Write a Blog >>
ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Wed 17 May 2023 16:15 - 16:30 at Meeting Room 105 - Vulnerability analysis and assessment Chair(s): Xiaoyin Wang

Npm is the largest software ecosystem in the world, offering millions of free, reusable packages. In recent years, various security threats to packages published on npm have been reported, including vulnerabilities that affect millions of users. To continuously improve techniques for detecting vulnerabilities and mitigating attacks that exploit them, a reusable benchmark of vulnerabilities would be highly desirable. Ideally, such a benchmark should be realistic, come with executable exploits, and include fixes of vulnerabilities. Unfortunately, there currently is no such benchmark, forcing researchers to repeatedly develop their own evaluation datasets and making it difficult to compare techniques with each other. This paper presents SecBench.js, the first comprehensive benchmark suite of vulnerabilities and executable exploits for npm. The benchmark comprises 600 vulnerabilities, which cover the five most common vulnerability classes for server-side JavaScript. Each vulnerability comes with a payload that exploits the vulnerability and an oracle that validates successful exploitation. SecBench.js enables various applications, of which we explore three in this paper: (i) crosschecking SecBench.js against existing security advisories reveals 168 vulnerable versions in 19 packages that are mislabeled in the advisories; (ii) applying simple code transformations to the exploits in our suite helps identify flawed fixes of vulnerabilities; (iii) dynamically analyzing calls to common sink APIs, e.g., exec(), yields a ground truth of code locations for evaluating vulnerability detectors. Beyond providing a reusable benchmark to the community, our work identified 20 zero-day vulnerabilities, most of which are already acknowledged by practitioners.

Wed 17 May

Displayed time zone: Hobart change

15:45 - 17:15
Vulnerability analysis and assessmentTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105
Chair(s): Xiaoyin Wang University of Texas at San Antonio
15:45
15m
Talk
Chronos: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports
Technical Track
Yunbo Lyu Singapore Management University, Le-Cong Thanh The University of Melbourne, Hong Jin Kang UCLA, Ratnadira Widyasari Singapore Management University, Singapore, Zhipeng Zhao Singapore Management University, Xuan-Bach D. Le University of Melbourne, Ming Li Nanjing University, David Lo Singapore Management University
Pre-print
16:00
15m
Talk
Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem
Technical Track
Yulun Wu Huazhong University of Science and Technology, Zeliang Yu Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Qiang Li Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology
Pre-print
16:15
15m
Talk
SecBench.js: An Executable Security Benchmark Suite for Server-Side JavaScript
Technical Track
Masudul Hasan Masud Bhuiyan CISPA Helmholtz Center for Information Security, Adithya Srinivas Parthasarathy Indian Institute of Information Technology, Design and Manufacturing, Kancheepuram, Nikos Vasilakis Massachusetts Institute of Technology, Michael Pradel University of Stuttgart, Cristian-Alexandru Staicu CISPA Helmholtz Center for Information Security
Pre-print
16:30
15m
Talk
On Privacy Weaknesses and Vulnerabilities in Software Systems
Technical Track
Pattaraporn Sangaroonsilp University of Wollongong, Hoa Khanh Dam University of Wollongong, Aditya Ghose University of Wollongong
16:45
7m
Talk
A Multi-faceted Vulnerability Searching Website Powered by Aspect-level Vulnerability Knowledge Graph
DEMO - Demonstrations
Jiamou Sun CSIRO's Data61, Zhenchang Xing CSIRO’s Data61; Australian National University, Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61
16:52
7m
Talk
An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities
Journal-First Papers
Imen Sayar IRIT, University of Toulouse, IUT Blagnac Toulouse II, 1 Place Georges Brassens, Blagnac Cedex, France, 31703, Alexandre Bartel Umeå University, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Yves Le Traon University of Luxembourg, Luxembourg
17:00
7m
Talk
Blindspots in Python and Java APIs Result in Vulnerable Code
Journal-First Papers
Yuriy Brun University of Massachusetts, Tian Lin University of Florida, Jessie Elise Somerville University of Florida, Elisha M. Myers Florida Atlantic University, Natalie C. Ebner University of Florida
Link to publication DOI Pre-print Media Attached