Early Vulnerability Detection for Supporting Secure Programming

I recently finished my master’s degree. Now I am sharing my dissertation so other people can continue the work I started.

Secure programming is the practice of writing programs that are resistant to attacks by malicious people or programs. Programmers of secure software have to be continuously aware of security vulnerabilities when writing their program statements. They also ought to continuously perform actions for preventing or removing vulnerabilities from their programs. In order to support these activities, static analysis techniques have been devised to find vulnerabilities in the source code. However, most of these techniques are built to encourage vulnerability detection a posteriori, only when developers have already fully produced (and compiled) one or more modules of a program. Therefore, this approach, also known as late detection, does not support secure programming but rather encourages posterior security analysis. The lateness of vulnerability detection is also influenced by the high rate of false positives, yielded by pattern matching, the underlying mechanism used by existing static analysis techniques. The goal of this dissertation is twofold. First, we propose to perform continuous detection of security vulnerabilities while the developer is editing each program statement, also known as early detection. Early detection can leverage his knowledge on the context of the code being created, contrary to late detection when developers struggle to recall and fix the intricacies of the vulnerable code they produced from hours to weeks ago. Our continuous vulnerability detector is incorporated into the editor of an integrated software development environment. Second, we explore a technique originally created and commonly used for implementing optimizations on compilers, called data flow analysis, hereinafter referred as DFA. DFA has the ability to follow the path of an object until its origins or to paths where it had its content changed. DFA might be suitable for finding if an object has a vulnerable path. To this end, we have implemented a proof-of-concept Eclipse plugin for continuous vulnerability detection in Java programs. We also performed two empirical studies based on several industry-strength systems to evaluate if the code security can be improved through DFA and early vulnerability detection. Our studies confirmed that: (i) the use of data flow analysis significantly reduces the rate of false positives when compared to existing techniques, without being detrimental to the detector performance, and (ii) early detection improves the awareness among developers and encourages programmers to fix security vulnerabilities promptly.

If you want to read the whole dissertation, you can download it here. I would love to receive your feedback about it.

Keywords
Early detection; security vulnerability; data flow analysis; secure programming.

Tweet about this on TwitterShare on StumbleUponShare on Google+Share on LinkedInShare on Facebook

2 Responses to “Early Vulnerability Detection for Supporting Secure Programming”

  1. Michael Courcy Says:

    Hi

    I’ve been giving a try to your plugin, it’s very interesting. I have two things to ask.

    First : I modify the test02 method this way introducing a fake sanitize method :

    private void test02(Enumeration getAttributeNames) {
    getAttributeNames = sanitizeForTest02(getAttributeNames);
    while (getAttributeNames.hasMoreElements()) {
    request.setAttribute(“a”, getAttributeNames.nextElement());
    request.setAttribute(“b”, “”);
    }
    }

    private Enumeration sanitizeForTest02(final Enumeration getAttributeNames) {
    // TODO Auto-generated method stub
    return new Enumeration() {

    @Override
    public boolean hasMoreElements() {
    return getAttributeNames.hasMoreElements();
    }

    @Override
    public String nextElement() {
    //don’t sanitize actually …
    return getAttributeNames.nextElement();
    }

    };
    }

    The sanitizeForTest02 don’t sanitize anything actually, but the security warning vanish, if I come back to the initial code it appears again.

    Second is you project open source ? and if yes do you have github repository to report bug or enhancement ant propose pull request.

    Thanks for this nice contribution, it really look promising.

  2. Luciano Sampaio Says:

    HI Michael Courcy,

    I am really glad you liked my project. 🙂

    Checking the code you have provided I noticed that you just found a bug on my plugin. I can see that the code is not secure but the plugin thinks the code has been sanitized. The project and the plugin were created while I was doing my masters degreed and I never had the chance to make it open source. I do have a github repository but it is private. I will talk to my advisor and let you know.

    Thank you very much for your comment and talk to you later,
    Luciano Sampaio

Leave a Reply

Time limit is exhausted. Please reload CAPTCHA.