Write a Blog >>
ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
Wed 23 Sep 2020 01:10 - 01:30 at Platypus - Software Security and Trust (1) Chair(s): Christoph Csallner

Vendors who wish to provide software or services to large corporations and governments must often obtain numerous certificates of compliance. Each certificate asserts that the software satisfies a compliance regime, like SOC or the PCI DSS, to protect the privacy and security of sensitive data. Manual compliance audits of source code (the industry standard) are expensive, error-prone, partial, and prone to regressions.

We propose \emph{continuous compliance} to guarantee that the codebase stays compliant on each code change using lightweight verification tools. Continuous compliance increases assurance and reduces cost in the domain of source-code compliance.

We evaluated continuous compliance by building and deploying verification tools for five common audit controls related to data security: cryptographically unsafe algorithms must not be used, keys must be at least 256 bits long, credentials must not be hard-coded into program text, HTTPS must always be used instead of HTTP, and cloud data stores must not be world-readable. We report on our experience deploying these verification tools at a large company, where they are integrated into the compliance process (including auditors accepting their output as evidence) and have been run on over 68 million lines of code. We open-sourced our tools and applied them to over 5 million lines of open-source software. Compared to other publicly-available tools for detecting misuses of encryption, only ours are suitable for continuous compliance.

Wed 23 Sep

Displayed time zone: (UTC) Coordinated Universal Time change

01:10 - 02:10
Software Security and Trust (1) NIER track / Tool Demonstrations / Research Papers at Platypus
Chair(s): Christoph Csallner University of Texas at Arlington
01:10
20m
Talk
Continuous ComplianceExperience
Research Papers
Martin Kellogg University of Washington, Seattle, Martin Schäf Amazon Web Services, Serdar Tasiran Amazon Web Services, Michael D. Ernst University of Washington, USA
01:30
20m
Talk
SADT: Syntax-Aware Differential Testing of Certificate Validation in SSL/TLS Implementions
Research Papers
Lili Quan College of Intelligence and Computing,Tianjin University, Qianyu Guo College of Intelligence and Computing, Tianjin University, Hongxu Chen Research Associate, xiexiaofei , Li Xiaohong TianJin University, Yang Liu Nanyang Technological University, Singapore, Jing Hu Tianjin Key Laboratory of Advanced Networking (TANK), College of Intelligence and Computing,Tianjin University
01:50
10m
Talk
A Hybrid Analysis to Detect Java Serialisation Vulnerabilities
NIER track
Shawn Rasheed Massey University, Jens Dietrich Victoria University of Wellington
02:00
10m
Talk
EXPRESS: An Energy-Efficient and Secure Framework for Mobile Edge Computing and Blockchain based Smart Systems
Tool Demonstrations
Jia Xu School of Computer Science and Technology, Anhui University, Xiao Liu School of Information Technology, Deakin University, Xuejun Li School of Computer Science and Technology, Anhui University, Lei Zhang Antwork Robotics Co., Ltm., Hangzhou, China, Yun Yang Swinburne University of Technology