ICPC 2022
Mon 16 - Tue 17 May 2022
co-located with ICSE 2022
Mon 16 May 2022 08:07 - 08:14 at ICPC room - Session 5: Security Chair(s): Na Meng

The Java libraries JCA and JSSE provide various cryptographic APIs to facilitate secure coding. Prior work shows that many developers misuse some of these APIs and consequently implement security features in insecure ways; such security-API misuses can introduce vulnerabilities into codebases, leaving software vulnerable to cyber attacks. To eliminate such API-related vulnerabilities, tools have been built to automatically detect security-API misuses via pattern matching. However, most of these tools neither (1) automatically fix misuses nor (2) let users extend the pattern set built into the tool. To overcome both limitations, we developed Seader, an example-based approach that detects and repairs security-API misuses. Given an exemplar insecure code snippet and its secure counterpart, Seader compares the snippets to infer an API-misuse template and the corresponding fixing edit. Based on the inferred information, given a program, Seader performs inter-procedural static analysis to search for security-API misuses and to propose customized fixes.

For evaluation, we applied Seader to 28 ⟨insecure, secure⟩ code pairs, and Seader successfully inferred 21 unique API-misuse templates as well as the related fixes. With these ⟨vulnerability, fix⟩ patterns, we applied Seader to a third-party program benchmark that contains 86 known vulnerabilities in total. Our experiment shows that Seader detected vulnerabilities with 95% precision, 72% recall, and 82% F-score. Additionally, we applied Seader to 100 Apache open-source projects and sampled 77 of the suggested repairs for manual inspection; we found that Seader often customized repairs correctly. Seader can help lower the technical barrier developers face in using security APIs correctly.
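As an added illustration, not code from the paper or from the Seader tool, here is the kind of ⟨insecure, secure⟩ Java pair the approach takes as input: a JCA `Cipher.getInstance("AES")` call that leaves mode and padding to the provider (ECB on SunJCE), beside its secure counterpart using AES/GCM with a fresh random nonce. The class and method names are assumptions, and the `main` runs a constructed two-block message to show why the template matters.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CipherPairExample { // constructed example; names are assumptions
    // Insecure exemplar: no mode/padding given, so the provider chooses; SunJCE
    // resolves "AES" to AES/ECB/PKCS5Padding, which maps equal blocks to equal blocks.
    static byte[] encryptInsecure(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // Secure counterpart: explicit AEAD mode, fresh 12-byte SecureRandom nonce per
    // message, nonce prepended so the receiver can rebuild the GCMParameterSpec.
    static byte[] encryptSecure(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // True when the two 16-byte ciphertext blocks starting at 'off' are equal.
    static boolean blocksRepeat(byte[] ct, int off) {
        return Arrays.equals(Arrays.copyOfRange(ct, off, off + 16),
                             Arrays.copyOfRange(ct, off + 16, off + 32));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed input: the same 16-byte block twice.
        byte[] block = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
        byte[] msg = new byte[32];
        System.arraycopy(block, 0, msg, 0, 16);
        System.arraycopy(block, 0, msg, 16, 16);
        System.out.println("ECB repeats block pattern: " + blocksRepeat(encryptInsecure(key, msg), 0));
        System.out.println("GCM repeats block pattern: " + blocksRepeat(encryptSecure(key, msg), 12));
    }
}
```

A pattern-based detector flags the first method from the transformation string alone; the second method is the fix shape such a tool would propose, with the nonce handling that a bare string replacement would miss.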

Mon 16 May

Displayed time zone: Eastern Time (US & Canada)

08:00 - 08:30
Session 5: Security (Research / Journal First) at ICPC room
Chair(s): Na Meng (Virginia Tech)
Automated Identification of Libraries from Vulnerability Data: Can We Do Better?
Stefanus Agus Haryono (Singapore Management University), Hong Jin Kang (Singapore Management University), Abhishek Sharma (Veracode, Inc.), Asankhaya Sharma (Veracode, Inc.), Andrew Santosa (Veracode, Inc.), Ang Ming Yi (Veracode, Inc.), David Lo (Singapore Management University)
Pre-print, Media Attached
Example-Based Vulnerability Detection and Repair in Java Code
Ying Zhang (Virginia Tech, USA), Ya Xiao (Virginia Tech), Md Mahir Asef Kabir (Department of Computer Science, Virginia Tech), Daphne Yao (Virginia Tech), Na Meng (Virginia Tech)
Media Attached
Deep security analysis of program code - A systematic literature review
Journal First
Tim Sonnekalb, Thomas S. Heinze (Aarhus University, Denmark), Patrick Mäder (Technische Universität Ilmenau)
Live Q&A
Q&A-Paper Session 5

Information for Participants
Mon 16 May 2022 08:00 - 08:30 at ICPC room - Session 5: Security Chair(s): Na Meng