ASE 2023
Mon 11 - Fri 15 September 2023 Kirchberg, Luxembourg
Tue 12 Sep 2023 14:18 - 14:30 at Room E - Vulnerability and Security 1 Chair(s): Fatemeh Hendijani Fard

Software vulnerabilities are weaknesses in source code that can potentially be exploited to cause loss or harm. While researchers have devised a number of methods to deal with vulnerabilities, there is still a noticeable lack of knowledge about their software engineering life cycle, for example how vulnerabilities are introduced and removed by developers. This information can be used to design more effective methods for vulnerability prevention and detection, as well as to understand the granularity at which these methods should aim. To investigate the life cycle of known software vulnerabilities, we focus on how, when, and under which circumstances the contributions to the introduction of vulnerabilities in software projects are made, as well as how long they persist and how they are removed. We consider 3,663 vulnerabilities with public patches from the National Vulnerability Database, pertaining to 1,096 open-source software projects on GitHub, and define an eight-step process involving both automated parts (e.g., a procedure based on the SZZ algorithm to find the vulnerability-contributing commits) and manual analyses (e.g., how vulnerabilities were fixed). The investigated vulnerabilities can be classified into 144 categories, take on average at least 4 contributing commits before being introduced, and half of them remain unfixed for more than one year. Most of the contributions are made by developers with a high workload, often during maintenance activities, and vulnerabilities are mostly removed by adding new source code that implements further checks on inputs. We conclude by distilling practical implications on how vulnerability detectors should work to assist developers in identifying these issues in a timely manner.

Tue 12 Sep

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

13:30 - 15:00
Vulnerability and Security 1 (Research Papers / Journal-first Papers) at Room E
Chair(s): Fatemeh Hendijani Fard (University of British Columbia)
13:30
12m
Talk
A Needle is an Outlier in a Haystack: Hunting Malicious PyPI Packages with Code Clustering
Research Papers
Wentao Liang (Institute of Software, Chinese Academy of Sciences), Xiang Ling (Institute of Software, Chinese Academy of Sciences), Jingzheng Wu (Institute of Software, The Chinese Academy of Sciences), Tianyue Luo (Institute of Software, Chinese Academy of Sciences), Yanjun Wu (Institute of Software, Chinese Academy of Sciences)
13:42
12m
Talk
Merge-Replay: Efficient IFDS-Based Taint Analysis by Consolidating Equivalent Value Flows (ACM Distinguished Paper)
Research Papers
Yujiang Gui (UNSW Sydney), Dongjie He (UNSW), Jingling Xue (UNSW)
13:54
12m
Talk
Learning to Locate and Describe Vulnerabilities
Research Papers
Jian Zhang (Nanyang Technological University), Shangqing Liu (Nanyang Technological University), Xu Wang (Beihang University), Li Tianlin (Nanyang Technological University), Yang Liu (Nanyang Technological University)
14:06
12m
Talk
When Less is Enough: Positive and Unlabeled Learning Model for Vulnerability Detection
Research Papers
Xin-Cheng Wen (Harbin Institute of Technology), Xinchen Wang (Harbin Institute of Technology), Cuiyun Gao (Harbin Institute of Technology), Shaohua Wang (New Jersey Institute of Technology), Yang Liu (Nanyang Technological University), Zhaoquan Gu (Harbin Institute of Technology)
14:18
12m
Talk
The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study
Journal-first Papers
Emanuele Iannone (University of Salerno), Roberta Guadagni (University of Salerno), Filomena Ferrucci (University of Salerno), Andrea De Lucia (University of Salerno), Fabio Palomba (University of Salerno)
14:30
12m
Talk
SCPatcher: Mining Crowd Security Discussions to Enrich Secure Coding Practices
Research Papers
Ziyou Jiang (Institute of Software at Chinese Academy of Sciences), Lin Shi (Beihang University), Guowei Yang (University of Queensland), Qing Wang (Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences)