Open source components (OSCs) have become a vital part of developing modern applications. The security of these components affects the overall security of the software that depends on them, so the security of an OSC should be evaluated before it is integrated. However, existing models lack generality and cannot easily be applied automatically to OSCs written in different programming languages. To this end, we propose a security assessment model for OSCs, called CRAM, which features generality and automation. The model is built on the hypothesis that an OSC with a larger and more active community is more likely to disclose more vulnerabilities, and it evaluates the security of an OSC from the size and activity of its open source community and from its vulnerability disclosures. In the experiment section, we present validation and application experiments. In the validation experiment, we find that the basic hypothesis of the model holds: there is a positive correlation between community size and activity and the vulnerability risk of OSCs. In the application experiment, we further evaluate our approach on large-scale open source components, and the hypothesis is validated again: most OSCs in the ecosystem are in line with it. Finally, we build a security baseline from the hypothesis, and five OSCs classified as vulnerable by our model are analyzed. The result demonstrates the effectiveness of our model in identifying vulnerable open source components within the ecosystem.
One of the most effective methods for detecting software security vulnerabilities is taint analysis. Some software defects originate from external input data; analyzing the taint sources and the propagation of data from these sources to the defect points through static analysis helps explain the causes of software defects and makes them easier to debug. This paper combines intraprocedural and interprocedural analysis to obtain global taint source information. A novel propagation path calculation algorithm is proposed, incorporating predecessor node computation and alias analysis, which effectively reduces the negative impact of irrelevant code on the performance of taint analysis. The method not only helps detect errors that lead to vulnerabilities but also analyzes the impact of vulnerable input data on the system. Based on the global taint source analysis algorithm, we developed a static taint source analysis prototype tool for C programs, called AWsTS. Experiments on five open-source projects show that AWsTS improves the accuracy of analysis results without increasing the required analysis time. The average precision for intraprocedural taint source analysis is 93.4% and the average recall is 90.2%; for interprocedural taint source analysis, the average precision is 87.6% and the average recall is 84.9%. Additionally, AWsTS can output taint propagation paths, providing valuable support for further taint analysis.
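The abstract names three ingredients of the path calculation: predecessor node computation, alias analysis, and the combination of intraprocedural and interprocedural analysis. The following Python program is an added illustration of those ideas and is not AWsTS code or its input format: it runs a worklist may-taint analysis over a constructed three-address CFG, inverts the successor lists to get predecessors, keeps a points-to map so taint flows through `p = &data; x = *p`, re-analyses a callee under the caller's tainted arguments, and reconstructs the source-to-sink path from recorded provenance. The IR, the op names and the toy program are this example's own assumptions.

```python
"""Added example (not AWsTS code): a small forward taint analysis over a
three-address CFG with predecessor computation, a points-to map for aliases,
and an interprocedural step that re-analyses a callee under the caller's
tainted arguments, then prints source-to-sink propagation paths."""
from collections import defaultdict, deque

# Constructed toy program (assumed IR, not the tool's real input format).
# ops: source  dst = read()      addr  dst = &src0   load   dst = *src0   store  *dst = src0
#      assign  dst = f(src..)    call  dst = callee(src..)   sink  use(src0)   ret  return src0
PROGRAM = {
    "main": {"params": [], "entry": 1, "nodes": {
        1: {"op": "source", "dst": "data", "src": [], "succ": [2]},
        2: {"op": "addr", "dst": "p", "src": ["data"], "succ": [3]},
        3: {"op": "load", "dst": "x", "src": ["p"], "succ": [4, 5]},
        4: {"op": "assign", "dst": "count", "src": [], "succ": [6]},      # count = 0
        5: {"op": "assign", "dst": "count", "src": ["x"], "succ": [6]},   # count = len(x)
        6: {"op": "call", "dst": "cmd", "src": ["x", "count"], "callee": "build", "succ": [7]},
        7: {"op": "sink", "dst": None, "src": ["cmd"], "succ": []},       # system(cmd)
    }},
    "build": {"params": ["a", "b"], "entry": 10, "nodes": {
        10: {"op": "assign", "dst": "r", "src": ["a"], "succ": [11]},     # r = fmt(a); b is irrelevant
        11: {"op": "ret", "dst": None, "src": ["r"], "succ": []},
    }},
}


def predecessors(nodes):
    """Invert successor lists: taint entering a node is the union over its predecessors."""
    pred = defaultdict(set)
    for nid, st in nodes.items():
        for s in st["succ"]:
            pred[s].add(nid)
    return pred


def taint_path(origin, var):
    """Walk provenance back to the source, splicing in callee-internal nodes."""
    labels, cur = [], var
    while cur is not None and cur in origin:
        node, parent, inner = origin[cur]
        labels, cur = [node] + inner + labels, parent
    return labels


def analyze(fname, bound=None, program=PROGRAM):
    """Worklist may-taint analysis of one function.

    bound maps a callee parameter to the caller variable that tainted it.
    Returns (findings, origin, ret_var): findings are (sink, path) pairs; origin
    maps var -> (node label, parent var, callee-internal labels); ret_var is the
    returned variable if it is tainted, else None.
    """
    bound = bound or {}
    fn = program[fname]
    nodes, pred = fn["nodes"], predecessors(fn["nodes"])
    points_to, taint_out, origin = defaultdict(set), {}, {}
    findings, ret_var, seen = [], None, set()
    work = deque([fn["entry"]])

    def mark(var, parent, inner=()):      # gen: var becomes tainted at the current node
        out.add(var)
        origin.setdefault(var, (label, parent, list(inner)))

    while work:
        n = work.popleft()
        st, label = nodes[n], f"{fname}:{n}"
        inp = set(bound) if n == fn["entry"] else set()
        for p in pred[n]:
            inp |= taint_out.get(p, set())
        out = set(inp)
        op, dst, src = st["op"], st["dst"], st["src"]
        if op == "source":
            mark(dst, None)
        elif op in ("assign", "load"):
            cands = src if op == "assign" else points_to[src[0]]   # a load reads the pointees
            tainted = [v for v in cands if v in inp]
            if tainted:
                mark(dst, tainted[0])
            else:
                out.discard(dst)                   # kill: overwritten with clean data
        elif op == "addr":
            points_to[dst].add(src[0])
            out.discard(dst)                       # the pointer value itself is clean
        elif op == "store" and src[0] in inp:
            for t in points_to[dst]:               # weak update: every possible pointee
                mark(t, src[0])
        elif op == "call":
            callee = program[st["callee"]]
            sub_bound = {p: a for p, a in zip(callee["params"], src) if a in inp}
            sub_find, sub_origin, sub_ret = analyze(st["callee"], sub_bound, program)
            findings.extend(sub_find)
            if sub_ret is None:
                out.discard(dst)
            else:                                  # trace the return value back to a parameter
                inner, cur = [], sub_ret
                while cur is not None and cur not in sub_bound:
                    node, parent, deeper = sub_origin[cur]
                    inner, cur = [node] + deeper + inner, parent
                mark(dst, sub_bound.get(cur), inner)
        elif op == "sink":
            for s in src:
                if s in inp:
                    findings.append((label, taint_path(origin, s) + [label]))
        elif op == "ret":
            ret_var = src[0] if src[0] in inp else None
        if n not in seen or out != taint_out[n]:   # iterate to a fixpoint
            seen.add(n)
            taint_out[n] = out
            work.extend(st["succ"])
    return findings, origin, ret_var


if __name__ == "__main__":
    for sink, path in analyze("main")[0]:
        print(sink, "<-", " -> ".join(path))
```

On the toy program this reports one path, `main:1 -> main:3 -> main:6 -> build:10 -> main:7`: the alias step at node 2 is what lets `x = *p` pick up the taint of `data`, the irrelevant `count` (tainted on one branch but unused by the callee) never appears in the path, and the callee node is spliced in because the call site records which parameter the tainted return value came from.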
Purpose: This paper proposes an automated approach for categorizing bug reports as security-related bug reports (SRBs) or non-security-related bug reports (NSBRs) using machine learning techniques and software vulnerability information. It addresses the challenges of identifying SRBs manually and provides an automated solution so that potential security risks are identified and addressed promptly.
Methods: The proposed approach uses software vulnerability information from authoritative sources such as the Common Weakness Enumeration (CWE), together with manually collected security-related keywords, to generate a list of security keywords. The authors use machine learning techniques and the performance measures F1, false positive rate (FPR), area under the curve (AUC), Balance and Accuracy to evaluate the approach. Non-parametric statistical tests, namely the Friedman test and the Kruskal–Wallis test, are conducted to compare the performance of different classifiers.
Results: The results of the paper indicate that XGBoost outperformed other classifiers in building bug prediction models. The proposed approach offers significant benefits over the traditional manual extraction of SRBs from large datasets using security-related keywords.
Conclusion: The paper concludes that automating the process of identifying SRBs is essential to ensure that potential security risks are identified and addressed promptly. The proposed approach provides an effective solution to the problem of identifying SRBs using machine learning techniques and software vulnerability information. The results of the paper highlight the importance of automating the process of identifying SRBs to ensure the security of software systems.
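To make the pipeline in the Purpose and Methods sections concrete, the following Python program is an added example and not the paper's code: it derives binary keyword features from a small constructed list of CWE-style terms, trains a from-scratch multinomial naive Bayes classifier (standing in for the paper's XGBoost and other models, which need external libraries), and computes the confusion-matrix measures the abstract names (F1, FPR, Balance, Accuracy; AUC is omitted because it needs ranked scores). The keyword list and the bug reports are constructed for the example; two test reports are chosen to show the failure modes of keyword features, a false positive and a false negative.

```python
"""Added example (not the paper's code): keyword features derived from a small,
constructed list of CWE-style terms, a from-scratch naive Bayes classifier in
place of the paper's XGBoost models, and the confusion-matrix metrics the
abstract names (F1, FPR, Balance, Accuracy)."""
import math
import re
from collections import Counter

# Constructed keyword list: an illustrative subset of the CWE-derived and
# hand-collected terms the paper describes.
SECURITY_KEYWORDS = [
    "buffer overflow", "overflow", "heap", "injection", "use after free",
    "cross site scripting", "xss", "csrf", "authentication", "bypass",
    "privilege", "denial of service",
]


def security_features(text):
    """Keyword features of one report, matched on normalised, space-padded text so
    'use-after-free' matches 'use after free' and 'header' never matches 'heap'."""
    norm = " " + re.sub(r"[^a-z0-9]+", " ", text.lower()) + " "
    feats = [kw for kw in SECURITY_KEYWORDS if f" {kw} " in norm]
    feats.append("any_kw" if feats else "no_kw")   # aggregate evidence either way
    return feats


class KeywordNB:
    """Multinomial naive Bayes over keyword features with Laplace smoothing."""

    def fit(self, reports, labels):
        self.prior = Counter(labels)
        self.counts = {0: Counter(), 1: Counter()}
        for text, y in zip(reports, labels):
            self.counts[y].update(security_features(text))
        self.vocab = len(SECURITY_KEYWORDS) + 2        # keywords + any_kw + no_kw
        return self

    def log_score(self, c, feats):
        total = sum(self.counts[c].values())
        score = math.log(self.prior[c] / sum(self.prior.values()))
        return score + sum(math.log((self.counts[c][f] + 1) / (total + self.vocab)) for f in feats)

    def predict(self, text):
        feats = security_features(text)
        return 1 if self.log_score(1, feats) > self.log_score(0, feats) else 0


def evaluate(y_true, y_pred):
    """Metrics from the confusion matrix; AUC is omitted because it needs ranked scores."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    tn = sum(t == 0 and p == 0 for t, p in zip(y_true, y_pred))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0            # true positive rate
    fpr = fp / (fp + tn) if fp + tn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    # Balance: distance from the ideal point (FPR=0, TPR=1), normalised to [0, 1].
    balance = 1 - math.sqrt(fpr ** 2 + (1 - recall) ** 2) / math.sqrt(2)
    return {"f1": f1, "fpr": fpr, "balance": balance, "accuracy": (tp + tn) / len(y_true)}


# Constructed bug reports (label 1 = security-related, 0 = not).
TRAIN = [
    ("Buffer overflow in image parser when reading malformed PNG header", 1),
    ("SQL injection via unsanitized search parameter", 1),
    ("Use-after-free in websocket close handler causes crash", 1),
    ("Authentication bypass when session token is empty", 1),
    ("Typo in settings dialog label", 0),
    ("Dark mode theme not applied to toolbar icons", 0),
    ("Crash when opening empty file in editor", 0),
    ("Build fails on macOS with clang 15", 0),
]
TEST = [
    ("Cross-site scripting in comment preview", 1),
    ("Heap overflow in zip extraction", 1),
    ("Menu icons misaligned on high-DPI screens", 0),
    ("Privilege escalation through writable config file", 1),
    ("Login page authentication timeout too short", 0),    # keyword, but not a security bug
    ("Malformed packet makes the server loop forever", 1),  # security bug without a keyword
]


def run_demo():
    clf = KeywordNB().fit([t for t, _ in TRAIN], [y for _, y in TRAIN])
    preds = [clf.predict(t) for t, _ in TEST]
    return preds, evaluate([y for _, y in TEST], preds)


if __name__ == "__main__":
    print(run_demo())
```

On the constructed test set the classifier predicts `[1, 1, 0, 1, 1, 0]`: the report that merely mentions "authentication" is a false positive and the keyword-free denial-of-service report is a false negative, which is why the paper measures FPR and Balance alongside F1 rather than precision alone. Here F1 = 0.75, FPR = 0.5, Accuracy = 0.667 and Balance = 0.605.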
This paper discusses issues of engineering access control solutions in distributed applications for enterprise computing environments. It reviews application-level access control available in existing middleware technologies, discusses open problems in these technologies, and surveys research efforts to address the problems.
Cryptographic misuse is an increasingly common issue in real-world systems. In this paper, we collected and summarized 224 cryptography vulnerabilities recorded in the CVE database over the previous five years and analyzed the implementation of cryptographic systems in 131 common Android application packages (APKs), to understand why certain cryptographic misuses are more likely to appear in certain scenarios. We present a systematic analysis of the relationship between particular cryptographic misuses and the characteristics of three actual platforms (mobile, embedded and server). We then propose several lightweight countermeasures to alleviate cryptographic misuse.
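The abstract does not detail the countermeasures, so the following Python scanner is an added example of one lightweight check of the kind such work motivates, not the paper's own tooling: line-oriented rules for common Android/JCE misuses (hard-coded keys, ECB or provider-default mode, broken algorithms, constant IVs, `java.util.Random` where a CSPRNG is needed), run over a constructed misusing snippet and its hardened counterpart. The regexes, their CWE mapping and both snippets are this example's own assumptions.

```python
"""Added example (not from the paper): a lightweight, line-oriented misuse
scanner for Java/Android crypto calls, run over two constructed snippets, a
misusing one and its hardened counterpart. The rules are heuristics; the CWE
mapping and the regexes are this example's own."""
import re

# (CWE id, pattern over one source line, explanation)
RULES = [
    ("CWE-321", re.compile(r'new\s+SecretKeySpec\(\s*"[^"]*"\.getBytes\('),
     "key material hard-coded in a string literal"),
    ("CWE-327", re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9_]+/ECB/'),
     "ECB mode leaks plaintext structure"),
    ("CWE-327", re.compile(r'Cipher\.getInstance\(\s*"AES"\s*\)'),
     'bare "AES" falls back to the provider default, ECB/PKCS5Padding on the common JCE providers'),
    ("CWE-327", re.compile(r'(Cipher|MessageDigest)\.getInstance\(\s*"(DES|RC4|ARCFOUR|MD5|SHA-?1)["/]'),
     "broken or deprecated algorithm"),
    ("CWE-329", re.compile(r'new\s+IvParameterSpec\(\s*(new\s+byte\[\d+\]|"[^"]*"\.getBytes\()'),
     "constant IV; CBC needs an unpredictable IV for every message"),
    ("CWE-338", re.compile(r'\bnew\s+(java\.util\.)?Random\('),
     "java.util.Random is not a CSPRNG; use SecureRandom for keys, IVs and salts"),
]


def scan(source):
    """Return (line number, CWE id, explanation) for every rule hit, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for cwe, pattern, why in RULES:
            if pattern.search(line):
                findings.append((lineno, cwe, why))
    return findings


# Constructed misusing snippet (not real app code).
MISUSE = """\
SecretKey key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher dflt = Cipher.getInstance("AES");
Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
byte[] salt = new byte[16]; new Random().nextBytes(salt);
MessageDigest md = MessageDigest.getInstance("MD5");
"""

# Constructed hardened counterpart: generated key, random nonce, AEAD mode.
HARDENED = """\
KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(256);
SecretKey key = kg.generateKey();
byte[] iv = new byte[12];
new SecureRandom().nextBytes(iv);
Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
"""

if __name__ == "__main__":
    for lineno, cwe, why in scan(MISUSE):
        print(f"line {lineno}: {cwe}: {why}")
    print("hardened snippet findings:", scan(HARDENED))
```

The scanner flags six lines of the misusing snippet and nothing in the hardened one. Being line-based, it misses misuses spread across statements (an IV zeroed on one line and wrapped in `IvParameterSpec` on another, or a key derived from a constant via a helper), which is exactly the gap that a data-flow-aware analysis of the kind studied in the papers above closes.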