Automatic Detection and Fixing of Java XXE Vulnerabilities Using Static Source Code Analysis and Instance Tracking
Web security is an important part of any web-based software
system. XML External Entity (XXE) attacks are one of web applications’
most significant security risks. A successful XXE attack can have severe
consequences like Denial-of-Service (DoS), remote code execution, and information extraction. Many Java codes are vulnerable to XXE due to missing the proper setting of the parser’s security attributes after initializing the instance of the parser. To fix such vulnerabilities, we invented a novel instance tracking approach to detect Java XXE vulnerabilities and integrated the approach into a vulnerability detection plugin of Integrated Development Environment (IDE). We have also implemented auto-fixes for the identified XXE vulnerabilities by modifying the source code’s Abstract Syntax Tree (AST). The detection and auto-fixing approaches were evaluated using typical Java code vulnerable to XXE. The evaluation results showed that our detection approach provided 100% precision and recall in detecting the XXE vulnerabilities and correctly fixed 86% of the identified vulnerabilities
Efficient Avoidance of Vulnerabilities in Auto-completed Smart Contract Code Using Vulnerability-constrained Decoding
Auto-completing code enables developers to speed up coding significantly.
Recent advances in transformer-based large language model (LLM) technologies
have been applied to code synthesis. However, studies show that many of such
synthesized codes contain vulnerabilities. We propose a novel
vulnerability-constrained decoding approach to reduce the amount of vulnerable
code generated by such models. Using a small dataset of labeled vulnerable
lines of code, we fine-tune an LLM to include vulnerability labels when
generating code, acting as an embedded classifier. Then, during decoding, we
deny the model to generate these labels to avoid generating vulnerable code. To
evaluate the method, we chose to automatically complete Ethereum Blockchain
smart contracts (SCs) as the case study due to the strict requirements of SC
security. We first fine-tuned the 6-billion-parameter GPT-J model using 186,397
Ethereum SCs after removing the duplication from 2,217,692 SCs. The fine-tuning
took more than one week using ten GPUs. The results showed that our fine-tuned
model could synthesize SCs with an average BLEU (BiLingual Evaluation
Understudy) score of 0.557. However, many codes in the auto-completed SCs were
vulnerable. Using the code before the vulnerable line of 176 SCs containing
different types of vulnerabilities to auto-complete the code, we found that
more than 70% of the auto-completed codes were insecure. Thus, we further
fine-tuned the model on other 941 vulnerable SCs containing the same types of
vulnerabilities and applied vulnerability-constrained decoding. The fine-tuning
took only one hour with four GPUs. We then auto-completed the 176 SCs again and
found that our approach could identify 62% of the code to be generated as
vulnerable and avoid generating 67% of them, indicating the approach could
efficiently and effectively avoid vulnerabilities in the auto-completed code.
Comment: 12 pages, 8 figures, 2 tables, 5 listings, accepted to the 34th IEEE
International Symposium on Software Reliability Engineering (ISSRE 2023)
Selection of third party software in Off-The-Shelf-based software development: an interview study with industrial practitioners
The success of software development using third party components highly depends on the ability to select a suitable component for the intended application. The evidence shows that there is limited knowledge about current industrial OTS selection practices. As a result, there is often a gap between theory and practice, and the proposed methods for supporting selection are rarely adopted in the industrial practice. This paper's goal is to investigate the actual industrial practice of component selection in order to provide an initial empirical basis that allows the reconciliation of research and industrial endeavors. The study consisted of semi-structured interviews with 23 employees from 20 different software-intensive companies that mostly develop web information system applications. It provides qualitative information that helps to further understand these practices, and emphasizes some aspects that have been overlooked by researchers. For instance, although the literature claims that component repositories are important for locating reusable components; these are hardly used in industrial practice. Instead, other resources that have not received considerable attention are used with this aim. Practices and potential market niches for software-intensive companies have been also identified. The results are valuable from both the research and the industrial perspectives as they provide a basis for formulating well-substantiated hypotheses and more effective improvement strategies.
Peer Reviewed. Postprint (author's final draft)
Blockchain and Sustainability: A Tertiary Study
Blockchain is an emerging technology with potential to address issues related
to sustainability. Literature reviews on blockchain and sustainability exist,
but there is a need to consolidate existing results, in particular, in terms of
Sustainable Development Goals (SDG). This extended abstract presents an ongoing
tertiary study based on existing literature reviews to investigate the
relationship between blockchain and sustainability in terms of SDGs. Results
from a pilot analysis of 18 reviews using thematic analysis are presented.
Comment: Accepted by BoKSS 2021, to be published by IEE
Testing and verification of neural-network-based safety-critical control software: A systematic literature review
Context: Neural Network (NN) algorithms have been successfully adopted in a
number of Safety-Critical Cyber-Physical Systems (SCCPSs). Testing and
Verification (T&V) of NN-based control software in safety-critical domains are
gaining interest and attention from both software engineering and safety
engineering researchers and practitioners. Objective: With the increase in
studies on the T&V of NN-based control software in safety-critical domains, it
is important to systematically review the state-of-the-art T&V methodologies,
to classify approaches and tools that are invented, and to identify challenges
and gaps for future studies. Method: We retrieved 950 papers on the T&V of
NN-based Safety-Critical Control Software (SCCS). To reach our result, we
filtered 83 primary papers published between 2001 and 2018, applied the
thematic analysis approach for analyzing the data extracted from the selected
papers, presented the classification of approaches, and identified challenges.
Conclusion: The approaches were categorized into five high-order themes:
assuring robustness of NNs, assuring safety properties of NN-based control
software, improving the failure resilience of NNs, measuring and ensuring test
completeness, and improving the interpretability of NNs. From the industry
perspective, improving the interpretability of NNs is a crucial need in
safety-critical applications. We also investigated nine safety integrity
properties within four major safety lifecycle phases to investigate the
achievement level of T&V goals in IEC 61508-3. Results show that correctness,
completeness, freedom from intrinsic faults, and fault tolerance have drawn
most attention from the research community. However, little effort has been
invested in achieving repeatability; no reviewed study focused on precisely
defined testing configuration or on defense against common cause failure.
Comment: This paper had been submitted to Journal of Information and Software
Technology on April 20, 2019, Revised 5 December 2019, Accepted 6 March 2020,
Available online 7 March 202
Towards a business analytics capability for the circular economy
Digital technologies are growing in importance for accelerating firms’ circular economy transition. However, so far, the focus has primarily been on the technical aspects of implementing these technologies with limited research on the organizational resources and capabilities required for successfully leveraging digital technologies for circular economy. To address this gap, this paper explores the business analytics resources firms should develop and how these should be orchestrated towards a firm-wide capability. The paper proposes a conceptual model highlighting eight business analytics resources that, in combination, build a business analytics capability for the circular economy and how this relates to firms’ circular economy implementation, resource orchestration capability, and competitive performance. The model is based on the results of a thematic analysis of 15 semi-structured expert interviews with key positions in industry. Our approach is informed by and further develops, the theory of the resource-based view and the resource orchestration view. Based on the results, we develop a deeper understanding of the importance of taking a holistic approach to business analytics when leveraging data and analytics towards a more efficient and effective digital-enabled circular economy, the smart circular economy.
A Conceptual Framework for Smart City International Standards
Smart cities construction has been a global focus during the past ten years. It contributes to the achievement of the sustainability development goals (for economy, society, and environment) by leveraging information and communication technologies (ICTs). International organizations (such as ISO, IEC, and ITU-T) have developed standards to encapsulate precise and state-of-the-art knowledge regarding research, practice and policy. However, thousands of such standards have not been fully used due to the lack of generally agreed vocabularies or frameworks. In this article, a conceptual framework named ‘ALL’ is proposed. Some initial evaluations on the proposed framework have been performed. The result shows that the framework could help people observe, organize and use such standards more efficiently. Some preliminary conversations with governments prove the potential usefulness of the framework in practice
Automatic translation from FBD-PLC-programs to NuSMV for model checking safety-critical control systems
Programmable logic
controllers (PLCs) are digital control systems, commonly used in industrial automation and
safety-critical applications. Control systems used in
safety-critical areas must undergo an extensive and
thorough certification and verification process. In
safety-critical applications, the PLC programming
standard IEC 61131-3 is widely accepted in
industry. PLC programmers who develop control
systems for safety-critical systems are often required
to verify the logic of PLCs by using formal methods
such as model checking. Translating manually from a
PLC program to the input language of a model checker
takes time and is often error-prone.
We develop a compiler to automatically translate PLC programs in the function block diagram (FBD) language, one of five industry standard PLC programming notations, to the input language of the model checker NuSMV. We have evaluated correctness, robustness, and performance of the PLC-NuSMV compiler using a case study. Evaluation results show that the compiler can translate the PLC programs correctly. The compiler can also identify several input errors and can scale to relatively large PLC programs