Md Rayhanul Masud,Michalis Faloutsos

2024-03-07

Abstract:Are malicious repositories hiding under the educational label in GitHub? Recent studies have identified collections of GitHub repositories hosting malware source code with notable collaboration among the developers. Thus, analyzing GitHub repositories deserves inevitable attention due to its open-source nature providing easy access to malicious software code and artifacts. Here we leverage the capabilities of ChatGPT in a qualitative study to annotate an educational GitHub repository based on maliciousness of its metadata contents. Our contribution is twofold. First, we demonstrate the employment of ChatGPT to understand and annotate the content published in software repositories. Second, we provide evidence of hidden risk in educational repositories contributing to the opportunities of potential threats and malicious intents. We carry out a systematic study on a collection of 35.2K GitHub repositories claimed to be created for educational purposes only. First, our study finds an increasing trend in the number of such repositories published every year. Second, 9294 of them are labeled by ChatGPT as malicious, and further categorization of the malicious ones detects 14 different malware families including DDoS, keylogger, ransomware and so on. Overall, this exploratory study flags a wake-up call for the community for better understanding and analysis of software platforms.

Software Engineering,Cryptography and Security

Runhan Feng,Ziyang Yan,Shiyan Peng,Yuanyuan Zhang

DOI: https://doi.org/10.1145/3510003.3510150

2022-01-01

Abstract:The prosperity of the GitHub community has raised new concerns about data security in public repositories. Practitioners who manage authentication secrets such as textual passwords and API keys in the source code may accidentally leave these texts in the public repositories, resulting in secret leakage. If such leakage in the source code can be automatically detected in time, potential damage would be avoided. With existing approaches focusing on detecting secrets with distinctive formats (e.g., API keys, cryptographic keys in PEM format), textual passwords, which are ubiquitously used for authentication, fall through the crack. Given that textual passwords could be virtually any strings, a naive detection scheme based on regular expression performs poorly. This paper presents PassFinder, an automated approach to effectively detecting password leakage from public repositories that involve various programming languages on a large scale. PassFinder utilizes deep neural networks to unveil the intrinsic characteristics of textual passwords and understand the semantics of the code snippets that use textual passwords for authentication, i.e., the contextual information of the passwords in the source code. Using this new technique, we performed the first large-scale and longitudinal analysis of password leakage on GitHub. We inspected newly uploaded public code files on GitHub for 75 days and found that password leakage is pervasive, affecting over sixty thousand repositories. Our work contributes to a better understanding of password leakage on GitHub, and we believe our technique could promote the security of the open-source ecosystem.

Danielle Gonzalez,Thomas Zimmermann,Patrice Godefroid,Max Schaefer

DOI: https://doi.org/10.48550/arXiv.2103.03846

2021-03-10

Abstract:Security is critical to the adoption of open source software (OSS), yet few automated solutions currently exist to help detect and prevent malicious contributions from infecting open source repositories. On GitHub, a primary host of OSS, repositories contain not only code but also a wealth of commit-related and contextual metadata - what if this metadata could be used to automatically identify malicious OSS contributions? In this work, we show how to use only commit logs and repository metadata to automatically detect anomalous and potentially malicious commits. We identify and evaluate several relevant factors which can be automatically computed from this data, such as the modification of sensitive files, outlier change properties, or a lack of trust in the commit's author. Our tool, Anomalicious, automatically computes these factors and considers them holistically using a rule-based decision model. In an evaluation on a data set of 15 malware-infected repositories, Anomalicious showed promising results and identified 53.33% of malicious commits, while flagging less than 1% of commits for most repositories. Additionally, the tool found other interesting anomalies that are not related to malicious commits in an analysis of repositories with no known malicious commits.

Software Engineering

Alexander Krause,Jan H. Klemmer,Nicolas Huaman,Dominik Wermke,Yasemin Acar,Sascha Fahl

DOI: https://doi.org/10.48550/arXiv.2211.06213

2022-11-14

Abstract:Version control systems for source code, such as Git, are key tools in modern software development environments. Many developers use online services, such as GitHub or GitLab, for collaborative software development. While software projects often require code secrets to work, such as API keys or passwords, they need to be handled securely within the project. Previous research and news articles have illustrated that developers are blameworthy of committing code secrets, such as private encryption keys, passwords, or API keys, accidentally to public source code repositories. However, making secrets publicly available might have disastrous consequences, such as leaving systems vulnerable to attacks. In a mixed-methods study, we surveyed 109 developers and conducted 14 in-depth semi-structured interviews with developers which experienced secret leakage in the past. We find that 30.3% of our participants have encountered secret leakage in the past, and that developers are facing several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, e. g., estimating risks of leaked secrets, and needs of developers in remediating and preventing code secret leaks, e. g., low adoption requirements. We also give recommendations for developers and source code platform providers to reduce the risk of secret leakage.

Cryptography and Security

Soufian El Yadmani,Robin The,Olga Gadyatskaya

DOI: https://doi.org/10.48550/arXiv.2210.08374

2023-06-07

Abstract:Exploit proof-of-concepts (PoCs) for known vulnerabilities are widely shared in the security community. They help security analysts to learn from each other and they facilitate security assessments and red teaming tasks. In the recent years, PoCs have been widely distributed, e.g., via dedicated websites and platforms, and public code repositories such as GitHub. However, there is no guarantee that PoCs in public code repositories come from trustworthy sources or even that they do what they are supposed to do. In this work we investigate GitHub-hosted PoCs for known vulnerabilities discovered in 2017--2021. We discovered that not all PoCs are trustworthy. Some proof-of-concepts are malicious, e.g., they attempt to exfiltrate data from the system they are being run on, or they try to install malware on this system, and in some cases they have hard-coded reverse shell listener. To measure the prevalence of this threat, we propose an approach to detecting malicious PoCs. Our approach relies on the maliciousness symptoms we have observed in our PoC dataset: calls to malicious IP addresses, encoded malicious code, and included Trojanized binaries. With this approach, we have discovered 899 malicious repositories out of 47,285 repositories that have been downloaded and checked (i.e., 1.9% of the studied repositories have indicators of malicious intent). This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.

Cryptography and Security

Costanza Alfieri,Juri Di Rocco,Paola Inverardi,Phuong T. Nguyen

2024-09-10

Abstract:GitHub provides developers with a practical way to distribute source code and collaboratively work on common projects. To enhance account security and privacy, GitHub allows its users to manage access permissions, review audit logs, and enable two-factor authentication. However, despite the endless effort, the platform still faces various issues related to the privacy of its users. This paper presents an empirical study delving into the GitHub ecosystem. Our focus is on investigating the utilization of privacy settings on the platform and identifying various types of sensitive information disclosed by users. Leveraging a dataset comprising 6,132 developers, we report and analyze their activities by means of comments on pull requests. Our findings indicate an active engagement by users with the available privacy settings on GitHub. Notably, we observe the disclosure of different forms of private information within pull request comments. This observation has prompted our exploration into sensitivity detection using a large language model and BERT, to pave the way for a personalized privacy assistant. Our work provides insights into the utilization of existing privacy protection tools, such as privacy settings, along with their inherent limitations. Essentially, we aim to advance research in this field by providing both the motivation for creating such privacy protection tools and a proposed methodology for personalizing them.

Cryptography and Security,Software Engineering

Qingyuan Gong,Yushan Liu,Jiayun Zhang,Yang Chen,Qi Li,Yu Xiao,Xin Wang,Pan Hui

DOI: https://doi.org/10.1109/tkde.2023.3237838

IF: 9.235

2023-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Online developer communities like GitHub allow a massive number of developers to collaborate. However, the openness of the communities makes them vulnerable to different types of malicious attacks, since attackers can easily join these communities and interact with legitimate users. In this work, we propose GitSec, a deep learning-based solution for detecting malicious accounts in online developer communities. GitSec distinguishes malicious accounts from legitimate ones based on the account profiles, dynamic activity characteristics, as well as social interactions. First, GitSec introduces two user activity sequences and applies a parallel neural network design with an attention mechanism to process the sequences. Second, GitSec constructs two graphs to represent the interactions between users according to their repository operations. Especially, graph neural networks and structural hole theory are employed to deal with the two constructed graphs. Third, GitSec makes use of the descriptive features to enhance the detection performance. The final judgement is made by a decision maker implemented by a supervised machine learning-based classifier. Based on the real-world data of GitHub users, our comprehensive evaluations show that GitSec achieves a better performance than state-of-the-art solutions, with an AUC value of 0.916.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Shahriar Yazdipour

DOI: https://doi.org/10.48550/arXiv.2005.13448

2020-05-28

Abstract:This research study was conducted to illustrate how it is easily possible to get data access to disabled or blocked repositories in Github using GraphQL. There are situations in which you can lose access to your Github repositories; When you use the paid version of Github services and do not pay the monthly payment or another situation is that when you use Github from the countries in the United States sanction list. Having an insecure repository with malicious usages can also put your repository in Github blacklist. In all of these situations, Github will block and disable your repository and you will lose access to your files, codes and project assets. Here, we will discuss the procedure of how an Ethical Hacker can gain access to all those blocked data with GraphQL functionality.

Cryptography and Security,Networking and Internet Architecture

Hrushikesh Chunduri,P. Mohan Anand,Sandeep K Shukla,P.V. Sai Charan

DOI: https://doi.org/10.48550/arXiv.2305.15336

2023-05-24

Cryptography and Security

Abstract:This research article critically examines the potential risks and implications arising from the malicious utilization of large language models(LLM), focusing specifically on ChatGPT and Google's Bard. Although these large language models have numerous beneficial applications, the misuse of this technology by cybercriminals for creating offensive payloads and tools is a significant concern. In this study, we systematically generated implementable code for the top-10 MITRE Techniques prevalent in 2022, utilizing ChatGPT, and conduct a comparative analysis of its performance with Google's Bard. Our experimentation reveals that ChatGPT has the potential to enable attackers to accelerate the operation of more targeted and sophisticated attacks. Additionally, the technology provides amateur attackers with more capabilities to perform a wide range of attacks and empowers script kiddies to develop customized tools that contribute to the acceleration of cybercrime. Furthermore, LLMs significantly benefits malware authors, particularly ransomware gangs, in generating sophisticated variants of wiper and ransomware attacks with ease. On a positive note, our study also highlights how offensive security researchers and pentesters can make use of LLMs to simulate realistic attack scenarios, identify potential vulnerabilities, and better protect organizations. Overall, we conclude by emphasizing the need for increased vigilance in mitigating the risks associated with LLMs. This includes implementing robust security measures, increasing awareness and education around the potential risks of this technology, and collaborating with security experts to stay ahead of emerging threats.

Yi Wen,Xingshu Chen,Xuemei Zeng,Wei Wang

DOI: https://doi.org/10.1038/s41598-020-63191-5

2020-04-29

Abstract:E-mail has become the main carrier of spreading malicious software and been widely used for phishing, even high-level persistent threats. The e-mail accounts with high social reputation are primary targets to be attacked and utilized by attackers, suffering a lot of probing attacks for a long time. In this paper, in order to understand the probing pattern of the e-mail account attacks, we analyse the log of email account probing captured in the campus network based on graph mining. By analysing characteristics of the dataset in different dimensions, we find a kind of e-mail account probing attack and give it a new definition. Based on the analysis results, its probing pattern is figured out. From the point of probing groups and individuals, we find definitely opposite characteristics of the attack. Owing to the probing pattern and its characteristics, attacks can escape from the detection of security devices, which has a harmful effect on e-mail users and administrators. The analysis results of this paper provide support for the detection and defence of such distributed attacks.

Md Omar Faruk Rokon,Risul Islam,Ahmad Darki,Vagelis E. Papalexakis,Michalis Faloutsos

DOI: https://doi.org/10.48550/arXiv.2005.14311

2020-05-29

Abstract:Where can we find malware source code? This question is motivated by a real need: there is a dearth of malware source code, which impedes various types of security research. Our work is driven by the following insight: public archives, like GitHub, have a surprising number of malware repositories. Capitalizing on this opportunity, we propose, SourceFinder, a supervised-learning approach to identify repositories of malware source code efficiently. We evaluate and apply our approach using 97K repositories from GitHub. First, we show that our approach identifies malware repositories with 89% precision and 86% recall using a labeled dataset. Second, we use SourceFinder to identify 7504 malware source code repositories, which arguably constitutes the largest malware source code database. Finally, we study the fundamental properties and trends of the malware repositories and their authors. The number of such repositories appears to be growing by an order of magnitude every 4 years, and 18 malware authors seem to be "professionals" with well-established online reputation. We argue that our approach and our large repository of malware source code can be a catalyst for research studies, which are currently not possible.

Cryptography and Security

Nuthan Munaiah,Steven Kroh,Craig Cabrey,Meiyappan Nagappan

DOI: https://doi.org/10.1007/s10664-017-9512-6

IF: 3.762

2017-04-18

Empirical Software Engineering

Abstract:Software forges like GitHub host millions of repositories. Software engineering researchers have been able to take advantage of such a large corpora of potential study subjects with the help of tools like GHTorrent and Boa. However, the simplicity in querying comes with a caveat: there are limited means of separating the signal (e.g. repositories containing engineered software projects) from the noise (e.g. repositories containing home work assignments). The proportion of noise in a random sample of repositories could skew the study and may lead to researchers reaching unrealistic, potentially inaccurate, conclusions. We argue that it is imperative to have the ability to sieve out the noise in such large repository forges. We propose a framework, and present a reference implementation of the framework as a tool called reaper, to enable researchers to select GitHub repositories that contain evidence of an engineered software project. We identify software engineering practices (called dimensions) and propose means for validating their existence in a GitHub repository. We used reaper to measure the dimensions of 1,857,423 GitHub repositories. We then used manually classified data sets of repositories to train classifiers capable of predicting if a given GitHub repository contains an engineered software project. The performance of the classifiers was evaluated using a set of 200 repositories with known ground truth classification. We also compared the performance of the classifiers to other approaches to classification (e.g. number of GitHub Stargazers) and found our classifiers to outperform existing approaches. We found stargazers-based classifier (with 10 as the threshold for number of stargazers) to exhibit high precision (97%) but an inversely proportional recall (32%). On the other hand, our best classifier exhibited a high precision (82%) and a high recall (86%). The stargazer-based criteria offers precision but fails to recall a significant portion of the population.

computer science, software engineering

Michael Specter,Sunoo Park,Matthew Green

DOI: https://doi.org/10.48550/arXiv.1904.06425

2019-04-13

Abstract:Email breaches are commonplace, and they expose a wealth of personal, business, and political data that may have devastating consequences. The current email system allows any attacker who gains access to your email to prove the authenticity of the stolen messages to third parties -- a property arising from a necessary anti-spam / anti-spoofing protocol called DKIM. This exacerbates the problem of email breaches by greatly increasing the potential for attackers to damage the users' reputation, blackmail them, or sell the stolen information to third parties. In this paper, we introduce "non-attributable email", which guarantees that a wide class of adversaries are unable to convince any third party of the authenticity of stolen emails. We formally define non-attributability, and present two practical system proposals -- KeyForge and TimeForge -- that provably achieve non-attributability while maintaining the important protection against spam and spoofing that is currently provided by DKIM. Moreover, we implement KeyForge and demonstrate that that scheme is practical, achieving competitive verification and signing speed while also requiring 42% less bandwidth per email than RSA2048.

Cryptography and Security,Computers and Society,Networking and Internet Architecture

Yupei Liu,Yuqi Jia,Jinyuan Jia,Neil Zhenqiang Gong

2024-08-14

Abstract:Automatically extracting personal information--such as name, phone number, and email address--from publicly available profiles at a large scale is a stepstone to many other security attacks including spear phishing. Traditional methods--such as regular expression, keyword search, and entity detection--achieve limited success at such personal information extraction. In this work, we perform a systematic measurement study to benchmark large language model (LLM) based personal information extraction and countermeasures. Towards this goal, we present a framework for LLM-based extraction attacks; collect three datasets including a synthetic dataset generated by GPT-4 and two real-world datasets with manually labeled 8 categories of personal information; introduce a novel mitigation strategy based on \emph{prompt injection}; and systematically benchmark LLM-based attacks and countermeasures using 10 LLMs and our 3 datasets. Our key findings include: LLM can be misused by attackers to accurately extract various personal information from personal profiles; LLM outperforms conventional methods at such extraction; and prompt injection can mitigate such risk to a large extent and outperforms conventional countermeasures. Our code and data are available at: \url{<a class="link-external link-https" href="https://github.com/liu00222/LLM-Based-Personal-Profile-Extraction" rel="external noopener nofollow">this https URL</a>}.

Cryptography and Security

Kamel Alrashedy,Ahmed Binjahlan

2024-04-05

Abstract:Millions of developers share their code on open-source platforms like GitHub, which offer social coding opportunities such as distributed collaboration and popularity-based ranking. Software engineering researchers have joined in as well, hosting their research artifacts (tools, replication package & datasets) in repositories, an action often marked as part of the publications contribution. Yet a decade after the first such paper-with-GitHub-link, little is known about the fate of such repositories in practice. Do research repositories ever gain the interest of the developer community, or other researchers? If so, how often and why (not)? Does effort invested on GitHub pay off with research impact? In short: we ask whether and how authors engage in social coding related to their research. We conduct a broad empirical investigation of repositories from published work, starting with ten thousand papers in top SE research venues, hand-annotating their 3449 GitHub (and Zenodo) links, and studying 309 paper-related repositories in detail. We find a wide distribution in popularity and impact, some strongly correlated with publication venue. These were often heavily informed by the authors investment in terms of timely responsiveness and upkeep, which was often remarkably subpar by GitHubs standards, if not absent altogether. Yet we also offer hope: popular repositories often go hand-in-hand with well-citepd papers and achieve broad impact. Our findings suggest the need to rethink the research incentives and reward structure around research products requiring such sustained contributions.

Software Engineering

Kaiwen Shen,Chuhan Wang,Minglei Guo,Xiaofeng Zheng,Chaoyi Lu,Baojun Liu,Yuxuan Zhao,Shuang Hao,Haixin Duan,Qingfeng Pan,Min Yang

DOI: https://doi.org/10.48550/arXiv.2011.08420

2020-11-17

Abstract:As a fundamental communicative service, email is playing an important role in both individual and corporate communications, which also makes it one of the most frequently attack vectors. An email's authenticity is based on an authentication chain involving multiple protocols, roles and services, the inconsistency among which creates security threats. Thus, it depends on the weakest link of the chain, as any failed part can break the whole chain-based defense. This paper systematically analyzes the transmission of an email and identifies a series of new attacks capable of bypassing SPF, DKIM, DMARC and user-interface protections. In particular, by conducting a "cocktail" joint attack, more realistic emails can be forged to penetrate the celebrated email services, such as Gmail and Outlook. We conduct a large-scale experiment on 30 popular email services and 23 email clients, and find that all of them are vulnerable to certain types of new attacks. We have duly reported the identified vulnerabilities to the related email service providers, and received positive responses from 11 of them, including Gmail, Yahoo, iCloud and Alibaba. Furthermore, we propose key mitigating measures to defend against the new attacks. Therefore, this work is of great value for identifying email spoofing attacks and improving the email ecosystem's overall security.

Cryptography and Security

Nikolaos Lykousas,Constantinos Patsakis

2023-07-03

Abstract:Typical users are known to use and reuse weak passwords. Yet, as cybersecurity concerns continue to rise, understanding the password practices of software developers becomes increasingly important. In this work, we examine developers' passwords on public repositories. Our dedicated crawler collected millions of passwords from public GitHub repositories; however, our focus is on their unique characteristics. To this end, this is the first study investigating the developer traits in password selection across different programming languages and contexts, e.g. email and database. Despite the fact that developers may have carelessly leaked their code on public repositories, our findings indicate that they tend to use significantly more secure passwords, regardless of the underlying programming language and context. Nevertheless, when the context allows, they often resort to similar password selection criteria as typical users. The public availability of such information in a cleartext format indicates that there is still much room for improvement and that further targeted awareness campaigns are necessary.

Software Engineering,Cryptography and Security

Zahin Wahab,Sadif Ahmed,Md Nafiu Rahman,Rifat Shahriyar,Gias Uddin

2024-10-31

Abstract:In the digital age, the exposure of sensitive information poses a significant threat to security. Leveraging the ubiquitous nature of code-sharing platforms like GitHub and BitBucket, developers often accidentally disclose credentials and API keys, granting unauthorized access to critical systems. Despite the availability of tools for detecting such breaches in source code, detecting secret breaches in software issue reports remains largely unexplored. This paper presents a novel technique for secret breach detection in software issue reports using a combination of language models and state-of-the-art regular expressions. We highlight the challenges posed by noise, such as log files, URLs, commit IDs, stack traces, and dummy passwords, which complicate the detection process. By employing relevant pre-processing techniques and leveraging the capabilities of advanced language models, we aim to mitigate potential breaches effectively. Drawing insights from existing research on secret detection tools and methodologies, we propose an approach combining the strengths of state-of-the-art regexes with the contextual understanding of language models. Our method aims to reduce false positives and improve the accuracy of secret breach detection in software issue reports. We have curated a benchmark dataset of 25000 instances with only 437 true positives. Although the data is highly skewed, our model performs well with a 0.6347 F1-score, whereas state-of-the-art regular expression hardly manages to get a 0.0341 F1-Score with a poor precision score. We have also developed a secret breach mitigator tool for GitHub, which will warn the user if there is any secret in the posted issue report. By addressing this critical gap in contemporary research, our work aims at enhancing the overall security posture of software development practices.

Software Engineering

Can Cheng,Bing Li,Zengyang Li,Peng Liang

DOI: https://doi.org/10.18293/seke2018-085

2018-01-01

Abstract:Hosting over 10 million of software projects, GitHub is one of the most important data sources to study behavior of developers and software projects. However, with the increase of the size of open source datasets, the potential threats to mining these datasets have also grown. As the dataset grows, it becomes gradually unrealistic for human to confirm quality of all samples. Some studies have investigated this problem and provided solutions to avoid threats in sample selection, but some of these solutions (e.g., finding development projects) require human intervention. When the amount of data to be processed increases, these semi-automatic solutions become less useful since the effort in need for human intervention is far beyond affordable. To solve this problem, we investigated the GHTorrent dataset and proposed a method to detect public development projects. The results show that our method can effectively improve the sample selection process in two ways: (1) We provide a simple model to automatically select samples (with 0.827 precision and 0.947 recall); (2) We also offer a complex model to help researchers carefully screen samples (with 63.2 precision and 0.959 recall).