On the acceptance by code reviewers of candidate security patches suggested by Automated Program Repair tools.
Security
Fri 2 May 2025 10:30 - 11:00 at Canada Hall 3 Poster Area - Fri Morning Break Posters 10:30-11
Fri 2 May 2025 15:15 - 15:22 at 207 - User Experience Chair(s): Ramiro Liscano
[Objective] We investigated whether (possibly wrong) security patches suggested by Automated Program Repairs (APR) for real world projects are recognized by human reviewers. We also investigated whether knowing that a patch was produced by an allegedly specialized tool does change the decision of human reviewers. [Method] We perform an experiment with Master students in Computer Science. In the first phase, using a balanced design, we propose to human reviewers a combination of patches proposed by APR tools for different vulnerabilities and ask reviewers to adopt or reject the proposed patches. In the second phase, we tell participants that some of the proposed patches were generated by security-specialized tools (even if the tool was actually a �normal’ APR tool) and measure whether the human reviewers would change their decision to adopt or reject a patch. [Results] It is easier to identify wrong patches than correct patches, and correct patches are not confused with partially correct patches. Also patches from APR Security tools are adopted more often than patches suggested by generic APR tools but there is not enough evidence to verify if �bogus’ security claims are distinguishable from �true security’ claims. Finally, the number of switches to the patches suggested by security tool is significantly higher after the security information is revealed irrespective of correctness. [Limitations] The experiment was conducted in an academic setting, and focused on a limited sample of popular APR tools and popular vulnerability types.
Thu 1 MayDisplayed time zone: Eastern Time (US & Canada) change
13:00 - 13:30 | Thu Lunch Posters 13:00-13:30Research Track / SE in Society (SEIS) / Journal-first Papers / SE In Practice (SEIP) at Canada Hall 3 Poster Area | ||
13:00 30mTalk | BDefects4NN: A Backdoor Defect Database for Controlled Localization Studies in Neural Networks Research Track Yisong Xiao Beihang University, Aishan Liu Beihang University; Institute of Dataspace, Xinwei Zhang Beihang University, Tianyuan Zhang Beihang University, Li Tianlin NTU, Siyuan Liang National University of Singapore, Xianglong Liu Beihang University; Institute of Dataspace; Zhongguancun Laboratory, Yang Liu Nanyang Technological University, Dacheng Tao Nanyang Technological University | ||
13:00 30mTalk | Ethical Issues in Video Games: Insights from Reddit Discussions SE in Society (SEIS) | ||
13:00 30mTalk | An Empirical Study on Developers' Shared Conversations with ChatGPT in GitHub Pull Requests and Issues Journal-first Papers Huizi Hao Queen's University, Canada, Kazi Amit Hasan Queen's University, Canada, Hong Qin Queen's University, Marcos Macedo Queen's University, Yuan Tian Queen's University, Kingston, Ontario, Ding Steven, H., H. Queen’s University at Kingston, Ahmed E. Hassan Queen’s University | ||
13:00 30mTalk | QuanTest: Entanglement-Guided Testing of Quantum Neural Network SystemsQuantum Journal-first Papers Jinjing Shi Central South University, Zimeng Xiao Central South University, Heyuan Shi Central South University, Yu Jiang Tsinghua University, Xuelong LI China Telecom Link to publication | ||
13:00 30mPoster | FlatD: Protecting Deep Neural Network Program from Reversing Attacks SE In Practice (SEIP) Jinquan Zhang The Pennsylvania State University, Zihao Wang Penn State University, Pei Wang Independent Researcher, Rui Zhong Palo Alto Networks, Dinghao Wu Pennsylvania State University | ||
13:00 30mTalk | Building Domain-Specific Machine Learning Workflows: A Conceptual Framework for the State-of-the-PracticeSE for AI Journal-first Papers Bentley Oakes Polytechnique Montréal, Michalis Famelis Université de Montréal, Houari Sahraoui DIRO, Université de Montréal DOI Pre-print File Attached | ||
13:00 30mTalk | On the acceptance by code reviewers of candidate security patches suggested by Automated Program Repair tools.Security Journal-first Papers Aurora Papotti Vrije Universiteit Amsterdam, Ranindya Paramitha University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam | ||
13:00 30mTalk | Automating Explanation Need Management in App Reviews: A Case Study from the Navigation App Industry SE In Practice (SEIP) Martin Obaidi Leibniz Universität Hannover, Nicolas Voß Graphmasters GmbH, Hannah Deters Leibniz University Hannover, Jakob Droste Leibniz Universität Hannover, Marc Herrmann Leibniz University Hannover, Jannik Fischbach Netlight Consulting GmbH and fortiss GmbH, Kurt Schneider Leibniz Universität Hannover, Software Engineering Group | ||
Fri 2 MayDisplayed time zone: Eastern Time (US & Canada) change
10:30 - 11:00 | Fri Morning Break Posters 10:30-11Journal-first Papers / SE In Practice (SEIP) / Research Track / SE in Society (SEIS) / New Ideas and Emerging Results (NIER) at Canada Hall 3 Poster Area | ||
10:30 30mTalk | An Empirical Study on Developers' Shared Conversations with ChatGPT in GitHub Pull Requests and Issues Journal-first Papers Huizi Hao Queen's University, Canada, Kazi Amit Hasan Queen's University, Canada, Hong Qin Queen's University, Marcos Macedo Queen's University, Yuan Tian Queen's University, Kingston, Ontario, Ding Steven, H., H. Queen’s University at Kingston, Ahmed E. Hassan Queen’s University | ||
10:30 30mTalk | Automating Explanation Need Management in App Reviews: A Case Study from the Navigation App Industry SE In Practice (SEIP) Martin Obaidi Leibniz Universität Hannover, Nicolas Voß Graphmasters GmbH, Hannah Deters Leibniz University Hannover, Jakob Droste Leibniz Universität Hannover, Marc Herrmann Leibniz University Hannover, Jannik Fischbach Netlight Consulting GmbH and fortiss GmbH, Kurt Schneider Leibniz Universität Hannover, Software Engineering Group | ||
10:30 30mTalk | On the acceptance by code reviewers of candidate security patches suggested by Automated Program Repair tools.Security Journal-first Papers Aurora Papotti Vrije Universiteit Amsterdam, Ranindya Paramitha University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam | ||
10:30 30mTalk | Relevant information in TDD experiment reporting Journal-first Papers Fernando Uyaguari Instituto Superior Tecnológico Wissen, Silvia Teresita Acuña Castillo Universidad Autónoma de Madrid, John W. Castro Universidad de Atacama, Davide Fucci Blekinge Institute of Technology, Oscar Dieste Universidad Politécnica de Madrid, Sira Vegas Universidad Politecnica de Madrid | ||
10:30 30mTalk | BDefects4NN: A Backdoor Defect Database for Controlled Localization Studies in Neural Networks Research Track Yisong Xiao Beihang University, Aishan Liu Beihang University; Institute of Dataspace, Xinwei Zhang Beihang University, Tianyuan Zhang Beihang University, Li Tianlin NTU, Siyuan Liang National University of Singapore, Xianglong Liu Beihang University; Institute of Dataspace; Zhongguancun Laboratory, Yang Liu Nanyang Technological University, Dacheng Tao Nanyang Technological University | ||
10:30 30mTalk | Ethical Issues in Video Games: Insights from Reddit Discussions SE in Society (SEIS) | ||
10:30 30mTalk | SusDevOps: Promoting Sustainability to a First Principle in Software Delivery New Ideas and Emerging Results (NIER) Istvan David McMaster University / McMaster Centre for Software Certification (McSCert) | ||