Automatic Detection and Fixing of Java XXE Vulnerabilities Using Static Source Code Analysis and Instance Tracking

Web security is an important part of any web-based software system. XML External Entity (XXE) attacks are one of web applications’ most significant security risks. A successful XXE attack can have severe consequences like Denial-of-Service (DoS), remote code execution, and information extraction. Many Java codes are vulnerable to XXE due to missing the proper setting of the parser’s security attributes after initializing the instance of the parser. To fix such vulnerabilities, we invented a novel instance tracking approach to detect Java XXE vulnerabilities and integrated the approach into a vulnerability detection plugin of Integrated Development Environment (IDE). We have also implemented auto-fixes for the identified XXE vulnerabilities by modifying the source code’s Abstract Syntax Tree (AST). The detection and auto-fixing approaches were evaluated using typical Java code vulnerable to XXE. The evaluation results showed that our detection approach provided 100% precision and recall in detecting the XXE vulnerabilities and correctly fixed 86% of the identified vulnerabilities

Efficient Avoidance of Vulnerabilities in Auto-completed Smart Contract Code Using Vulnerability-constrained Decoding

Auto-completing code enables developers to speed up coding significantly. Recent advances in transformer-based large language model (LLM) technologies have been applied to code synthesis. However, studies show that many of such synthesized codes contain vulnerabilities. We propose a novel vulnerability-constrained decoding approach to reduce the amount of vulnerable code generated by such models. Using a small dataset of labeled vulnerable lines of code, we fine-tune an LLM to include vulnerability labels when generating code, acting as an embedded classifier. Then, during decoding, we deny the model to generate these labels to avoid generating vulnerable code. To evaluate the method, we chose to automatically complete Ethereum Blockchain smart contracts (SCs) as the case study due to the strict requirements of SC security. We first fine-tuned the 6-billion-parameter GPT-J model using 186,397 Ethereum SCs after removing the duplication from 2,217,692 SCs. The fine-tuning took more than one week using ten GPUs. The results showed that our fine-tuned model could synthesize SCs with an average BLEU (BiLingual Evaluation Understudy) score of 0.557. However, many codes in the auto-completed SCs were vulnerable. Using the code before the vulnerable line of 176 SCs containing different types of vulnerabilities to auto-complete the code, we found that more than 70% of the auto-completed codes were insecure. Thus, we further fine-tuned the model on other 941 vulnerable SCs containing the same types of vulnerabilities and applied vulnerability-constrained decoding. The fine-tuning took only one hour with four GPUs. We then auto-completed the 176 SCs again and found that our approach could identify 62% of the code to be generated as vulnerable and avoid generating 67% of them, indicating the approach could efficiently and effectively avoid vulnerabilities in the auto-completed code.Comment: 12 pages, 8 figures, 2 tables, 5 listings, accepted to the 34th IEEE International Symposium on Software Reliability Engineering (ISSRE 2023

Selection of third party software in Off-The-Shelf-based software development: an interview study with industrial practitioners

The success of software development using third party components highly depends on the ability to select a suitable component for the intended application. The evidence shows that there is limited knowledge about current industrial OTS selection practices. As a result, there is often a gap between theory and practice, and the proposed methods for supporting selection are rarely adopted in the industrial practice. This paper's goal is to investigate the actual industrial practice of component selection in order to provide an initial empirical basis that allows the reconciliation of research and industrial endeavors. The study consisted of semi-structured interviews with 23 employees from 20 different software-intensive companies that mostly develop web information system applications. It provides qualitative information that help to further understand these practices, and emphasize some aspects that have been overlooked by researchers. For instance, although the literature claims that component repositories are important for locating reusable components; these are hardly used in industrial practice. Instead, other resources that have not received considerable attention are used with this aim. Practices and potential market niches for software-intensive companies have been also identified. The results are valuable from both the research and the industrial perspectives as they provide a basis for formulating well-substantiated hypotheses and more effective improvement strategies.Peer ReviewedPostprint (author's final draft

Blockchain and Sustainability: A Tertiary Study

Blockchain is an emerging technology with potential to address issues related to sustainability. Literature reviews on blockchain and sustainability exist, but there is a need to consolidate existing results, in particular, in terms of Sustainable Development Goals (SDG). This extended abstract presents an ongoing tertiary study based on existing literature reviews to investigate the relationship between blockchain and sustainability in terms of SDGs. Results from a pilot analysis of 18 reviews using thematic analysis are presented.Comment: Accepted by BoKSS 2021, to be published by IEE

Testing and verification of neural-network-based safety-critical control software: A systematic literature review

Context: Neural Network (NN) algorithms have been successfully adopted in a number of Safety-Critical Cyber-Physical Systems (SCCPSs). Testing and Verification (T&V) of NN-based control software in safety-critical domains are gaining interest and attention from both software engineering and safety engineering researchers and practitioners. Objective: With the increase in studies on the T&V of NN-based control software in safety-critical domains, it is important to systematically review the state-of-the-art T&V methodologies, to classify approaches and tools that are invented, and to identify challenges and gaps for future studies. Method: We retrieved 950 papers on the T&V of NN-based Safety-Critical Control Software (SCCS). To reach our result, we filtered 83 primary papers published between 2001 and 2018, applied the thematic analysis approach for analyzing the data extracted from the selected papers, presented the classification of approaches, and identified challenges. Conclusion: The approaches were categorized into five high-order themes: assuring robustness of NNs, assuring safety properties of NN-based control software, improving the failure resilience of NNs, measuring and ensuring test completeness, and improving the interpretability of NNs. From the industry perspective, improving the interpretability of NNs is a crucial need in safety-critical applications. We also investigated nine safety integrity properties within four major safety lifecycle phases to investigate the achievement level of T&V goals in IEC 61508-3. Results show that correctness, completeness, freedom from intrinsic faults, and fault tolerance have drawn most attention from the research community. However, little effort has been invested in achieving repeatability; no reviewed study focused on precisely defined testing configuration or on defense against common cause failure.Comment: This paper had been submitted to Journal of Information and Software Technology on April 20, 2019,Revised 5 December 2019, Accepted 6 March 2020, Available online 7 March 202

Towards a business analytics capability for the circular economy

Digital technologies are growing in importance for accelerating firms’ circular economy transition. However, so far, the focus has primarily been on the technical aspects of implementing these technologies with limited research on the organizational resources and capabilities required for successfully leveraging digital technologies for circular economy. To address this gap, this paper explores the business analytics resources firms should develop and how these should be orchestrated towards a firm-wide capability. The paper proposes a conceptual model highlighting eight business analytics resources that, in combination, build a business analytics capability for the circular economy and how this relates to firms’ circular economy implementation, resource orchestration capability, and competitive performance. The model is based on the results of a thematic analysis of 15 semi-structured expert interviews with key positions in industry. Our approach is informed by and further develops, the theory of the resource-based view and the resource orchestration view. Based on the results, we develop a deeper understanding of the importance of taking a holistic approach to business analytics when leveraging data and analytics towards a more efficient and effective digital-enabled circular economy, the smart circular economy.publishedVersio

A Conceptual Framework for Smart City International Standards

Smart cities construction has been a global focus during the past ten years. It contributes to the achievement of the sustainability development goals (for economy, society, and environment) by leveraging information and communication technologies (ICTs). International organizations (such as ISO, IEC, and ITU-T) have developed standards to encapsulate precise and state-of-the-art knowledge regarding research, practice and policy. However, thousands of such standards have not been fully used due to the lack of generally agreed vocabularies or frameworks. In this article, a conceptual framework named ‘ALL’ is proposed. Some initial evaluations on the proposed framework have been performed. The result shows that the framework could help people observe, organize and use such standards more efficiently. Some preliminary conversations with governments prove the potential usefulness of the framework in practice

Automatic translation from FBD-PLC-programs to NuSMV for model checking safety-critical control systems

Programmable logic controllers (PLCs) are digital control systems, commonly used in industrial automation and safety-critical applications. Control systems used in safety-critical areas must undergo an extensive and thorough certification and verification process. In safety-critical applications, the PLC programming standard IEC 61131-3 is widely accepted in industry. PLC programmers who develop control systems for safety-critical systems are often required to verify the logic of PLCs by using formal methods such as model checking. Translating manually from a PLC program to the input language of a model checker takes times and is often error-prone. We develop a compiler to automatically translate PLC programs in the function block diagram (FBD) language, one of five industry standard PLC programming notations, to the input language of the model checker NuSMV. We have evaluated correctness, robustness, and performance of the PLC-NuSMV compiler using a case study. Evaluation results show that the compiler can translate the PLC programs correctly. The compiler can also identify several input errors and can scale to relative large PLC programs