Tue 10 May 2022 11:20 - 11:25 at ICSE room 4-odd hours - Software Security 7 Chair(s): Diomidis Spinellis
Tue 10 May 2022 21:20 - 21:25 at ICSE room 2-odd hours - Software Security 4 Chair(s): Hamid Bagheri
Thu 26 May 2022 09:25 - 09:30 at Room 306+307 - Papers 10: Software Security 1 Chair(s): Joshua Garcia
Tue 10 May 2022 21:20 - 21:25 at ICSE room 2-odd hours - Software Security 4 Chair(s): Hamid Bagheri
Thu 26 May 2022 09:25 - 09:30 at Room 306+307 - Papers 10: Software Security 1 Chair(s): Joshua Garcia
Web-based software services use server-side input sanitization to guard against harmful input. Web services sometimes publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Many services share the regexes they use to sanitize input strings — and regex-based denial of service (ReDoS) is an emerging threat. Recent service outages caused by ReDoS spurred interest in this topic. We know little about the degree to which live web services are vulnerable to ReDoS.
In this paper, we conduct the first black-box study measuring the extent of ReDoS vulnerabilities in live web services. We apply the Consistent Sanitization Hypothesis: that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server-side.We identify a service’s regex-based client-side input sanitization in its HTML forms or its API, find vulnerable regexes among these regexes, craft ReDoS probes, and pinpoint ReDoS vulnerabilities. We analyzed the HTML forms of 1,000 services and the APIs of 475 services. Of these, 355 services publish regexes; 17 services publish unsafe regexes; and 6 services are vulnerable to ReDoS (6 domains; 15 subdomains). One service was patched as a result of our disclosure. Since these vulnerabilities were from API specifications, not HTML forms, we proposed a ReDoS defense for a popular API validation library. To summarize: through their client-visible sanitization logic, some web services advertise their ReDoS vulnerabilities in plain sight. Our results motivate short-term patches and long-term fundamental solutions.
Tue 10 MayDisplayed time zone: Eastern Time (US & Canada) change
Tue 10 May
Displayed time zone: Eastern Time (US & Canada) change
11:00 - 12:00 | Software Security 7Journal-First Papers / Technical Track at ICSE room 4-odd hours Chair(s): Diomidis Spinellis Athens University of Economics and Business; Delft University of Technology | ||
11:00 5mTalk | The Case for Adaptive Security Interventions Journal-First Papers Irum Rauf The Open University, UK, Marian Petre The Open University, Thein Tun , Tamara Lopez The Open University, Paul Lunn The University of Manchester, UK, Dirk van der Linden Northumbria University, John Towse Department of Psychology, University of Lancaster, UK, Helen Sharp The Open University, Mark Levine Lancaster University, Awais Rashid University of Bristol, UK, Bashar Nuseibeh The Open University (UK) & Lero (Ireland) Link to publication DOI Pre-print Media Attached | ||
11:05 5mTalk | Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite Journal-First Papers Andreas Dann Paderborn University, Henrik Plate SAP Security Research, France, Ben Hermann Technical University Dortmund, Serena Elisa Ponta SAP Security Research, France, Eric Bodden University of Paderborn; Fraunhofer IEM Link to publication DOI Pre-print Media Attached | ||
11:10 5mTalk | The Extent of Orphan Vulnerabilities from Code Reuse in Open Source SoftwareNominated for Distinguished Paper Technical Track David Reid University of Tennessee, Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, Audris Mockus The University of Tennessee DOI Pre-print Media Attached | ||
11:15 5mTalk | Practical Automated Detection of Malicious npm Packages Technical Track Pre-print Media Attached | ||
11:20 5mTalk | Exploiting Input Sanitization for Regex Denial of Service Technical Track DOI Pre-print Media Attached | ||
11:25 5mTalk | Hiding Critical Program Components via Ambiguous Translation Technical Track Chijung Jung University of Virginia, Doowon Kim University of Tennessee, Knoxville, An Chen University of Georgia, Weihang Wang University at Buffalo, SUNY, Yunhui Zheng IBM Research, Kyu Hyung Lee University of Georgia, Yonghwi Kwon University of Virginia Pre-print Media Attached | ||
21:00 - 22:00 | Software Security 4Journal-First Papers / Technical Track at ICSE room 2-odd hours Chair(s): Hamid Bagheri University of Nebraska-Lincoln | ||
21:00 5mTalk | Out of Sight, Out of Mind? How Vulnerable Dependencies Affect Open-Source Projects Journal-First Papers Gede Artha Azriadi Prana Singapore Management University, Abhishek Sharma Veracode, Inc., Lwin Khin Shar Singapore Management University, Darius Foo National University of Singapore, Andrew Santosa Veracode, Inc., Asankhaya Sharma Veracode, Inc., David Lo Singapore Management University Pre-print Media Attached | ||
21:05 5mTalk | Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite Journal-First Papers Andreas Dann Paderborn University, Henrik Plate SAP Security Research, France, Ben Hermann Technical University Dortmund, Serena Elisa Ponta SAP Security Research, France, Eric Bodden University of Paderborn; Fraunhofer IEM Link to publication DOI Pre-print Media Attached | ||
21:10 5mTalk | DeFault: Mutual Information-based Crash Triage for Massive Crashes Technical Track Xing Zhang National University of Defense Technology, Jiongyi Chen National University of Defense Technology, Chao Feng National University of Defense Technology, Ruilin Li National University of Defense Technolog, Wenrui Diao Shandong University, Kehuan Zhang The Chinese University of Hong Kong Pre-print Media Attached | ||
21:15 5mTalk | Practical Automated Detection of Malicious npm Packages Technical Track Pre-print Media Attached | ||
21:20 5mTalk | Exploiting Input Sanitization for Regex Denial of Service Technical Track DOI Pre-print Media Attached | ||
21:25 5mTalk | Hiding Critical Program Components via Ambiguous Translation Technical Track Chijung Jung University of Virginia, Doowon Kim University of Tennessee, Knoxville, An Chen University of Georgia, Weihang Wang University at Buffalo, SUNY, Yunhui Zheng IBM Research, Kyu Hyung Lee University of Georgia, Yonghwi Kwon University of Virginia Pre-print Media Attached | ||
Thu 26 MayDisplayed time zone: Eastern Time (US & Canada) change
Thu 26 May
Displayed time zone: Eastern Time (US & Canada) change
09:00 - 10:30 | Papers 10: Software Security 1Technical Track / SEIP - Software Engineering in Practice / Journal-First Papers at Room 306+307 Chair(s): Joshua Garcia University of California, Irvine | ||
09:00 5mTalk | The Case for Adaptive Security Interventions Journal-First Papers Irum Rauf The Open University, UK, Marian Petre The Open University, Thein Tun , Tamara Lopez The Open University, Paul Lunn The University of Manchester, UK, Dirk van der Linden Northumbria University, John Towse Department of Psychology, University of Lancaster, UK, Helen Sharp The Open University, Mark Levine Lancaster University, Awais Rashid University of Bristol, UK, Bashar Nuseibeh The Open University (UK) & Lero (Ireland) Link to publication DOI Pre-print Media Attached | ||
09:05 5mTalk | Out of Sight, Out of Mind? How Vulnerable Dependencies Affect Open-Source Projects Journal-First Papers Gede Artha Azriadi Prana Singapore Management University, Abhishek Sharma Veracode, Inc., Lwin Khin Shar Singapore Management University, Darius Foo National University of Singapore, Andrew Santosa Veracode, Inc., Asankhaya Sharma Veracode, Inc., David Lo Singapore Management University Pre-print Media Attached | ||
09:10 5mTalk | VulCNN: An Image-inspired Scalable Vulnerability Detection System Technical Track Yueming Wu Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Shihan Dou Huazhong University of Science and Technology, Wei Yang University of Texas at Dallas, Duo Xu Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology DOI Pre-print Media Attached | ||
09:15 5mTalk | Deep Learning based Vulnerability Detection: Are We There Yet? Journal-First Papers Saikat Chakraborty Columbia University, Rahul Krishna IBM Research, Yangruibo Ding Columbia University, Baishakhi Ray Columbia University Link to publication DOI Media Attached | ||
09:20 5mTalk | Practical Automated Detection of Malicious npm Packages Technical Track Pre-print Media Attached | ||
09:25 5mTalk | Exploiting Input Sanitization for Regex Denial of Service Technical Track DOI Pre-print Media Attached | ||
09:30 5mTalk | What are Weak Links in the npm Supply Chain? SEIP - Software Engineering in Practice Nusrat Zahan North Carolina State University, Laurie Williams North Carolina State University, Thomas Zimmermann Microsoft Research, Patrice Godefroid Microsoft Research, USA, Brendan Murphy Microsoft Research, Chandra Sekhar Maddila Microsoft Research Pre-print Media Attached | ||
09:35 5mTalk | Rotten Apples Spoil the Bunch: An Anatomy of Google Play Malware Technical Track Michael Cao University of British Columbia, Khaled Ahmed University of British Columbia (UBC), Julia Rubin University of British Columbia Pre-print Media Attached | ||
09:40 5mTalk | What the Fork? Finding Hidden Code Clones in npm Technical Track Elizabeth Wyss University of Kansas, Lorenzo De Carli Worcester Polytechnic Institute, Drew Davidson University of Kansas DOI Pre-print Media Attached | ||
Information for Participants
Tue 10 May 2022 11:00 - 12:00 at ICSE room 4-odd hours - Software Security 7 Chair(s): Diomidis Spinellis
Info for room ICSE room 4-odd hours:
Tue 10 May 2022 21:00 - 22:00 at ICSE room 2-odd hours - Software Security 4 Chair(s): Hamid Bagheri
Info for room ICSE room 2-odd hours: