This document presents a study on automatically detecting protection-impacting changes (PICs) in WordPress and MediaWiki source code versions. The study involved analyzing 211 WordPress and 193 MediaWiki release pairs to identify PICs using an existing tool. Characteristics of identified PIC commits were analyzed and machine learning models were developed that achieved high accuracy in predicting PICs. Future work could involve introducing new security metrics to improve models and expanding the research to other systems beyond PHP.
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR... (IJNSA Journal)
This paper presents the source code analysis of a file reader server socket program (connection-oriented sockets) developed in Java, to illustrate the identification, impact analysis and solutions to remove five important software security vulnerabilities, which if left unattended could severely impact the server running the software and also the network hosting the server. The five vulnerabilities we study in this paper are: (1) Resource Injection, (2) Path Manipulation, (3) System Information Leak, (4) Denial of Service and (5) Unreleased Resource vulnerabilities. We analyze the reason why each of these vulnerabilities occurs in the file reader server socket program, discuss the impact of leaving them unattended in the program, and propose solutions to remove each of these vulnerabilities from the program. We also analyze any potential performance tradeoffs (such as increase in code size and loss of features) that could arise while incorporating the proposed solutions on the server program. The proposed solutions are very generic in nature, and can be suitably modified to correct any such vulnerabilities in software developed in any other programming language. We use the Fortify Source Code Analyzer to conduct the source code analysis of the file reader server program, implemented on a Windows XP virtual machine with the standard J2SE v.7 development kit.
Software Defect Prediction Techniques in the Automotive Domain: Evaluation, S... (RAKESH RANA)
Software Defect Prediction Techniques in the Automotive Domain: Evaluation, Selection and Adoption
PhD Defense, Göteborg, Sweden, Feb 2015
Get full text of publication at: http://rakeshrana.website/index.php/work/publications/
Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.
Finding Bugs, Fixing Bugs, Preventing Bugs — Exploiting Automated Tests to In... (University of Antwerp)
With the rise of agile development, software teams all over the world embrace faster release cycles as *the* way to incorporate customer feedback into product development processes. Yet, faster release cycles imply rethinking the traditional notion of software quality: agile teams must balance reliability (minimize known defects) against agility (maximize ease of change). This talk will explore the state-of-the-art in software test automation and the opportunities this may present for maintaining this balance. We will address questions like: Will our test suite detect critical defects early? If not, how can we improve our test suite? Where should we fix a defect?
(Keynote for the SHIFT 2020 and IWSF 2020 Workshops, October 2020)
A source code security audit is a powerful methodology for locating and removing security vulnerabilities. An audit can be used to (1) pass a potentially prioritized list of vulnerabilities to developers, (2) exploit vulnerabilities or (3) provide proofs-of-concept for potential vulnerabilities. Security audit research currently remains disjoint, with little discussion of the methodologies used in the field. This paper assembles a broad array of literature to promote standardizing source code security audit techniques. It then explores a case study using the aforementioned techniques.
The case study analyzes the security of a stable version of the Apache Traffic Server (ATS). The study takes a white to gray hat point of view as it reports vulnerabilities located by two popular proprietary tools, examines and connects potential vulnerabilities with a standard community-driven taxonomy, and describes the consequences of exploiting the vulnerabilities. A review of other security-driven case studies concludes this research.
Reproducible Crashes: Fuzzing Pharo by Mutating the Test Methods (University of Antwerp)
Fuzzing (or Fuzz Testing) is a technique to verify the robustness of a program-under-test. Valid input is replaced by random values with the goal to force the program-under-test into unresponsive states. In this position paper, we propose a white box Fuzzing approach by transforming (mutating) existing test methods. We adopt the mechanisms used for test amplification to generate crash inducing tests, which developers can reproduce later. We provide anecdotal evidence that our approach towards Fuzzing reveals crashing issues in the Pharo environment.
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache... (Achim D. Brucker)
Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows. Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e.g., an XSS attacker becomes more powerful. In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.
With the rise of agile development and the adoption of continuous integration, the software industry has seen an increasing interest in test automation. Many organizations invest in test automation but fail to reap the expected benefits, most likely due to a lack of test-automation maturity. In this talk, we present the results of a test automation maturity survey collecting responses of 151 practitioners coming from 101 organizations in 25 countries. We make observations regarding the state of the practice and provide a benchmark for assessing the maturity of an agile team. The benchmark resulted in a self-assessment tool for practitioners to be released under an open source license. An alpha version is presented herein. The research underpinning the survey has been conducted through the TESTOMAT project, a European project with 34 partners coming from 6 different countries.
(Presentation delivered at the Test Automation Days and the Testnet Autumn Event; October 2020)
Towards 0-bug software in the automotive industry (Ashley Zupkus)
What are the software safety and security standards that software developers in the automotive industry need to meet? How can safe, secure code be developed in accordance with the industry norms like ISO 26262, ISO 21434, and SOTIF? Experts specialized in the automotive industry will answer all your questions in this webinar dedicated to automotive software safety and security.
1. Latest safety and security standards for automotive software (ISO 26262, ISO 21434, and SOTIF) and how they impact software developers' work - Amin Amini, CertX
2. How to implement coding best practices to ensure the highest levels of safety & security in software in autonomous vehicles - Arnaud Telinge, EasyMile
3. How can code analysis tools be leveraged to help reach ISO 26262 and ISO 21434 demands more efficiently - Fabrice Derepas, TrustInSoft
Learn what formal methods are and how they make developing bug-free, impenetrable source code a possibility in this webinar by TrustInSoft, the leading provider of formal methods-based code analysis tools.
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media... (Amine Barrak)
Presentation of the Best Student Paper Award paper at CASCON 2018, entitled: Just-in-time Detection of Protection-Impacting Changes on WordPress and MediaWiki
Link to the paper: https://dl.acm.org/citation.cfm?id=3291310
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis... (Stefano Dalla Palma)
These slides describe the paper by Henning Perl et al. about a new method of finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. They combine code-metric analysis with metadata gathered from code repositories to help code review teams prioritize their work.
In today's increasingly digitalised world, software defects are enormously expensive. In 2018, the Consortium for IT Software Quality reported that software defects cost the global economy $2.84 trillion and affected more than 4 billion people. The average annual cost of software defects to Australian businesses is A$29 billion per year. Thus, failure to eliminate defects in safety-critical systems could result in serious injury to people, threats to life, death, and disasters. Traditionally, software quality assurance activities like testing and code review are widely adopted to discover software defects in a software product. However, ultra-large-scale systems such as Google's can consist of more than two billion lines of code, so exhaustively reviewing and testing every single line of code isn't feasible with limited time and resources. This project aims to create technologies that enable software engineers to produce the highest quality software systems with the lowest operational costs. To achieve this, this project will invent an end-to-end explainable AI platform to (1) understand the nature of critical defects; (2) predict and locate defects; (3) explain and visualise the characteristics of defects; (4) suggest potential patches to automatically fix defects; (5) integrate such a platform as a GitHub bot plugin.
Keynote VST2020 (Workshop on Validation, Analysis and Evolution of Software ... (University of Antwerp)
A keynote delivered for the 3rd Workshop on Validation, Analysis and Evolution of Software Tests, February 18, 2020, co-located with SANER 2020, London, Ontario, Canada. http://vst2020.scch.at
Abstract - With the rise of agile development, software teams all over the world embrace faster release cycles as *the* way to incorporate customer feedback into product development processes. Yet, faster release cycles imply rethinking the traditional notion of software quality: agile teams must balance reliability (minimize known defects) against agility (maximize ease of change). This talk will explore the state-of-the-art in software test automation and the opportunities this may present for maintaining this balance. We will address questions like: Will our test suite detect critical defects early? If not, how can we improve our test suite? Where should we fix a defect? The research underpinning all of this has been validated under "in vivo" circumstances through the TESTOMAT project, a European project with 34 partners coming from 6 different countries.
Implementation of reducing features to improve code change based bug predicti... (eSAT Journals)
Abstract. Today we see plenty of bugs in software because of variations in software and hardware technologies. Bugs are software faults, and they pose a severe challenge for system reliability and dependability. Bug prediction is a convenient approach to identifying bugs in software. To reveal the presence of a bug in a source code file, machine-learning classifier approaches have recently been developed. Because of the huge number of machine-learned features, current classifier-based bug prediction has two major problems: (i) inadequate precision for practical usage and (ii) long prediction time. In this paper we use two techniques: first, the cos-triage algorithm, which attempts to enhance the accuracy and lower the cost of bug prediction, and second, feature selection methods, which eliminate less significant features. Reducing features improves the quality of the knowledge extracted and also boosts the speed of computation. Keywords: Efficiency, Bug Prediction, Classification, Feature Selection, Accuracy
Find Out What's New With WhiteSource May 2018 - A WhiteSource Webinar (WhiteSource)
In our latest webinar, we learned about our latest product updates here at WhiteSource. We unveiled our new, revolutionary technology as well as highlighting other cool releases and enhancements.
Weeding your micro service landscape.pdf (timtebeek1)
New microservices often start from reference templates of other microservices. But when those copies drift apart, your landscape grows wild and becomes difficult to maintain. How do you whip your landscape back into shape?
The field of machine programming — the automation of the development of software — is making notable research advances. This is, in part, due to the emergence of a wide range of novel techniques in machine learning. In today’s technological landscape, software is integrated into almost everything we do, but maintaining software is a time-consuming and error-prone process. When fully realized, machine programming will enable everyone to express their creativity and develop their own software without writing a single line of code. Intel realizes the pioneering promise of machine programming, which is why it created the Machine Programming Research (MPR) team in Intel Labs. The MPR team’s goal is to create a society where everyone can create software, but machines will handle the “programming” part.
Automated server-side model for recognition of security vulnerabilities in sc... (IJECEIAES)
With the increase of global accessibility of web applications, maintaining a reasonable security level for both user data and server resources has become an extremely challenging issue. Therefore, static code analysis systems can help web developers to reduce time and cost. In this paper, a new static analysis model is proposed. This model is designed to discover the security problems in scripting languages. The proposed model is implemented in a prototype SCAT, which is a static code analysis tool. SCAT applies the phases of the proposed model to catch security vulnerabilities in PHP 5.3. Empirical results attest that the proposed prototype is feasible and is able to contribute to the security of real-world web applications. SCAT managed to detect 94% of security vulnerabilities found in the testing benchmarks; this clearly indicates that the proposed model is able to provide an effective solution to complicated web systems by offering benefits of securing private data for users and maintaining web application stability for web applications providers.
Just-in-time Detection of Protection-Impacting Changes on WordPress and MediaWiki
1. Just-in-time Detection of Protection-Impacting Changes on WordPress and MediaWiki
SWAT
Département de Génie Logiciel
École Polytechnique de Montréal
November 2018
Mohamed Amine Barrak
Director: Foutse Khomh
Co-Director: Giuliano Antoniol
2. Outline
• Problem statement
• Related studies
• Introduction and background
• Lack of existing work
• Case study design
• Case study results
• Summary and future works
7. What is Broken Access Control Risk?
Source: Direct Line Development Blog
8. Previous Studies
• M.-A. Laverdière and E. Merlo (2018). "Detection of protection-impacting changes during software evolution". SANER 2018.
• S. Georgios, A. Lefteris and T. Dimitrios (2017). "Assessment of vulnerability severity using text mining". ACM 2017.
• L. An and F. Khomh (2015a). "An empirical study of crash-inducing commits in Mozilla". PROMISE 2015.
10. Role-Based Access Control (RBAC)
Source: https://www.idenhaus.com/how-integrate-role-based-access-control-group-environment/
11. Role-Based Access Control (RBAC)
RBAC divides who can do what using groups and privileges.
[Figure: example roles (HR Manager, Developer, Product Manager) mapped to privileges (Commit-Code, View-Sprint, Create-Sprint, Hire, Approve-Budget, View-CVs, View-Performance, Commercialise product, Access to sales revenue)]
12. Code change causing a protection-impacting change
• Access control is implemented in the source code
• Code changes may affect privilege protection
[Figure: the same function foo() in Version A and Version B; the check added in B uses the application-specific stereotypical API current_user_can]
Version A (foo() is not protected):
    function foo() {
        // assumes privilege p1 held
    }
    foo();
Version B (foo() is protected for p1):
    function foo() {
        // assumes privilege p1 held
    }
    if (!current_user_can('p1')) die();
    foo();
13. How to detect lines of protection-impacting changes (existing tool)?
14. Pattern Traversal Flow Analysis (PTFA)
• Parse the source code into an Abstract Syntax Tree (AST)
• Convert the AST into intra-procedural Control Flow Graphs (CFGs), one per function
• Link the CFGs into an inter-procedural CFG
• PTFA traverses that graph to determine privilege protection on all execution paths
15. Definite Protection Difference (DPD)
• Occurs when the definite privilege protection of a statement s that is common to Version A and Version B differs between the two versions.
[Figure: the same change as on slide 12; the line marked + is added in Version B and uses the application-specific stereotypical API current_user_can]
Version A (foo() is not protected):
    function foo() {
        // assumes privilege p1 held
    }
    foo();
Version B (foo() is protected for p1):
    function foo() {
        // assumes privilege p1 held
    }
  + if (!current_user_can('p1')) die();
    foo();
18. Cost of a security defect related to the development process?
• Average cost of a data breach: $7.2M (lawsuits, loss of customer trust, damage to brand)
• Found during development: $80 / defect
• Found during build: $240 / defect
• Found during QA/test: $960 / defect
• Found in production: $7,600 / defect
Sources: Protecting Mission-Critical Source Code from Application Security Vulnerabilities (IBM study); Ponemon Institute; National Institute of Standards and Technology
19. Lack of Existing Work
• Delayed reporting of PIC lines: the tool takes almost 10 minutes to produce the PIC results for one release pair
• Cost of executing the tool after each modification of the source code
• Applied after the vulnerability has occurred and has already affected a large population of users
• Average cost of a data breach: $7.2M (lawsuits, loss of customer trust, damage to brand)
20. Our Goal: Prevention is better than a cure
• Automatically identify a protection-impacting change before it is introduced into the system
• Implement an automated, just-in-time tool for the coding phase
• Use the existing work (the PIC detection tool) as the basis for machine learning models
• Create automated, predictive models of protection-impacting changes
Source: http://ehealth.eletsonline.com/2016/08/preventive-cure-prevention-is-better-than-cure/
22. Choice of Projects for PIC analysis (CVE: Common Vulnerabilities and Exposures)
[Figure: WordPress vulnerabilities and MediaWiki vulnerabilities; both charts are annotated "High percentage"]
25. How we choose release pairs for PIC detection
• Manual analysis of the release tree
  – Verify the software configuration management the project adopted
  – Choose consecutive versions to minimise the complexity of the analysis
  – Make sure that the two versions of a pair are not on different branches
Attention: several studies compare the source code of a system without paying attention to unrelated branches.
[Figure: WordPress release tree with the parallel maintenance branches 3.7.1 to 3.7.7, 3.8.0 to 3.8.5 and 3.9.0 to 3.9.1; consecutive releases are paired within a branch]
26. Data Collection
• The analysis includes
  – 211 release pairs of WordPress (2.0 to 4.7.3)
  – 193 release pairs of MediaWiki (1.5.0 to 1.29.2)
• Mature open source systems (WordPress and MediaWiki)
  – Long release history and available archive
  – Implement the RBAC approach
  – Large code base (LOC)
27. Protection-Impacting Change Lines
• Run the protection-impacting changes tool to report protection-impacting lines
• Results are readable for the end user, one row per finding:
  – V1 V2 gain/loss filename line_number
• The reported PIC lines are used as the oracle
28. From PIC lines to PIC commits
• From a protection-impacting line to the PIC commit
  – B: bifurcation point between V1 and V2
  – C': last commit that modified line_number between V1 and V2
• Commit that modified privilege protection
  – git blame -L line_number,line_number B..C' -- filename
• Commit that removed privilege protection
  – git blame --reverse -L line_number,line_number B..C' -- filename
29. From PIC lines to PIC commits
• Example:
  – V1: 2.0.2, V2: 2.0.3
  – B: ba8bb5af9e
  – C': e1172126a1
  – Modified line: 11
  – Deleted line: 213
  – Modified file: user-edit.php
• Commit that modified privilege protection
  git blame -L 11,11 ba8bb5af9e..e1172126a1 -- user-edit.php
• Commit that removed privilege protection
  git blame --reverse -L 213,213 ba8bb5af9e..e1172126a1 -- user-edit.php
[Figure: commit graph showing the bifurcation point between V1 and V2]
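The two blame invocations above can be driven from a script rather than read by eye. The code below is an added example, not the thesis's tooling: it builds the commands for one line and parses `git blame --line-porcelain` output. Two caveats from the git documentation are worth keeping in mind: `-L n,n` restricts the annotation to line n, whereas a bare `-L n` annotates from n to the end of the file; and with `--reverse` git reports the last commit in which the line still existed, so the commit that actually removed the protection is a descendant of the reported one. The sample porcelain output, its 40-hex SHA, author and summary are constructed placeholders, not real WordPress history.

```python
"""Recover the commit behind a protection-impacting line with git blame.

Added example; it is not the thesis's tooling. blame_command() builds the two
invocations from the slides, and parse_line_porcelain() reads `git blame
--line-porcelain` output so a script can consume the result. SAMPLE_BLAME is
constructed: the SHA, author and summary are placeholders.
"""
import re
from dataclasses import dataclass


def blame_command(line_no, bifurcation, last_commit, filename, reverse=False):
    """git blame for exactly one line of `filename` in the range B..C'.

    -L n,n restricts the annotation to line n; a bare -L n would annotate
    from n to the end of the file. With --reverse, git reports the last
    commit in which the line still existed; the removal is a descendant."""
    cmd = ["git", "blame", "--line-porcelain"]
    if reverse:
        cmd.append("--reverse")
    cmd += ["-L", f"{line_no},{line_no}", f"{bifurcation}..{last_commit}",
            "--", filename]
    return cmd


@dataclass(frozen=True)
class BlameEntry:
    commit: str
    final_line: int     # line number at the newer end of the range
    author: str
    summary: str
    content: str


HEADER = re.compile(r"^([0-9a-f]{40}) (\d+) (\d+)(?: (\d+))?$")


def parse_line_porcelain(text):
    """Parse --line-porcelain output: a header line, key/value lines, then a
    TAB-prefixed source line, repeated once per annotated line."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            raise ValueError(f"unexpected blame header: {lines[i]!r}")
        commit, final_line = m.group(1), int(m.group(3))
        fields, i = {}, i + 1
        while i < len(lines) and not lines[i].startswith("\t"):
            key, _, value = lines[i].partition(" ")
            fields[key] = value
            i += 1
        content = lines[i][1:] if i < len(lines) else ""
        i += 1
        entries.append(BlameEntry(commit, final_line, fields.get("author", ""),
                                  fields.get("summary", ""), content))
    return entries


def pic_commit(blame_output, line_no):
    """SHA of the commit that last touched `line_no`, or None if not annotated."""
    for entry in parse_line_porcelain(blame_output):
        if entry.final_line == line_no:
            return entry.commit
    return None


# Constructed output of: git blame --line-porcelain -L 11,11 B..C' -- user-edit.php
SAMPLE_BLAME = (
    "0123456789abcdef0123456789abcdef01234567 9 11 1\n"
    "author Example Dev\n"
    "author-mail <dev@example.invalid>\n"
    "author-time 1150000000\n"
    "author-tz +0000\n"
    "committer Example Dev\n"
    "committer-mail <dev@example.invalid>\n"
    "committer-time 1150000000\n"
    "committer-tz +0000\n"
    "summary Require edit_users before editing a profile (constructed)\n"
    "filename user-edit.php\n"
    "\tif ( !current_user_can('edit_users') ) die();\n"
)

if __name__ == "__main__":
    print(" ".join(blame_command(11, "ba8bb5af9e", "e1172126a1", "user-edit.php")))
    print(" ".join(blame_command(213, "ba8bb5af9e", "e1172126a1", "user-edit.php",
                                 reverse=True)))
    print("PIC commit for line 11:", pic_commit(SAMPLE_BLAME, 11))
```

In a real pipeline the command list is passed to subprocess.run with the repository as the working directory and its stdout handed to pic_commit(); the porcelain format is used because it is stable across git versions and does not depend on the user's blame display settings.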
31. Commit log metrics (structure of the commit)
• Date (week day, day of the month, month)
• Author experience
• Commit size:
  – Number of changed files
  – Number of added and deleted lines
• Message size
• Is it a bug fix?
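As an added illustration of how the commit-log metrics listed above can be extracted from a repository history (example code, not the feature-extraction scripts used in the thesis), the script below parses a `git log --numstat` listing produced with a fixed `--pretty=format` header line. The log text, SHAs and author names are constructed, and the bug-fix keyword heuristic is an assumption of this example rather than the thesis's definition.

```python
"""Just-in-time commit-log metrics for PIC prediction.

Added example; the thesis's own feature-extraction scripts are not on the
page. It parses the output of
    git log --reverse --date=iso-strict --numstat \\
            --pretty=format:'COMMIT%x09%H%x09%an%x09%ad%x09%s'
(oldest first, so author experience can be counted as earlier commits by the
same author) and derives the commit-level features listed on the slide.
LOG_TEXT is constructed; the bug-fix keyword list is an assumption of this
example, not the thesis's definition.
"""
import re
from dataclasses import dataclass
from datetime import datetime

BUGFIX = re.compile(r"\b(fix(?:es|ed)?|bug|defect|regression)\b", re.IGNORECASE)


@dataclass(frozen=True)
class CommitMetrics:
    sha: str
    author: str
    weekday: int            # 0 = Monday ... 6 = Sunday
    month_day: int
    month: int
    author_experience: int  # commits by this author earlier in the log
    files_changed: int
    lines_added: int
    lines_deleted: int
    message_size: int       # words in the subject line
    is_bug_fix: bool


def parse_git_log(text):
    """Group 'COMMIT' header lines with the --numstat rows that follow them."""
    commits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split("\t", 4)
        if parts[0] == "COMMIT":
            _, sha, author, date, subject = parts
            commits.append({"sha": sha, "author": author, "date": date,
                            "subject": subject, "files": []})
        else:
            added, deleted, path = parts          # '-' marks a binary file
            commits[-1]["files"].append((path,
                                         0 if added == "-" else int(added),
                                         0 if deleted == "-" else int(deleted)))
    return commits


def commit_metrics(text):
    """One CommitMetrics per commit, in log (chronological) order."""
    seen = {}   # author -> commits already processed
    rows = []
    for c in parse_git_log(text):
        when = datetime.fromisoformat(c["date"])
        experience = seen.get(c["author"], 0)
        seen[c["author"]] = experience + 1
        rows.append(CommitMetrics(
            sha=c["sha"], author=c["author"],
            weekday=when.weekday(), month_day=when.day, month=when.month,
            author_experience=experience,
            files_changed=len(c["files"]),
            lines_added=sum(a for _, a, _ in c["files"]),
            lines_deleted=sum(d for _, _, d in c["files"]),
            message_size=len(c["subject"].split()),
            is_bug_fix=bool(BUGFIX.search(c["subject"]))))
    return rows


# Constructed log (placeholder SHAs and authors, not WordPress history)
LOG_TEXT = (
    "COMMIT\taaaa0001\tAlice\t2016-05-12T14:03:22+00:00\t"
    "Add capability check before deleting attachments\n"
    "12\t3\twp-admin/post.php\n"
    "4\t0\twp-includes/post.php\n"
    "\n"
    "COMMIT\tbbbb0002\tBob\t2016-05-13T09:20:00+00:00\tFix typo in help text\n"
    "1\t1\twp-admin/edit.php\n"
    "\n"
    "COMMIT\tcccc0003\tAlice\t2016-05-14T18:45:10+00:00\tUpdate bundled logo\n"
    "-\t-\twp-admin/images/logo.png\n"
)

if __name__ == "__main__":
    for m in commit_metrics(LOG_TEXT):
        print(m)
```

Author experience is computed from the log itself, so the log must cover the project history up to the commit being scored, and it must be read oldest-first (`--reverse`); scoring a commit with experience computed from later commits would leak future information into a just-in-time model.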
32. Code complexity metrics (code quality)
• Understand tool (source code analysis and metrics)
  – LOC
  – McCabe cyclomatic complexity
  – Maximum nesting
  – Number of declarative statements
  – Number of functions
  – Number of blank lines
  – Ratio of comment lines over all lines in a file
33. Research Questions
RQ1) What is the proportion of protection-impacting changes in WordPress and MediaWiki?
RQ2) What are the characteristics of protection-impacting changes?
RQ3) To what extent can we predict protection-impacting changes?
RQ4) Why do machine learning models misclassify some protection-impacting changes?
35. RQ1: What is the proportion of protection-impacting changes in WordPress and MediaWiki?
36. Proportion of protection-impacting commits in WordPress and MediaWiki
A PIC commit does not mean that all of its changed lines are vulnerable.
Software developers should strive to catch PIC commits as soon as possible.
37. RQ2: What are the characteristics of protection-impacting changes?
38. Characteristics of PIC commits
Metric                 | WordPress PIC | WordPress Non-PIC | MediaWiki PIC | MediaWiki Non-PIC
Message size           | 19            | 15                | 27            | 18
Author experience      | 1531          | 1343              | 1378          | 1012
Cyclomatic complexity  | 9.9           | 7.9               | 2.4           | 2.2
Max nesting            | 3.6           | 3.4               | 3.3           | 1.6
Declarative statements | 42.1          | 37.7              | 57.3          | 27.8
Is bug fix             | 20%           | 21.7%             | 29.4%         | 23.4%
NB: more results are in the paper.
39. RQ3: To what extent can we predict protection-impacting changes?
40. Steps of building the machine learning infrastructure
Source: https://www.7wdata.be/big-data/building-the-machine-learning-infrastructure/
• Eliminate collinearity between variables using the Variance Inflation Factor (VIF)
• Divide the dataset into training and test sets using 10-fold cross-validation
• Apply machine learning algorithms to predict the PIC variable
• Evaluate the models by reporting precision, recall, accuracy, etc.
41. Machine Learning Algorithm Results
Random Forest achieves the best prediction performance in both projects.
42. RQ4: Why do machine learning models misclassify some protection-impacting changes?
43. Qualitative observations of wrongly classified commits
Adding more information to the model should increase its prediction performance.
44. Conclusion
There is a high proportion of PIC commits that engineers should take care of.
PIC commits are submitted by experienced developers; they carry longer commit messages and make complex changes to files.
PIC commits can be predicted with high accuracy using ML algorithms; the work is then refined by a qualitative analysis of the causes of misclassification.
45. Future Work
Introduce new security metrics, such as developer activity metrics, to improve the models.
Improve the current models by ignoring commits that only bump a version field or change JS, HTML or CSS files.
Expand the research beyond PHP software systems, and with more oracle systems.
47. Related Papers
• Paper 1: "Searching for a Needle in a Haystack: Predicting Security Vulnerabilities for Windows Vista"
  – Empirically evaluates the efficacy of classical metrics (complexity, churn, coverage, dependency measures and the organisational structure of the company) for predicting vulnerabilities, and assesses how well these software measures correlate with vulnerabilities.
49. CVE Tickets in WordPress about Access Control
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.
Editor's Notes
Not a robot attack
Continuation of existing work
Better look at the problem
Minimise false positives and false negatives
A Broken Access Control term could be used to describe a cyber vulnerability which represents a lack of access rights check to the requested object. Web applications check the access rights before displaying the data to the user. However, the applications should also run an access rights check when any function is requested. For example, let’s pass upon an asynchronous loading. If it’s not performed, a talented hacker can fake a request and inevitably gain access to the private data. Fortunately, it can be avoided by setting the access rights check for all the stages of the receiving the data process. Or by calling us here at Direct Line Development!
Previous studies operate at the granularity of release pairs, report the PIC lines and take many minutes to complete. In our paper, we identified the commits responsible for inducing PIC lines and built predictive models for protection-impacting changes that operate at the commit granularity.
Their models can only be applied after the vulnerability has occurred and already affected a large population of users, which differs from our analysis, where we study the appearance of protection-impacting changes and predict them at the commit level, before they are merged into the source code.
This study is closely related to ours: they studied crash-inducing commits at the commit granularity, created just-in-time prediction models, and then studied the causes of misclassified commits. But, as far as we know, this is the first study that uses just-in-time prediction techniques for the identification of protection-impacting changes.
current_user_can( $capability ) will always return true if the user is a Super Admin, unless specifically denied - see inline source code on
Add a picture to show what a version is and what the differences in protection are!
Show the ticket code of vulnerability cve-…
Add versions and source code input to the figure
Add the several lack of
Average cost of a data breach: $7.2M** from lawsuits, loss of customer trust, damage to brand (cite such a study)
What is the relation between gain information and broken access control?
Backup slide to show why we chose these two repositories
In this conventional model, the code branches when the release engineer delivers a new release. The new branch serves as the baseline for continuing development while the old branch—the code's baseline historical reference—is left behind
The release engineer spins off new branches for specific purposes such as alpha and beta testing, but development work remains on the main development line.
Show the figure of releases generation with commits from graph result, and line of code that determine point of biffurcation
Protection-impacting changes could occur on a specific date
Show more details about the metrics we chose and why we didn't choose other metrics
Show the metrics that Bram mentioned as future work
Explain each metric in detail, even those related to code quality
Change these results to boxplots
Explain why author experience is higher in PIC commits: the changes in these commits touch delicate parts of the program
Same for message size
In MediaWiki, we see that PIC commits are more likely to be bug fixes: the developer was fixing a bug and, in doing so, changed some lines related to privilege protection
Commits that are PIC have more nested functionality and a higher McCabe cyclomatic complexity, which shows that the files those commits touched are more complex and contain more tests (if, case, for, ...)
Declarative statements: since PIC commits tend to be more complex, they have more declarative statements, a metric that reflects the number of variable declarations
Change the figure to something that supports the talk
Show only precision and recall
Change to box plot
What does "modified a version field" mean? Give an example
Add as future work the new metrics from Bram's talk
It allows corrections at an earlier stage of the software development process, when the cost of correction is low.
M.Sc.