David Knothe,Frederick Pietschmann

DOI: https://doi.org/10.48550/arXiv.1908.05354

2019-08-20

Abstract:When working with Git, a popular version-control system, email addresses are part of the metadata for each individual commit. When those commits are pushed to remote hosting services like GitHub, those email addresses become visible not only to fellow developers, but also to malicious actors aiming to exploit them. As a part of our research we created a tool that leverages the publicly available GitHub API to collect user data. Analysis of this data not only gives access to millions of email addresses in very little time, but is also powerful and dense enough to create targeted phishing attacks posing a great threat to all GitHub users and their private, potentially sensitive data. Even worse, existing countermeasures fail to effectively protect against such exploits. As a consequence and main conclusion of this paper, we suggest multiple preventive measures that should be implemented as soon as possible. We also consider it the duty of both companies like GitHub and well informed software engineers to inform fellow developers about the risk of exposing private email addresses in Git commits published publicly.

Cryptography and Security

Soufian El Yadmani,Robin The,Olga Gadyatskaya

DOI: https://doi.org/10.48550/arXiv.2210.08374

2023-06-07

Abstract:Exploit proof-of-concepts (PoCs) for known vulnerabilities are widely shared in the security community. They help security analysts to learn from each other and they facilitate security assessments and red teaming tasks. In the recent years, PoCs have been widely distributed, e.g., via dedicated websites and platforms, and public code repositories such as GitHub. However, there is no guarantee that PoCs in public code repositories come from trustworthy sources or even that they do what they are supposed to do. In this work we investigate GitHub-hosted PoCs for known vulnerabilities discovered in 2017--2021. We discovered that not all PoCs are trustworthy. Some proof-of-concepts are malicious, e.g., they attempt to exfiltrate data from the system they are being run on, or they try to install malware on this system, and in some cases they have hard-coded reverse shell listener. To measure the prevalence of this threat, we propose an approach to detecting malicious PoCs. Our approach relies on the maliciousness symptoms we have observed in our PoC dataset: calls to malicious IP addresses, encoded malicious code, and included Trojanized binaries. With this approach, we have discovered 899 malicious repositories out of 47,285 repositories that have been downloaded and checked (i.e., 1.9% of the studied repositories have indicators of malicious intent). This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.

Cryptography and Security

Md Rayhanul Masud,Michalis Faloutsos

2024-03-07

Abstract:Are malicious repositories hiding under the educational label in GitHub? Recent studies have identified collections of GitHub repositories hosting malware source code with notable collaboration among the developers. Thus, analyzing GitHub repositories deserves inevitable attention due to its open-source nature providing easy access to malicious software code and artifacts. Here we leverage the capabilities of ChatGPT in a qualitative study to annotate an educational GitHub repository based on maliciousness of its metadata contents. Our contribution is twofold. First, we demonstrate the employment of ChatGPT to understand and annotate the content published in software repositories. Second, we provide evidence of hidden risk in educational repositories contributing to the opportunities of potential threats and malicious intents. We carry out a systematic study on a collection of 35.2K GitHub repositories claimed to be created for educational purposes only. First, our study finds an increasing trend in the number of such repositories published every year. Second, 9294 of them are labeled by ChatGPT as malicious, and further categorization of the malicious ones detects 14 different malware families including DDoS, keylogger, ransomware and so on. Overall, this exploratory study flags a wake-up call for the community for better understanding and analysis of software platforms.

Software Engineering,Cryptography and Security

Youmei Fan,Ani Hovhannisyan,Hideaki Hata,Christoph Treude,Raula Gaikovina Kula

2024-04-08

Abstract:The GitHub platform has fueled the creation of truly global software, enabling contributions from developers across various geographical regions of the world. As software becomes more entwined with global politics and social regulations, it becomes similarly subject to government sanctions. In 2019, GitHub restricted access to certain services for users in specific locations but rolled back these restrictions for some communities (e.g., the Iranian community) in 2021. We conducted a large-scale empirical study, collecting approximately 156 thousand user profiles and their 41 million activity points from 2008 to 2022, to understand the response of developers. Our results indicate that many of these targeted developers were able to navigate through the sanctions. Furthermore, once these sanctions were lifted, these developers opted to return to GitHub instead of withdrawing their contributions to the platform. The study indicates that platforms like GitHub play key roles in sustaining global contributions to Open Source Software.

Software Engineering

Alexandros Tsakpinis,Alexander Pretschner

DOI: https://doi.org/10.1145/3661167.3661231

2024-04-26

Abstract:Industrial applications heavily rely on open-source software (OSS) libraries, which provide various benefits. But, they can also present a substantial risk if a vulnerability or attack arises and the community fails to promptly address the issue and release a fix due to inactivity. To be able to monitor the activities of such communities, a comprehensive list of repositories for the libraries of an ecosystem must be accessible. Based on these repositories, integrated libraries of an application can be monitored to observe whether they are adequately maintained. In this descriptive study, we analyze the accessibility of GitHub repositories for PyPI and NPM libraries. For all available libraries, we extract assigned repository URLs, direct dependencies and use the page rank algorithm to comprehensively analyze the ecosystems from a library and dependency chain perspective. For invalid repository URLs, we derive potential reasons. Both ecosystems show varying accessibility to GitHub repository URLs, depending on the page rank score of the analyzed libraries. For individual libraries, up to 73.8% of PyPI and up to 69.4% of NPM libraries have repository URLs. Within dependency chains, up to 80.1% of PyPI libraries have URLs, while up to 81.1% for NPM. That means, most libraries, especially the ones of increasing importance, can be monitored on GitHub. Among the most common reasons for invalid repository URLs is no URLs being assigned at all, which amounts up to 17.9% for PyPI and up to 39.6% for NPM. Package maintainers should address this issue and update the repository information to enable monitoring of their libraries.

Software Engineering

Erik Wittern,Alan Cha,James C. Davis,Guillaume Baudart,Louis Mandel

DOI: https://doi.org/10.48550/arXiv.1907.13012

2019-07-30

Abstract:GraphQL is a query language for APIs and a runtime to execute queries. Using GraphQL queries, clients define precisely what data they wish to retrieve or mutate on a server, leading to fewer round trips and reduced response sizes. Although interest in GraphQL is on the rise, with increasing adoption at major organizations, little is known about what GraphQL interfaces look like in practice. This lack of knowledge makes it hard for providers to understand what practices promote idiomatic, easy-to-use APIs, and what pitfalls to avoid. To address this gap, we study the design of GraphQL interfaces in practice by analyzing their schemas - the descriptions of their exposed data types and the possible operations on the underlying data. We base our study on two novel corpuses of GraphQL schemas, one of 16 commercial GraphQL schemas and the other of 8,399 GraphQL schemas mined from GitHub projects. We make both corpuses available to other researchers. Using these corpuses, we characterize the size of schemas and their use of GraphQL features and assess the use of both prescribed and organic naming conventions. We also report that a majority of APIs are susceptible to denial of service through complex queries, posing real security risks previously discussed only in theory. We also assess ways in which GraphQL APIs attempt to address these concerns.

Software Engineering

Saleh Amareen,Obed Soto Dector,Ali Dado,Amiangshu Bosu

2024-08-16

Abstract:GraphQL is a query language and web application programming interface (API) for client-server architecture. Its advantages include type-safe queries, which allow clients to retrieve the data they require precisely in a single request. As organizations adopt GraphQL for API implementations, it is imperative to understand its challenges and the software community's interests. To achieve this goal, we conducted a five-step mixed-method empirical analysis of 45K StackOverflow questions and answers on GraphQL. In the first step, we derive a reference architecture for the GraphQL ecosystem with five key layers. Second, we used topic modeling based on Latent Dirichlet Allocation (LDA) to automatically identify 14 topics and 47 subtopics. Third, we mapped discussion topics to architecture layers. Fourth, we manually investigate questions on each topic and subtopics to provide additional insight to the GraphQL stakeholders. Finally, we study topic difficulty, popularity, trends, and tradeoffs to provide insights into evolving community interests and challenges. Our results indicate that Client and Server are the top two architectural layers attracting discussion on SO. While earlier discussions on SO focused on building third-party applications consuming GraphQL APIs (i.e., API Integration) released by large organizations, recent trends suggest more organizations implementing APIs using GraphQL servers. Due to difficulty and lack of well-defined solutions, security remains a difficult and low-interest area. However, such a practice can lead to vulnerable APIs.

Software Engineering

Anthony Cintron Roman,Kevin Xu,Arfon Smith,Jehu Torres Vega,Caleb Robinson,Juan M Lavista Ferres

DOI: https://doi.org/10.48550/arXiv.2306.06191

2023-06-10

Abstract:GitHub is the world's largest platform for collaborative software development, with over 100 million users. GitHub is also used extensively for open data collaboration, hosting more than 800 million open data files, totaling 142 terabytes of data. This study highlights the potential of open data on GitHub and demonstrates how it can accelerate AI research. We analyze the existing landscape of open data on GitHub and the patterns of how users share datasets. Our findings show that GitHub is one of the largest hosts of open data in the world and has experienced an accelerated growth of open data assets over the past four years. By examining the open data landscape on GitHub, we aim to empower users and organizations to leverage existing open datasets and improve their discoverability -- ultimately contributing to the ongoing AI revolution to help address complex societal issues. We release the three datasets that we have collected to support this analysis as open datasets at <a class="link-external link-https" href="https://github.com/github/open-data-on-github" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Information Retrieval

Nicolás E. Díaz Ferreyra,Abdessamad Imine,Melina Vidoni,Riccardo Scandariato

2023-03-03

Abstract:Social Coding Platforms (SCPs) like GitHub have become central to modern software engineering thanks to their collaborative and version-control features. Like in mainstream Online Social Networks (OSNs) such as Facebook, users of SCPs are subjected to privacy attacks and threats given the high amounts of personal and project-related data available in their profiles and software repositories. However, unlike in OSNs, the privacy concerns and practices of SCP users have not been extensively explored nor documented in the current literature. In this work, we present the preliminary results of an online survey (N=105) addressing developers' concerns and perceptions about privacy threats steaming from SCPs. Our results suggest that, although users express concern about social and organisational privacy threats, they often feel safe sharing personal and project-related information on these platforms. Moreover, attacks targeting the inference of sensitive attributes are considered more likely than those seeking to re-identify source-code contributors. Based on these findings, we propose a set of recommendations for future investigations addressing privacy and identity management in SCPs.

Software Engineering,Human-Computer Interaction,Social and Information Networks

Mohammadreza Hazhirpasand,Mohammad Ghafari

DOI: https://doi.org/10.48550/arXiv.2111.03859

2021-11-06

Abstract:Previous studies have shown that cryptography is hard for developers to use and misusing cryptography leads to severe security vulnerabilities. We studied relevant vulnerability reports on the HackerOne bug bounty platform to understand what types of cryptography vulnerabilities exist in the wild. We extracted eight themes of vulnerabilities from the vulnerability reports and discussed their real-world implications and mitigation strategies. We hope that our findings alert developers, familiarize them with the dire consequences of cryptography misuses, and support them in avoiding such mistakes.

Cryptography and Security

Bernd Prünster,Alexander Marsalek,Thomas Zefferer

DOI: https://doi.org/10.48550/arXiv.2011.00874

2020-11-02

Abstract:Peer-to-peer networks are an attractive alternative to classical client-server architectures in several fields of application such as voice-over-IP telephony and file sharing. Recently, a new peer-to-peer solution called the InterPlanetary File System (IPFS) has attracted attention, which promises to re-decentralise the Web. Being increasingly used as a stand-alone application, IPFS has also emerged as the technical backbone of various other decentralised solutions and was even used to evade censorship. Decentralised applications serving millions of users rely on IPFS as one of their crucial building blocks. This popularity makes IPFS attractive for large-scale attacks. We have identified a conceptual issue in one of IPFS's core libraries and demonstrate their exploitation by means of a successful end-to-end attack. We evaluated this attack against the IPFS reference implementation on the public IPFS network, which is used by the average user to share and consume IPFS content. Results obtained from mounting this attack on live IPFS nodes show that arbitrary IPFS nodes can be eclipsed, i.e. isolated from the network, with moderate effort and limited resources. Compared to similar works, we show that our attack scales linearly even beyond current network sizes and can disrupt the entire public IPFS network with alarmingly low effort. The vulnerability set described in this paper has been assigned CVE-2020-10937. Responsible disclosure procedures are currently being carried out and have led to mitigations being deployed, with additional fixes to be rolled out in future releases.

Cryptography and Security

Cédric Lauradoux

DOI: https://doi.org/10.48550/arXiv.2203.02068

2022-03-04

Abstract:The right to access is a great tool provided by the GDPR to empower data subjects with their data. However, it needs to be implemented properly otherwise it could turn subject access requests against the subjects privacy. Indeed, recent works have shown that it is possible to abuse the right to access using impersonation attacks. We propose to extend those impersonation attacks by considering that the adversary has an access to governmental resources. In this case, the adversary can forge official documents or exploit copy of them. Our attack affects more people than one may expect. To defeat the attacks from this kind of adversary, several solutions are available like multi-factors or proof of aliveness. Our attacks highlight the need for strong procedures to authenticate subject access requests.

Cryptography and Security

Igor Sfiligoi,Daniel McDonald,Rob Knight,Frank Würthwein

DOI: https://doi.org/10.1145/3569951.3597586

2023-05-18

Abstract:GitHub is a popular repository for hosting software projects, both due to ease of use and the seamless integration with its testing environment. Native GitHub Actions make it easy for software developers to validate new commits and have confidence that new code does not introduce major bugs. The freely available test environments are limited to only a few popular setups but can be extended with custom Action Runners. Our team had access to a Kubernetes cluster with GPU accelerators, so we explored the feasibility of automatically deploying GPU-providing runners there. All available Kubernetes-based setups, however, require cluster-admin level privileges. To address this problem, we developed a simple custom setup that operates in a completely unprivileged manner. In this paper we provide a summary description of the setup and our experience using it in the context of two Knight lab projects on the Prototype National Research Platform system.

Software Engineering

Costanza Alfieri,Juri Di Rocco,Paola Inverardi,Phuong T. Nguyen

2024-09-10

Abstract:GitHub provides developers with a practical way to distribute source code and collaboratively work on common projects. To enhance account security and privacy, GitHub allows its users to manage access permissions, review audit logs, and enable two-factor authentication. However, despite the endless effort, the platform still faces various issues related to the privacy of its users. This paper presents an empirical study delving into the GitHub ecosystem. Our focus is on investigating the utilization of privacy settings on the platform and identifying various types of sensitive information disclosed by users. Leveraging a dataset comprising 6,132 developers, we report and analyze their activities by means of comments on pull requests. Our findings indicate an active engagement by users with the available privacy settings on GitHub. Notably, we observe the disclosure of different forms of private information within pull request comments. This observation has prompted our exploration into sensitivity detection using a large language model and BERT, to pave the way for a personalized privacy assistant. Our work provides insights into the utilization of existing privacy protection tools, such as privacy settings, along with their inherent limitations. Essentially, we aim to advance research in this field by providing both the motivation for creating such privacy protection tools and a proposed methodology for personalizing them.

Cryptography and Security,Software Engineering

Alexander Krause,Jan H. Klemmer,Nicolas Huaman,Dominik Wermke,Yasemin Acar,Sascha Fahl

DOI: https://doi.org/10.48550/arXiv.2211.06213

2022-11-14

Abstract:Version control systems for source code, such as Git, are key tools in modern software development environments. Many developers use online services, such as GitHub or GitLab, for collaborative software development. While software projects often require code secrets to work, such as API keys or passwords, they need to be handled securely within the project. Previous research and news articles have illustrated that developers are blameworthy of committing code secrets, such as private encryption keys, passwords, or API keys, accidentally to public source code repositories. However, making secrets publicly available might have disastrous consequences, such as leaving systems vulnerable to attacks. In a mixed-methods study, we surveyed 109 developers and conducted 14 in-depth semi-structured interviews with developers which experienced secret leakage in the past. We find that 30.3% of our participants have encountered secret leakage in the past, and that developers are facing several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, e. g., estimating risks of leaked secrets, and needs of developers in remediating and preventing code secret leaks, e. g., low adoption requirements. We also give recommendations for developers and source code platform providers to reduce the risk of secret leakage.

Cryptography and Security

Yue Liu,Chakkrit Tantithamthavorn,Li Li

2024-12-01

Abstract:Recent years have witnessed the emerging trend of extensions in modern Integrated Development Environments (IDEs) like Visual Studio Code (VSCode) that significantly enhance developer productivity. Especially, popular AI coding assistants like GitHub Copilot and Tabnine provide conveniences like automated code completion and debugging. While these extensions offer numerous benefits, they may introduce privacy and security concerns to software developers. However, there is no existing work that systematically analyzes the security and privacy concerns, including the risks of data exposure in VSCode extensions. In this paper, we investigate on the security issues of cross-extension interactions in VSCode and shed light on the vulnerabilities caused by data exposure among different extensions. Our study uncovers high-impact security flaws that could allow adversaries to stealthily acquire or manipulate credential-related data (e.g., passwords, API keys, access tokens) from other extensions if not properly handled by extension vendors. To measure their prevalence, we design a novel automated risk detection framework that leverages program analysis and natural language processing techniques to automatically identify potential risks in VSCode extensions. By applying our tool to 27,261 real-world VSCode extensions, we discover that 8.5\% of them (i.e., 2,325 extensions) are exposed to credential-related data leakage through various vectors, such as commands, user input, and configurations. Our study sheds light on the security challenges and flaws of the extension-in-IDE paradigm and provides suggestions and recommendations for improving the security of VSCode extensions and mitigating the risks of data exposure.

Cryptography and Security,Artificial Intelligence,Software Engineering

Xin Jin,Charalampos Katsis,Fan Sang,Jiahao Sun,Elisa Bertino,Ramana Rao Kompella,Ashish Kundu

2024-05-01

Abstract:The rampant occurrence of cybersecurity breaches imposes substantial limitations on the progress of network infrastructures, leading to compromised data, financial losses, potential harm to individuals, and disruptions in essential services. The current security landscape demands the urgent development of a holistic security assessment solution that encompasses vulnerability analysis and investigates the potential exploitation of these vulnerabilities as attack paths. In this paper, we propose Graphene, an advanced system designed to provide a detailed analysis of the security posture of computing infrastructures. Using user-provided information, such as device details and software versions, Graphene performs a comprehensive security assessment. This assessment includes identifying associated vulnerabilities and constructing potential attack graphs that adversaries can exploit. Furthermore, Graphene evaluates the exploitability of these attack paths and quantifies the overall security posture through a scoring mechanism. The system takes a holistic approach by analyzing security layers encompassing hardware, system, network, and cryptography. Furthermore, Graphene delves into the interconnections between these layers, exploring how vulnerabilities in one layer can be leveraged to exploit vulnerabilities in others. In this paper, we present the end-to-end pipeline implemented in Graphene, showcasing the systematic approach adopted for conducting this thorough security analysis.

Cryptography and Security,Computation and Language,Machine Learning

Srivatsan Sridhar,Onur Ascigil,Navin Keizer,François Genon,Sébastien Pierre,Yiannis Psaras,Etienne Rivière,Michał Król

2023-12-05

Abstract:The InterPlanetary File System (IPFS) is currently the largest decentralized storage solution in operation, with thousands of active participants and millions of daily content transfers. IPFS is used as remote data storage for numerous blockchain-based smart contracts, Non-Fungible Tokens (NFT), and decentralized applications. We present a content censorship attack that can be executed with minimal effort and cost, and that prevents the retrieval of any chosen content in the IPFS network. The attack exploits a conceptual issue in a core component of IPFS, the Kademlia Distributed Hash Table (DHT), which is used to resolve content IDs to peer addresses. We provide efficient detection and mitigation mechanisms for this vulnerability. Our mechanisms achieve a 99.6\% detection rate and mitigate 100\% of the detected attacks with minimal signaling and computational overhead. We followed responsible disclosure procedures, and our countermeasures are scheduled for deployment in the future versions of IPFS.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Stav Cohen,Ron Bitton,Ben Nassi

2024-09-12

Abstract:In this paper, we show that with the ability to jailbreak a GenAI model, attackers can escalate the outcome of attacks against RAG-based GenAI-powered applications in severity and scale. In the first part of the paper, we show that attackers can escalate RAG membership inference attacks and RAG entity extraction attacks to RAG documents extraction attacks, forcing a more severe outcome compared to existing attacks. We evaluate the results obtained from three extraction methods, the influence of the type and the size of five embeddings algorithms employed, the size of the provided context, and the GenAI engine. We show that attackers can extract 80%-99.8% of the data stored in the database used by the RAG of a Q&A chatbot. In the second part of the paper, we show that attackers can escalate the scale of RAG data poisoning attacks from compromising a single GenAI-powered application to compromising the entire GenAI ecosystem, forcing a greater scale of damage. This is done by crafting an adversarial self-replicating prompt that triggers a chain reaction of a computer worm within the ecosystem and forces each affected application to perform a malicious activity and compromise the RAG of additional applications. We evaluate the performance of the worm in creating a chain of confidential data extraction about users within a GenAI ecosystem of GenAI-powered email assistants and analyze how the performance of the worm is affected by the size of the context, the adversarial self-replicating prompt used, the type and size of the embeddings algorithm employed, and the number of hops in the propagation. Finally, we review and analyze guardrails to protect RAG-based inference and discuss the tradeoffs.

Cryptography and Security,Artificial Intelligence

Qingyuan Gong,Yushan Liu,Jiayun Zhang,Yang Chen,Qi Li,Yu Xiao,Xin Wang,Pan Hui

DOI: https://doi.org/10.1109/tkde.2023.3237838

IF: 9.235

2023-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Online developer communities like GitHub allow a massive number of developers to collaborate. However, the openness of the communities makes them vulnerable to different types of malicious attacks, since attackers can easily join these communities and interact with legitimate users. In this work, we propose GitSec, a deep learning-based solution for detecting malicious accounts in online developer communities. GitSec distinguishes malicious accounts from legitimate ones based on the account profiles, dynamic activity characteristics, as well as social interactions. First, GitSec introduces two user activity sequences and applies a parallel neural network design with an attention mechanism to process the sequences. Second, GitSec constructs two graphs to represent the interactions between users according to their repository operations. Especially, graph neural networks and structural hole theory are employed to deal with the two constructed graphs. Third, GitSec makes use of the descriptive features to enhance the detection performance. The final judgement is made by a decision maker implemented by a supervised machine learning-based classifier. Based on the real-world data of GitHub users, our comprehensive evaluations show that GitSec achieves a better performance than state-of-the-art solutions, with an AUC value of 0.916.

computer science, information systems, artificial intelligence,engineering, electrical & electronic