Write a Blog >>
ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
Wed 23 Sep 2020 01:10 - 01:30 at Platypus - Software Security and Trust (1) Chair(s): Christoph Csallner

Vendors who wish to provide software or services to large corporations and governments must often obtain numerous certificates of compliance. Each certificate asserts that the software satisfies a compliance regime, like SOC or the PCI DSS, to protect the privacy and security of sensitive data. Manual compliance audits of source code (the industry standard) are expensive, error-prone, partial, and prone to regressions.

We propose \emph{continuous compliance} to guarantee that the codebase stays compliant on each code change using lightweight verification tools. Continuous compliance increases assurance and reduces cost in the domain of source-code compliance.

We evaluated continuous compliance by building and deploying verification tools for five common audit controls related to data security: cryptographically unsafe algorithms must not be used, keys must be at least 256 bits long, credentials must not be hard-coded into program text, HTTPS must always be used instead of HTTP, and cloud data stores must not be world-readable. We report on our experience deploying these verification tools at a large company, where they are integrated into the compliance process (including auditors accepting their output as evidence) and have been run on over 68 million lines of code. We open-sourced our tools and applied them to over 5 million lines of open-source software. Compared to other publicly-available tools for detecting misuses of encryption, only ours are suitable for continuous compliance.

Wed 23 Sep
Times are displayed in time zone: (UTC) Coordinated Universal Time

01:10 - 02:10: Software Security and Trust (1) Research Papers / NIER track / Tool Demonstrations at Platypus
Chair(s): Christoph CsallnerUniversity of Texas at Arlington
01:10 - 01:30
Continuous ComplianceExperience
Research Papers
Martin KelloggUniversity of Washington, Seattle, Martin SchäfAmazon Web Services, Serdar TasiranAmazon Web Services, Michael D. ErnstUniversity of Washington, USA
01:30 - 01:50
SADT: Syntax-Aware Differential Testing of Certificate Validation in SSL/TLS Implementions
Research Papers
Lili QuanCollege of Intelligence and Computing,Tianjin University, Qianyu GuoCollege of Intelligence and Computing, Tianjin University, Hongxu ChenResearch Associate, xiexiaofei , Li XiaohongTianJin University, Yang LiuNanyang Technological University, Singapore, Jing HuTianjin Key Laboratory of Advanced Networking (TANK), College of Intelligence and Computing,Tianjin University
01:50 - 02:00
A Hybrid Analysis to Detect Java Serialisation Vulnerabilities
NIER track
Shawn RasheedMassey University, Jens DietrichVictoria University of Wellington
02:00 - 02:10
EXPRESS: An Energy-Efficient and Secure Framework for Mobile Edge Computing and Blockchain based Smart Systems
Tool Demonstrations
Jia XuSchool of Computer Science and Technology, Anhui University, Xiao LiuSchool of Information Technology, Deakin University, Xuejun LiSchool of Computer Science and Technology, Anhui University, Lei ZhangAntwork Robotics Co., Ltm., Hangzhou, China, Yun YangSwinburne University of Technology