Example-Based Vulnerability Detection and Repair in Java Code
The Java libraries JCA and JSSE provide various cryptographic APIs to facilitate secure coding. Prior work shows that many developers misuse some of these APIs and consequently implement security features in insecure ways; such security-API misuses can introduce vulnerabilities into codebases, leaving software vulnerable to cyber attacks. To eliminate these API-related vulnerabilities, tools have been built to automatically detect security-API misuses via pattern matching. However, most of these tools do not (1) automatically fix misuses or (2) allow users to extend the pattern set inside the tools. To overcome both limitations, we developed Seader, an example-based approach that detects and repairs security-API misuses. Given an exemplar insecure code snippet and its secure counterpart, Seader compares the snippets to infer the API-misuse template and the corresponding fixing edit. Based on the inferred information, Seader performs inter-procedural static analysis on a given program to search for security-API misuses and to propose customized fixes.
For evaluation, we applied Seader to 28 ⟨insecure, secure⟩ code pairs, and Seader successfully inferred 21 unique API-misuse templates as well as related fixes. With these ⟨vulnerability, fix⟩ patterns, we applied Seader to a third-party program benchmark that contains in total 86 known vulnerabilities. Our experiment shows that Seader detected vulnerabilities with 95% precision, 72% recall, and 82% F-score. Additionally, we applied Seader to 100 Apache open-source projects and sampled 77 of the suggested repairs for manual inspection; we found that Seader often customized repairs correctly. Seader can help reduce the technical barrier for developers to correctly use security APIs.
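As an added illustration (not Seader's own code and not taken from the paper), the following Python sketches the example-based idea from the abstract on a single statement: it diffs a constructed ⟨insecure, secure⟩ JCA pair to infer a misuse template with holes and a fixing edit, then matches that template in a target program and customises the fix to the program's own variable names. The exemplar pair (ECB mode versus GCM mode) and the target program are assumptions, and Seader's inter-procedural analysis is not modelled.

```python
import re
# Constructed <insecure, secure> exemplar pair (an assumed, typical JCA misuse,
# not one taken from the paper): ECB mode is replaced by an authenticated mode.
INSECURE = 'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");'
SECURE = 'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");'
# Constructed target program; note that it names the variable differently.
PROGRAM = """SecretKey key = gen.generateKey();
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);"""

def tokenize(src):  # string literal | identifier | single symbol
    return re.findall(r'"[^"]*"|[A-Za-z_]\w*|\S', src)

def infer_template(insecure, secure):
    """Align the exemplars token by token: shared lower-case identifiers that are not
    method calls become holes ($i); the tokens that differ form the pattern and fix."""
    a, b = tokenize(insecure), tokenize(secure)
    if len(a) != len(b):
        raise ValueError("exemplars must align token by token")
    pattern, fix = [], []
    for i, (ta, tb) in enumerate(zip(a, b)):
        nxt = a[i + 1] if i + 1 < len(a) else ""
        if ta == tb and re.fullmatch(r"[a-z]\w*", ta) and nxt != "(":
            ta = tb = f"${i}"
        pattern.append(ta)
        fix.append(tb)
    return pattern, fix

def render(tokens):
    """Join tokens back into Java-looking source text."""
    out = ""
    for t in tokens:
        out += ("" if not out or t in ".;,()" or out.endswith((".", "(")) else " ") + t
    return out

def find_and_fix(program, pattern, fix):
    """Slide the template over the program's tokens; a hole binds to whatever name the
    program uses, and that binding customises the fix. Returns (original, repaired) pairs."""
    toks, hits = tokenize(program), []
    for start in range(len(toks) - len(pattern) + 1):
        window, binding = toks[start:start + len(pattern)], {}
        for p, t in zip(pattern, window):
            if p.startswith("$") and re.fullmatch(r"[A-Za-z_]\w*", t):
                if binding.setdefault(p, t) != t:
                    break  # the same hole cannot bind two different names
            elif p != t:
                break
        else:
            hits.append((render(window), render([binding.get(f, f) for f in fix])))
    return hits
```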
Mon 16 May, 08:00 - 08:30 (time zone: Eastern Time, US & Canada)
Automated Identification of Libraries from Vulnerability Data: Can We Do Better?
Stefanus Agus Haryono (Singapore Management University), Hong Jin Kang (Singapore Management University), Abhishek Sharma (Veracode, Inc.), Asankhaya Sharma (Veracode, Inc.), Andrew Santosa (Veracode, Inc.), Ang Ming Yi (Veracode, Inc.), David Lo (Singapore Management University)

Example-Based Vulnerability Detection and Repair in Java Code
Ying Zhang (Virginia Tech, USA), Ya Xiao (Virginia Tech), Md Mahir Asef Kabir (Department of Computer Science, Virginia Tech), Daphne Yao (Virginia Tech), Na Meng (Virginia Tech)

Deep security analysis of program code - A systematic literature review
Tim Sonnekalb, Thomas S. Heinze (Aarhus University, Denmark), Patrick Mäder (Technische Universität Ilmenau)

Q&A: Paper Session 5