9th International Conference on Information Systems Security and Privacy (ICISSP 2023)
CodePlan: Repository-level Coding using LLMs and Planning
Software engineering activities such as package migration, fixing error
reports from static analysis or testing, and adding type annotations or other
specifications to a codebase, involve pervasively editing the entire repository
of code. We formulate these activities as repository-level coding tasks.
Recent tools like GitHub Copilot, which are powered by Large Language Models
(LLMs), have succeeded in offering high-quality solutions to localized coding
problems. Repository-level coding tasks are more involved and cannot be solved
directly using LLMs, since code within a repository is inter-dependent and the
entire repository may be too large to fit into the prompt. We frame
repository-level coding as a planning problem and present a task-agnostic
framework, called CodePlan, to solve it. CodePlan synthesizes a multi-step chain
of edits (plan), where each step results in a call to an LLM on a code location
with context derived from the entire repository, previous code changes and
task-specific instructions. CodePlan is based on a novel combination of an
incremental dependency analysis, a change may-impact analysis and an adaptive
planning algorithm.
We evaluate the effectiveness of CodePlan on two repository-level tasks:
package migration (C#) and temporal code edits (Python). Each task is evaluated
on multiple code repositories, each of which requires inter-dependent changes
to many files (between 2 and 97 files). Coding tasks of this level of complexity
have not been automated using LLMs before. Our results show that CodePlan
achieves a better match with the ground truth than the baselines. CodePlan gets
5/6 repositories to pass the validity checks (e.g., building without errors
and making correct code edits), whereas the baselines (without planning but with
the same type of contextual information as CodePlan) cannot get any of the
repositories to pass them.
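The adaptive planning loop the abstract describes, in which each applied edit's may-impact analysis enqueues further code locations until a fixpoint is reached, can be sketched as follows. This is an illustrative reconstruction, not CodePlan's actual implementation: the file names, the dependency map, and the `applyEdit` stand-in for an LLM call are all hypothetical.

```typescript
// One pending edit obligation at a code location.
type Edit = { file: string; reason: string };

// Hypothetical may-impact map: editing a file may require edits to its dependents.
const dependents: Record<string, string[]> = {
  "core.cs": ["api.cs", "cli.cs"],
  "api.cs": ["tests.cs"],
};

// Stand-in for an LLM call on one code location with repository-derived context.
function applyEdit(edit: Edit): void {
  console.log(`editing ${edit.file} (${edit.reason})`);
}

// Adaptive loop: seed edits come from the task description; every applied edit's
// impact analysis pushes newly affected locations onto the queue until it drains.
function plan(seed: Edit[]): string[] {
  const queue = [...seed];
  const done: string[] = [];
  while (queue.length > 0) {
    const edit = queue.shift()!;
    if (done.includes(edit.file)) continue; // already edited, skip
    applyEdit(edit);
    done.push(edit.file);
    for (const dep of dependents[edit.file] ?? []) {
      queue.push({ file: dep, reason: `impacted by ${edit.file}` });
    }
  }
  return done;
}

plan([{ file: "core.cs", reason: "package migration" }]);
// visits core.cs, then api.cs, cli.cs, tests.cs
```

The key design point the sketch captures is that the chain of edits is not fixed up front: it grows as the dependency analysis observes the consequences of each change.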
The Software Vulnerability Ecosystem: Software Development In The Context Of Adversarial Behavior
Software vulnerabilities are the root cause of many computer system security failures. This dissertation addresses software vulnerabilities in the context of a software lifecycle, with a particular focus on three stages: (1) improving software quality during development; (2) pre-release bug discovery and repair; and (3) revising software as vulnerabilities are found.
The question I pose regarding software quality during development is whether long-standing software engineering principles and practices such as code reuse help or hurt with respect to vulnerabilities. Using a novel data-driven analysis of large databases of vulnerabilities, I show the surprising result that software quality and software security are distinct. Most notably, the analysis uncovered a counterintuitive phenomenon, namely that newly introduced software enjoys a period with no vulnerability discoveries, and further that this "Honeymoon Effect" (a term I coined) is well explained by the unfamiliarity of the code to malicious actors. An important consequence for code reuse, which is intended to raise software quality, is that it reduces the protection that delayed vulnerability discovery affords new code.
The second question I pose concerns the predictive power of this effect. My experimental design exploited a large-scale open source software system, Mozilla Firefox, in which two development methodologies are pursued in parallel, making methodology the sole variable in outcomes. Comparing the methodologies using a novel synthesis of data from vulnerability databases, I found that the rapid-release cycles used in agile software development (in which new software is introduced frequently) have a vulnerability discovery rate equivalent to that of conventional development.
Finally, I pose the question of the relationship between the intrinsic security of software, stemming from design and development, and the ecosystem into which the software is embedded and in which it operates. I use the early development
lifecycle to examine this question, and again use vulnerability data as the means of answering it. In a purely intrinsic model, defect discovery rates should decrease as software matures, making vulnerabilities increasingly rare. The data, which show that vulnerability rates increase after a delay, contradict this. Software security therefore must be modeled to include extrinsic factors, thus comprising an ecosystem.
Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js
Prototype pollution is a dangerous vulnerability affecting prototype-based
languages like JavaScript and the Node.js platform. It refers to the ability of
an attacker to inject properties into an object's root prototype at runtime and
subsequently trigger the execution of legitimate code gadgets that access these
properties on the object's prototype, leading to attacks such as DoS, privilege
escalation, and remote code execution (RCE). While there is anecdotal evidence
that prototype pollution leads to RCE, current research does not tackle the
challenge of gadget detection, showing only the feasibility of DoS attacks
against Node.js libraries.
In this paper, we set out to study the problem in a holistic way, from the
detection of prototype pollution to detection of gadgets, with the ambitious
goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js
applications. We build the first multi-staged framework that uses multi-label
static taint analysis to identify prototype pollution in Node.js libraries and
applications, as well as a hybrid approach to detect universal gadgets,
notably, by analyzing the Node.js source code. We implement our framework on
top of GitHub's static analysis framework CodeQL to find 11 universal gadgets
in core Node.js APIs, leading to code execution. Furthermore, we use our
methodology in a study of 15 popular Node.js applications to identify prototype
pollutions and gadgets. We manually exploit RCE in two high-profile
applications. Our results provide alarming evidence that prototype pollution in
combination with powerful universal gadgets leads to RCE in Node.js.
Comment: To appear at USENIX Security'2
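The injection step the abstract refers to can be illustrated with the classic vulnerable pattern: a recursive merge that copies attacker-controlled keys without guarding against `__proto__`. This is a minimal sketch of the vulnerability class, not code from the paper; the `merge` function and payload are illustrative.

```typescript
// Vulnerable recursive merge: a common prototype pollution sink.
function merge(target: any, source: any): any {
  for (const key of Object.keys(source)) {
    if (typeof source[key] === "object" && source[key] !== null &&
        typeof target[key] === "object" && target[key] !== null) {
      // For key "__proto__", target[key] resolves to Object.prototype,
      // so the recursion writes attacker-chosen properties onto it.
      merge(target[key], source[key]);
    } else {
      target[key] = source[key]; // no guard against "__proto__" keys
    }
  }
  return target;
}

// JSON.parse creates an own "__proto__" data property, so the key survives
// into Object.keys() and reaches the vulnerable assignment above.
const payload = JSON.parse('{"__proto__": {"polluted": true}}');
merge({}, payload);

const victim: any = {};
console.log(victim.polluted); // true: every object now inherits the property
```

Once `Object.prototype` is polluted, the attack still needs a gadget, i.e. legitimate code that reads the injected property and does something dangerous with it (e.g. passing it to `child_process` options); detecting such gadgets at scale is exactly the gap the paper's hybrid analysis addresses.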
Static Code Analysis in the AI Era: An In-depth Exploration of the Concept, Function, and Potential of Intelligent Code Analysis Agents
The escalating complexity of software systems and accelerating development
cycles pose a significant challenge in managing code errors and implementing
business logic. Traditional techniques, while cornerstone for software quality
assurance, exhibit limitations in handling intricate business logic and
extensive codebases. To address these challenges, we introduce the Intelligent
Code Analysis Agent (ICAA), a novel concept combining AI models, engineering
process designs, and traditional non-AI components. The ICAA employs the
capabilities of large language models (LLMs) such as GPT-3 or GPT-4 to
automatically detect and diagnose code errors and business logic
inconsistencies. In our exploration of this concept, we observed a substantial
improvement in bug detection accuracy, reducing the false-positive rate to 66%
from the baseline's 85%, and a promising recall rate of 60.8%. However, the
token consumption cost associated with LLMs, particularly the average cost for
analyzing each line of code, remains a significant consideration for widespread
adoption. Despite this challenge, our findings suggest that the ICAA holds
considerable potential to revolutionize software quality assurance,
significantly enhancing the efficiency and accuracy of bug detection in the
software development process. We hope this pioneering work will inspire further
research and innovation in this field, focusing on refining the ICAA concept
and exploring ways to mitigate the associated costs.
Software Design Change Artifacts Generation through Software Architectural Change Detection and Categorisation
Software is designed, implemented, tested, and inspected solely by expert people, unlike other engineering projects, which are mostly implemented by workers (non-experts) after being designed by engineers. Researchers and practitioners have linked software bugs, security holes, problematic integration of changes, a complex-to-understand codebase, unwarranted mental pressure, and so on in software development and maintenance to inconsistent and complex design and to a lack of ways to easily understand what is going on and what to plan in a software system. The unavailability of proper information and insights needed by the development teams to make good decisions makes these challenges worse. Therefore, extracting software design documents and other insightful information is essential to reduce the above-mentioned anomalies. Moreover, extracting architectural design artifacts is required to create a developer's profile to be available to the market for many crucial scenarios. To that end, architectural change detection, categorization, and change description generation are crucial because they are the primary artifacts to trace other software artifacts.
However, it is not feasible for humans to analyze all the changes in a single release to detect changes and their impact, because doing so is time-consuming, laborious, costly, and inconsistent. In this thesis, we conduct six studies addressing the mentioned challenges to automate architectural change information extraction and document generation that could potentially assist development and maintenance teams. In particular, (1) we detect architectural changes using lightweight techniques leveraging textual and codebase properties, (2) categorize them considering intelligent perspectives, and (3) generate design change documents by exploiting precise contexts of components' relations and change purposes, which were previously unexplored. Our experiments using 4000+ architectural change samples and 200+ design change documents suggest that our proposed approaches are promising in accuracy and scalability to deploy frequently. Our proposed change detection approach can detect up to 100% of the architectural change instances (and is very scalable). On the other hand, our proposed change classifier's F1 score is 70%, which is promising given the challenges. Finally, our proposed system can produce descriptive design change artifacts with 75% significance. Since most of our studies are foundational, our approaches and prepared datasets can be used as baselines for advancing research in design change information extraction and documentation.