MSR 2023
Dates to be announced Melbourne, Australia
co-located with ICSE 2023
Mon 15 May 2023 16:47 - 16:59 at Meeting Room 110 - Security Chair(s): Chanchal K. Roy

[Background] Personal software configurations, known as "dotfiles", are increasingly being shared in public repositories.

[Aim] To understand the security and privacy implications of this phenomenon, we conducted a large-scale analysis of dotfiles repositories on GitHub. Furthermore, we surveyed repository owners to understand people’s motivations for sharing dotfiles and their awareness of the security implications.

[Method] Our mixed-method approach, therefore, consisted of two parts. We mined 124230 public dotfiles repositories and inductively searched them for security and privacy flaws. We then conducted a survey (n=1650) of repository owners to disclose our findings and learn more about the problems and implications.

[Results] We found that 73.6% of repositories leak potentially sensitive information, most commonly email addresses (of which we found 1.2 million), but also RSA private keys, API keys, installed software versions, browsing history, and even mail client inboxes. In addition, we found that sharing is mainly ideological (an end in itself) and to show off ("ricing"), in addition to easing machine setup. Most users are confident about the contents of their files and claim to understand the security implications. In response to our disclosures, a small minority (2.2%) will make their repositories private or delete them, but the majority of respondents will continue sharing their dotfiles after taking appropriate actions.

[Conclusions] Dotfiles repositories are a great tool for developers to share knowledge and communicate – if done correctly. We provide recommendations for users and platforms to make them more secure. Specifically, tools should be used to manage dotfiles. In addition, platforms should work on more sophisticated tests to find weaknesses automatically and either inform the users or contain the damage.
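The conclusions call for tooling that checks dotfiles before they are published and for automated platform-side tests. The following Python script is an added example, not code from the paper or its authors: a small pre-publication scanner that flags the leak categories the abstract names (email addresses, PEM private-key blocks, credential-looking assignments with high-entropy values) and a short list of files that should never be public (shell history, .netrc). The regex shapes, the entropy threshold of 3.5 bits per character, the NEVER_SHARE list and the sample repository are all my own constructed choices; the "secret" values are fabricated and not real credentials.

```python
import math
import re
from collections import Counter

# Regexes for leak categories the study names: email addresses, RSA private
# keys and API keys. The pattern shapes are my own choices, not the paper's.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PEM_RE = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
# "NAME=value" / "export NAME=value" where NAME looks credential-like.
ASSIGN_RE = re.compile(
    r"\b(?:export\s+)?([A-Za-z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASSWD)[A-Za-z0-9_]*)"
    r"\s*=\s*['\"]?([^'\"\s]+)",
    re.IGNORECASE,
)
# Files that should never be in a public repo regardless of content (my list,
# motivated by the "browsing history" and "inboxes" findings in the abstract).
NEVER_SHARE = {".bash_history", ".zsh_history", ".python_history", ".netrc", ".lesshst"}
PLACEHOLDERS = {"changeme", "xxx", "...", "<redacted>", "todo"}


def shannon_entropy(s: str) -> float:
    """Bits per character; real tokens score well above prose or paths."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_file(path: str, text: str) -> list[tuple[str, int, str, str]]:
    """Return (path, line, category, detail) findings for one dotfile."""
    findings = []
    base = path.rsplit("/", 1)[-1]
    if base in NEVER_SHARE:
        # Flag the whole file; its contents are sensitive by definition.
        return [(path, 0, "history", base)]
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_RE.search(line):
            findings.append((path, lineno, "private-key", line.strip()))
            continue
        for m in EMAIL_RE.finditer(line):
            findings.append((path, lineno, "email", m.group(0)))
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            # Variable references and obvious placeholders are not leaks.
            if value.startswith("$") or value.lower() in PLACEHOLDERS:
                continue
            if len(value) >= 16 and shannon_entropy(value) > 3.5:
                # Report the variable name only; never echo the secret itself.
                findings.append((path, lineno, "api-key", name))
    return findings


def scan_repo(files: dict[str, str]) -> list[tuple[str, int, str, str]]:
    """Scan a mapping of repo-relative path -> file text."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_file(path, text))
    return findings


def summarize(findings) -> Counter:
    """Count findings per category, e.g. for a CI gate or platform report."""
    return Counter(category for _, _, category, _ in findings)


# Constructed sample repository; none of these values are real credentials.
SAMPLE_REPO = {
    ".gitconfig": "[user]\n\tname = Jane Doe\n\temail = jane.doe@example.com\n",
    ".zshrc": (
        "export EDITOR=vim\n"
        'export GITHUB_TOKEN="gh_CONSTRUCTED0a1b2c3d4e5f6g7h8i9j"\n'
        "export PATH=$HOME/bin:$PATH\n"
        "export DB_PASSWORD=$SECRET_FROM_VAULT\n"
    ),
    ".ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedNOTAREALKEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    ".bash_history": "cd ~/projects\nls -la\n",
}

if __name__ == "__main__":
    for path, lineno, category, detail in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {category}: {detail}")
    print(dict(summarize(scan_repo(SAMPLE_REPO))))
```

Run against a checkout by reading each tracked file into the `files` mapping (a pre-commit hook is the natural place). The design choice worth noting is that an `api-key` finding reports the variable name, not the value, so the scanner's own output can be logged or posted in a CI comment without repeating the leak; values that are `$VAR` references or well-known placeholders are ignored to keep the signal usable on the indirection patterns the paper recommends (tool-managed dotfiles that pull secrets from a vault at setup time).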

Mon 15 May

Displayed time zone: Hobart

16:35 - 17:20
Security: Technical Papers / Data and Tool Showcase Track at Meeting Room 110
Chair(s): Chanchal K. Roy University of Saskatchewan
16:35
12m
Talk
UNGOML: Automated Classification of unsafe Usages in Go
Technical Papers
Anna-Katharina Wickert TU Darmstadt, Germany, Clemens Damke University of Munich (LMU), Lars Baumgärtner Technische Universität Darmstadt, Eyke Hüllermeier University of Munich (LMU), Mira Mezini TU Darmstadt
Pre-print File Attached
16:47
12m
Talk
Connecting the .dotfiles: Checked-In Secret Exposure with Extra (Lateral Movement) Steps
Technical Papers
Gerhard Jungwirth TU Wien, Aakanksha Saha TU Wien, Michael Schröder TU Wien, Tobias Fiebig Max-Planck-Institut für Informatik, Martina Lindorfer TU Wien, Jürgen Cito TU Wien
Pre-print
16:59
12m
Talk
MANDO-HGT: Heterogeneous Graph Transformers for Smart Contract Vulnerability Detection
Technical Papers
Hoang H. Nguyen L3S Research Center, Leibniz Universität Hannover, Hannover, Germany, Nhat-Minh Nguyen Singapore Management University, Singapore, Chunyao Xie L3S Research Center, Leibniz Universität Hannover, Germany, Zahra Ahmadi L3S Research Center, Leibniz Universität Hannover, Hannover, Germany, Daniel Kudenko L3S Research Center, Leibniz Universität Hannover, Germany, Thanh-Nam Doan Independent Researcher, Atlanta, Georgia, USA, Lingxiao Jiang Singapore Management University
Pre-print Media Attached
17:11
6m
Talk
SecretBench: A Dataset of Software Secrets
Data and Tool Showcase Track
Setu Kumar Basak North Carolina State University, Lorenzo Neil North Carolina State University, Bradley Reaves North Carolina State University, Laurie Williams North Carolina State University
Pre-print