PrivacyCAT: Privacy-Aware Code Analysis at Scale (ICSE 2024 - Software Engineering in Practice)

Who

Ke Mao, Cons Ahs, Sopot Cela, Dino Distefano, Nick Gardner, Radu Grigore, Per Gustafsson, Ákos Hajdu, Timotej Kapus, Matteo Marescotti, Gabriela Cunha Sampaio, Thibault Suzanne

Track

ICSE 2024 Software Engineering in Practice

Time Zone

The program is currently displayed in (GMT+01:00) Lisbon.

Use conference time zone: (GMT+01:00) LisbonSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 17 Apr 2024 16:45 - 17:00 at Grande Auditório - Security 2 Chair(s): Diomidis Spinellis

Abstract

Static and dynamic code analyses have been widely adopted in industry to enhance software reliability, security, and performance by automatically detecting bugs in the code. In this paper, we introduce PrivacyCAT, a code analysis system developed and deployed at WhatsApp to protect user privacy. PrivacyCAT automatically detects privacy defects in code at early stages (before reaching production and affecting users), and therefore, it prevents such vulnerabilities from evolving into privacy incidents. PrivacyCAT comprises of a collection of static and dynamic taint analysers.

We report on the technical development of PrivacyCAT and the results of two years of its large-scale industrial deployment at WhatsApp. We present our experience in designing its system architecture, and continuous integration process. We discuss the unique challenges encountered in developing and deploying such kind of analyses within an industrial context.

Since its deployment in 2021, PrivacyCAT has safeguarded data privacy in 74% of privacy site events (SEVs). It has prevented 493 potential privacy SEVs to land on WhatsApp codebase, helping developers keeping a high privacy standard for the code supporting over 2 billion WhatsApp users.

Ke Mao

Meta

Cons Ahs

Meta

Sopot Cela

Meta

Dino Distefano

Meta

Nick Gardner

Meta

Radu Grigore

Meta

Per Gustafsson

Meta

Ákos Hajdu

Meta

Timotej Kapus

Meta

Matteo Marescotti

Meta

Gabriela Cunha Sampaio

Meta

Thibault Suzanne

Meta

Time Zone

The program is currently displayed in (GMT+01:00) Lisbon.

Use conference time zone: (GMT+01:00) LisbonSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Wed 17 Apr
Displayed time zone: Lisbon change

16:00 - 17:30	Security 2Research Track / Software Engineering in Practice / Journal-first Papers / New Ideas and Emerging Results at Grande Auditório Chair(s): Diomidis Spinellis Athens University of Economics and Business & Delft University of Technology

16:00 15m Talk		PonziGuard: Detecting Ponzi Schemes on Ethereum with Contract Runtime Behavior Graph (CRBG) Research Track Ruichao Liang Wuhan University, Jing Chen Wuhan University, Kun He Wuhan University, Yueming Wu Nanyang Technological University, Gelei Deng Nanyang Technological University, Ruiying Du Wuhan University, Cong Wu The University of Hong Kong
16:15 15m Talk		FuzzSlice: Pruning False Positives in Static Analysis Warnings through Function-Level Fuzzing Research Track Aniruddhan Murali University of Waterloo, Noble Saji Mathews University of Waterloo, Canada, Mahmoud Alfadel University of Waterloo, Mei Nagappan University of Waterloo, Meng Xu University of Waterloo DOI Pre-print
16:30 15m Talk		LibvDiff: Library Version Difference Guided OSS Version Identification in Binaries Research Track Chaopeng Dong University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, Siyuan Li University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, shouguo yang Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China, Yang Xiao Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Yongpan Wang University of Chinese Academy of Sciences & Institute of Information Engineering Chinese Academy of Sciences, China, Hong Li Institute of Information Engineering at Chinese Academy of Sciences, Zhi Li Institute of Information Engineering, Chinese Academy of Sciences, China, Limin Sun Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences,
16:45 15m Talk		PrivacyCAT: Privacy-Aware Code Analysis at Scale Software Engineering in Practice Ke Mao Meta, Cons Ahs Meta, Sopot Cela Meta, Dino Distefano Meta, Nick Gardner Meta, Radu Grigore Meta, Per Gustafsson Meta, Ákos Hajdu Meta, Timotej Kapus Meta, Matteo Marescotti Meta, Gabriela Cunha Sampaio Meta, Thibault Suzanne Meta
17:00 7m Talk		Software in the Manufacturing Industry: Emerging Security Challenge Areas for IIoT Platforms Software Engineering in Practice Yannick Landeck fortiss GmbH, Dian Balta fortiss GmbH, Martin Wimmer Siemens AG, Christian Knierim Siemens AG DOI
17:07 7m Talk		Detecting and Characterizing Propagation of Security Weaknesses in Puppet-based Infrastructure Management Journal-first Papers Akond Rahman Auburn University, Chris Parnin Microsoft Link to publication DOI Pre-print
17:14 7m Talk		Synthesis of Allowlists for Runtime Protection against SQLi New Ideas and Emerging Results Kostyantyn Vorobyov Oracle Labs, François Gauthier Oracle Labs, Paddy Krishnan Oracle Labs, Australia