Write a Blog >>
ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
ASE 2020 (series) / [Workshop] HCSE&CS /

Vulnerability Discovery Strategies Used in Software Projects

Workshop
Farzana Ahamed Bhuiyan, Akond Rahman, Patrick Morrison
ASE 2020 [Workshop] HCSE&CS
Mon 21 Sep 2020 03:14 - 03:26 at Kangaroo - Session 1 Paper Presentation

Malicious users can exploit undiscovered software vulnerabilities i.e., undiscovered weaknesses in software, to cause serious consequences, such as large-scale data breaches. A systematic approach that synthesizes strategies used by security testers can aid practitioners to identify latent vulnerabilities. The goal of this paper is to help practitioners identify software vulnerabilities by categorizing vulnerability discovery strategies using open source software bug reports. We categorize vulnerability discovery strategies by applying qualitative analysis on 312 OSS bug reports. Next, we quantify the frequency and evolution of the identified strategies by analyzing 1,632 OSS bug reports collected from five software projects spanning across 2009 to 2019. The five software projects are Chrome, Eclipse, Mozilla, OpenStack, and PHP.

We identify four vulnerability discovery strategies: diagnostics, malicious payload construction, misconfiguration, and pernicious execution. For Eclipse and OpenStack, the most frequently used strategy is diagnostics, where security testers inspect source code and build/debug logs. For three web-related software projects namely, Chrome, Mozilla, and PHP, the most frequently occurring strategy is malicious payload construction i.e., creating malicious files, such as malicious certificates and malicious videos.

small-avatar
Farzana Ahamed Bhuiyan
Tennessee Tech University
Akond Rahman
Akond Rahman
Tennessee Tech University
United States
small-avatar
Patrick Morrison
IBM

Mon 21 Sep
Times are displayed in time zone: (UTC) Coordinated Universal Time

02:50 - 03:50: Session 1 Paper Presentation[Workshop] HCSE&CS at Kangaroo
02:50 - 03:02
Talk		A Risk Homeostasis Perspective on Zimbabwean Protective Point-of-Sale Transaction BehavioursWorkshop
[Workshop] HCSE&CS
Alfred MusarurwaAbertay University, Karen RenaudAbertay University, Tim ShuermannTU Darmstadt
03:02 - 03:14
Talk		Designing a Serious Game: Teaching Developers to Embed Privacy into Software SystemsWorkshop
[Workshop] HCSE&CS
Nalin Asanka Gamagedara ArachchilageLa Trobe University, Australia, Mumtaz AbdulhameedTechnovation Consulting & Training PVT
03:14 - 03:26
Talk		Vulnerability Discovery Strategies Used in Software ProjectsWorkshop
[Workshop] HCSE&CS
Farzana Ahamed BhuiyanTennessee Tech University, Akond RahmanTennessee Tech University, Patrick MorrisonIBM
03:26 - 03:38
Talk		An Informed Consent Model for Handling the Privacy Paradox in Smart BuildingsWorkshop
[Workshop] HCSE&CS
Chehara PathmabanduMonash University, Mohan Baruwal ChhetriData61 CSIRO Australia, John GrundyMonash University, Australia, A: Zubair BaigDeakin University
03:38 - 03:50
Talk		Characterizing Co-located Insecure Coding Patterns in Infrastructure as Code ScriptsWorkshop
[Workshop] HCSE&CS
Farzana Ahamed BhuiyanTennessee Tech University, Akond RahmanTennessee Tech University

A Risk Homeostasis Perspective on Zimbabwean Protective Point-of-Sale Transaction Behaviours [Workshop] HCSE&CS

Session: Session 1 Paper Presentation Mon 21 Sep 2020 02:50 - 03:50

Workshop

Zimbabwe has introduced a number of currency reforms since the beginning of 2019. Of note are the Statutory Instruments 142 (SI142) and SI16 enacted in March 2019, which replaced the multi-currency regime with the Zimbabwe dollar as legal tender, rendering all other currencies illegal. These events constitute a unique opportunity to carry out a “natural experiment”. We used the opportunity to explore the impact of the currency changes on Zimbabweans’ protective PIN shielding behaviours. Our study was carried out spanning both the multi-currency and Zimbabwe Dollar (ZWL) currency periods. We observed far less PIN shielding than in comparable studies in other countries, and we suggest that this is due to uncertainty and reduced currency values. In essence, this was a natural experiment into the impact of currency changes on citizen behaviours, and what we discovered revealed an unexpected real-life risk homeostasis response.

Alfred Musarurwa
Alfred Musarurwa
Abertay University
United Kingdom
small-avatar
Karen Renaud
Abertay University
United Kingdom
small-avatar
Tim Shuermann
TU Darmstadt
All Details Close

Designing a Serious Game: Teaching Developers to Embed Privacy into Software Systems [Workshop] HCSE&CS

Session: Session 1 Paper Presentation Mon 21 Sep 2020 02:50 - 03:50

Workshop

Software applications continue to challenge user privacy when users interact with them. Privacy practices (e.g. Data Minimisation (DM), Privacy by Design (PbD) or General Data Protection Regulation (GDPR)) and related privacy engineering" methodologies exist and provide clear instructions for developers to implement privacy into software systems they develop that preserve user privacy. However, those practices and methodologies are not yet a common practice in the software development community. There has been no previous research focused on developingeducational" interventions such as serious games to enhance software developers’ coding behaviour. Therefore, this research proposes a game design framework as an educational tool for software developers to improve (secure) coding behaviour, so they can develop privacy-preserving software applications that people can use. The elements of the proposed framework were incorporated into a gaming application scenario that enhances the software developers’ coding behaviour through their motivation. The proposed work not only enables the development of privacy-preserving software systems but also helping the software development community to put privacy guidelines and engineering methodologies into practice.

small-avatar
Nalin Asanka Gamagedara Arachchilage
La Trobe University, Australia
small-avatar
Mumtaz Abdulhameed
Technovation Consulting & Training PVT
All Details Close

Vulnerability Discovery Strategies Used in Software Projects [Workshop] HCSE&CS

Session: Session 1 Paper Presentation Mon 21 Sep 2020 02:50 - 03:50

Workshop

Malicious users can exploit undiscovered software vulnerabilities i.e., undiscovered weaknesses in software, to cause serious consequences, such as large-scale data breaches. A systematic approach that synthesizes strategies used by security testers can aid practitioners to identify latent vulnerabilities. The goal of this paper is to help practitioners identify software vulnerabilities by categorizing vulnerability discovery strategies using open source software bug reports. We categorize vulnerability discovery strategies by applying qualitative analysis on 312 OSS bug reports. Next, we quantify the frequency and evolution of the identified strategies by analyzing 1,632 OSS bug reports collected from five software projects spanning across 2009 to 2019. The five software projects are Chrome, Eclipse, Mozilla, OpenStack, and PHP.

We identify four vulnerability discovery strategies: diagnostics, malicious payload construction, misconfiguration, and pernicious execution. For Eclipse and OpenStack, the most frequently used strategy is diagnostics, where security testers inspect source code and build/debug logs. For three web-related software projects namely, Chrome, Mozilla, and PHP, the most frequently occurring strategy is malicious payload construction i.e., creating malicious files, such as malicious certificates and malicious videos.

small-avatar
Farzana Ahamed Bhuiyan
Tennessee Tech University
Akond Rahman
Akond Rahman
Tennessee Tech University
United States
small-avatar
Patrick Morrison
IBM
All Details Close

An Informed Consent Model for Handling the Privacy Paradox in Smart Buildings [Workshop] HCSE&CS

Session: Session 1 Paper Presentation Mon 21 Sep 2020 02:50 - 03:50

Workshop

Smart Buildings are defined as the ``buildings of the future" and use the latest Internet of Things (IoT) technologies to automate building operations and services. This is to both increase operational efficiency as well as maximize occupant comfort and environmental impact. However, these ‘‘smart devices’’ – typically used with default settings – also enable the capture and sharing of a variety of sensitive and personal data about the occupants. Given the non-intrusive nature of most IoT devices, individuals have little awareness of what data is being collected about them and what happens to it downstream. Even if they are aware, convenience overrides any privacy concerns, and they do not take sufficient steps to control the data collection, thereby exacerbating the privacy paradox. At the same time, IoT-based building automation systems are revealing highly sensitive insights about the building occupants by synthesizing data from multiple sources and this can be exploited by the device vendors and unauthorised third parties. To address the tension between privacy and convenience in an increasingly connected world, we propose a user-centric informed consent model to handle the privacy paradox in Smart Buildings. The proposed model aims to (a) inform and increase user awareness about how their data is being collected and used, (b) provide fine-grained visibility into privacy compliance and infringement by IoT devices, and (c) recommend corrective actions through nudges (or soft notifications). We illustrate how our proposed consent model works through a use case scenario of a voice-activated smart office.

Chehara Pathmabandu
Chehara Pathmabandu
Monash University
small-avatar
Mohan Baruwal Chhetri
Data61 CSIRO Australia
John Grundy
John Grundy
Monash University, Australia
Australia
Zubair Baig
Zubair BaigAuthor
Deakin University
Australia
All Details Close

Characterizing Co-located Insecure Coding Patterns in Infrastructure as Code Scripts [Workshop] HCSE&CS

Session: Session 1 Paper Presentation Mon 21 Sep 2020 02:50 - 03:50

Workshop

Context: Insecure coding patterns (ICPs), such as hard-coded passwords can be inadvertently introduced in infrastructure as code (IaC) scripts, providing malicious users the opportunity to attack provisioned computing infrastructure. As performing code reviews is resource-intensive, a characterization of co-located ICPs, i.e., ICPs that occur together in a script can help practitioners to prioritize their review efforts and mitigate ICPs in IaC scripts. Objective: The goal of this paper is to help practitioners in prioritizing code review efforts for infrastructure as code (IaC) scripts by conducting an empirical study of co-located insecure coding patterns in IaC scripts. Methodology: We conduct an empirical study with 1613, 2764 and 2845 Puppet scripts respectively collected from three organizations namely, Mozilla, Openstack, and Wikimedia. We apply association rule mining to identify co-located ICPs in IaC scripts. Results: We observe 17.9%, 32.9%, and 26.7% of the scripts to include co-located ICPs respectively, for Mozilla, Openstack, and Wikimedia. The most frequent co-located ICP category is hard-coded secret and suspicious comment. Conclusion: Practitioners can prioritize code review efforts for IaC scripts by reviewing scripts that include co-located ICPs.

small-avatar
Farzana Ahamed Bhuiyan
Tennessee Tech University
Akond Rahman
Akond Rahman
Tennessee Tech University
United States
All Details Close