ICSE 2022
Sun 8 - Fri 27 May 2022
Tue 10 May 2022 11:10 - 11:15 at ICSE room 4-odd hours - Software Security 7 Chair(s): Diomidis Spinellis
Wed 11 May 2022 22:15 - 22:20 at ICSE room 2-even hours - Software Security 6 Chair(s): Travis Breaux

Motivation: A key premise of open source software is the ability to copy code into other open source projects (white-box reuse). Such copying accelerates the development of new projects, but code flaws in the original projects, such as vulnerabilities, may also spread, even if they are later fixed in the projects from which the code was appropriated. The extent to which vulnerabilities spread through code reuse, the potential impact of such spread, and avenues for mitigating the risk of these secondary vulnerabilities have not been studied in the context of a nearly complete collection of open source code.

Aim: We aim to find ways to detect the white-box reuse induced vulnerabilities, determine how prevalent they are, and explore how they may be addressed.

Method: We rely on the World of Code infrastructure, which provides a curated and cross-referenced collection of nearly all open source software, to conduct a case study of a few known vulnerabilities. To conduct the case study we develop a tool, VDiOS, that helps identify and fix white-box-reuse-induced vulnerabilities that have already been patched in the original projects (orphan vulnerabilities).

Results: We find numerous instances of orphan vulnerabilities, even in currently active and highly popular projects (over 1K stars). Even apparently inactive projects remain publicly available for others to use, spreading the vulnerability further. The often long delay in fixing orphan vulnerabilities, even in highly popular projects, increases the chance of their spreading to new projects. We provided patches to a number of project maintainers and found that only a small percentage accepted and applied the patch. We hope that VDiOS will lead to further study and mitigation of risks from orphan vulnerabilities and other orphan code flaws.

Tue 10 May

Displayed time zone: Eastern Time (US & Canada)

11:00 - 12:00
Software Security 7 (Journal-First Papers / Technical Track) at ICSE room 4-odd hours
Chair(s): Diomidis Spinellis Athens University of Economics and Business; Delft University of Technology
11:00
5m
Talk
The Case for Adaptive Security Interventions
Journal-First Papers
Irum Rauf The Open University, UK, Marian Petre The Open University, Thein Tun, Tamara Lopez The Open University, Paul Lunn The University of Manchester, UK, Dirk van der Linden Northumbria University, John Towse Department of Psychology, University of Lancaster, UK, Helen Sharp The Open University, Mark Levine Lancaster University, Awais Rashid University of Bristol, UK, Bashar Nuseibeh The Open University (UK) & Lero (Ireland)
Link to publication DOI Pre-print Media Attached
11:05
5m
Talk
Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite
Journal-First Papers
Andreas Dann Paderborn University, Henrik Plate SAP Security Research, France, Ben Hermann Technical University Dortmund, Serena Elisa Ponta SAP Security Research, France, Eric Bodden University of Paderborn; Fraunhofer IEM
Link to publication DOI Pre-print Media Attached
11:10
5m
Talk
The Extent of Orphan Vulnerabilities from Code Reuse in Open Source Software (Nominated for Distinguished Paper)
Technical Track
David Reid University of Tennessee, Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, Audris Mockus The University of Tennessee
DOI Pre-print Media Attached
11:15
5m
Talk
Practical Automated Detection of Malicious npm Packages
Technical Track
Adriana Sejfia University of Southern California, Max Schaefer GitHub, Inc.
Pre-print Media Attached
11:20
5m
Talk
Exploiting Input Sanitization for Regex Denial of Service
Technical Track
Efe Barlas Purdue University, Xin Du Purdue University, James C. Davis Purdue University, USA
DOI Pre-print Media Attached
11:25
5m
Talk
Hiding Critical Program Components via Ambiguous Translation
Technical Track
Chijung Jung University of Virginia, Doowon Kim University of Tennessee, Knoxville, An Chen University of Georgia, Weihang Wang University at Buffalo, SUNY, Yunhui Zheng IBM Research, Kyu Hyung Lee University of Georgia, Yonghwi Kwon University of Virginia
Pre-print Media Attached

Wed 11 May

Displayed time zone: Eastern Time (US & Canada)

22:00 - 23:00
Software Security 6 (Technical Track / Journal-First Papers) at ICSE room 2-even hours
Chair(s): Travis Breaux Carnegie Mellon University
22:00
5m
Talk
Lags in the release, adoption, and propagation of npm vulnerability fixes
Journal-First Papers
Bodin Chinthanet Nara Institute of Science and Technology, Raula Gaikovina Kula Nara Institute of Science and Technology, Shane McIntosh University of Waterloo, Takashi Ishio Nara Institute of Science and Technology, Akinori Ihara Wakayama University, Kenichi Matsumoto Nara Institute of Science and Technology
Link to publication DOI Pre-print Media Attached
22:05
5m
Talk
Aper: Evolution-Aware Runtime Permission Misuse Detection for Android Apps
Technical Track
Sinan Wang Southern University of Science and Technology, Yibo Wang Northeastern University, Xian Zhan The Hong Kong Polytechnic University, Ying Wang Northeastern University, China, Yepang Liu Southern University of Science and Technology, Xiapu Luo Hong Kong Polytechnic University, Shing-Chi Cheung Hong Kong University of Science and Technology
DOI Pre-print Media Attached
22:10
5m
Talk
A Grounded Theory Based Approach to Characterize Software Attack Surfaces
Technical Track
Sara Moshtari Rochester Institute of Technology, Ahmet Okutan Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology
Pre-print Media Attached
22:15
5m
Talk
The Extent of Orphan Vulnerabilities from Code Reuse in Open Source Software (Nominated for Distinguished Paper)
Technical Track
David Reid University of Tennessee, Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, Audris Mockus The University of Tennessee
DOI Pre-print Media Attached
22:20
5m
Talk
MVD: Memory-related Vulnerability Detection Based on Flow-Sensitive Graph Neural Networks
Technical Track
Sicong Cao Yangzhou University, Xiaobing Sun Yangzhou University, Lili Bo Yangzhou University, Rongxin Wu Xiamen University, Bin Li Yangzhou University, Chuanqi Tao Nanjing University of Aeronautics and Astronautics
DOI Pre-print Media Attached
22:25
5m
Talk
VulCNN: An Image-inspired Scalable Vulnerability Detection System
Technical Track
Yueming Wu Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Shihan Dou Huazhong University of Science and Technology, Wei Yang University of Texas at Dallas, Duo Xu Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology
DOI Pre-print Media Attached

Information for Participants
Tue 10 May 2022 11:00 - 12:00 at ICSE room 4-odd hours - Software Security 7 Chair(s): Diomidis Spinellis

Wed 11 May 2022 22:00 - 23:00 at ICSE room 2-even hours - Software Security 6 Chair(s): Travis Breaux