Youmei Fan,Dong Wang,Supatsara Wattanakriengkrai,Hathaichanok Damrongsiri,Christoph Treude,Hideaki Hata,Raula Gaikovina Kula

2024-10-18

Abstract:There is growing concern about maintainers self-sabotaging their work in order to take political or economic stances, a practice referred to as "protestware". Our objective is to understand the discourse around discussions on such an attack, how it is received by the community, and whether developers respond to the attack in a timely manner. We study two notable protestware cases i.e., <a class="link-external link-http" href="http://colors.js" rel="external noopener nofollow">this http URL</a> and es5-ext. Results indicate that protestware discussions are spread more quickly on the GitHub platform, while security vulnerabilities are faster on social media. By establishing a taxonomy of protestware discussions, we identify posts that express stances and provide technical mitigation instructions. We applied a thematic analysis to 684 protestware related posts to identify five major themes during the discussions: i. disseminate and response, ii. stance, iii. reputation, iv. communicative styles, v. rights and ethics. This work sheds light on the nuanced landscape of protestware discussions, offering insights for both researchers and developers into maintaining a healthy balance between the political or social actions of developers and the collective well-being of the open-source community.

Software Engineering

Tanner Finken,Jesse Chen,Sazzadur Rahaman

2024-09-30

Abstract:Protests are public expressions of personal or collective discontent with the current state of affairs. Although traditional protests involve in-person events, the ubiquity of computers and software opened up a new avenue for activism: protestware. The roots of protestware date back to the early days of computing. However, recent events in the Russo-Ukrainian war has sparked a new wave of protestware. While news and media are heavily reporting on individual protestware as they are discovered, the understanding of such software as a whole is severely limited. In particular, we do not have a detailed understanding of their characteristics and their impact on the community. To address this gap, we first collect 32 samples of protestware. Then, with these samples, we formulate characteristics of protestware using inductive analysis. In addition, we analyze the aftermath of the protestware which has potential to affect the software supply chain in terms of community sentiment and usage. We report that: (1) protestware has three notable characteristics, namely, i) the "nature of inducing protest" is diverse, ii) the "nature of targeting users" is discriminatory, and iii) the "nature of transparency" is not always respected; (2) disruptive protestware may cause substantial adverse impact on downstream users; (3) developers of protestware may not shift their beliefs even with pushback; (4) the usage of protestware from JavaScript libraries has been seen to generally increase over time.

Software Engineering

Marc Cheong,Raula Gaikovina Kula,Christoph Treude

2024-01-05

Abstract:A key drawback to using a Open Source third-party library is the risk of introducing malicious attacks. In recently times, these threats have taken a new form, when maintainers turn their Open Source libraries into protestware. This is defined as software containing political messages delivered through these libraries, which can either be malicious or benign. Since developers are willing to freely open-up their software to these libraries, much trust and responsibility are placed on the maintainers to ensure that the library does what it promises to do. Using different frameworks commonly used in AI ethics, we illustrate how an open-source maintainer's decision to protest is influenced by different stakeholders (viz., their membership in the OSS community, their personal views, financial motivations, social status, and moral viewpoints), making protestware a multifaceted and intricate matter.

Computers and Society,Cryptography and Security,Software Engineering

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3663529.3663835

2024-01-01

Abstract:Today’s software industry heavily relies on open source software (OSS). However, the rapidly increasing number of OSS software vulnerabilities (SVs) poses huge security risks to the software supply chain. Managing the SVs in the relied OSS components has become a critical concern for software vendors. Due to the limited resources in practice, an essential focus for the vendors is to locate and prioritize the remediation of critical SVs (CSVs), i.e., those tend to cause huge losses. Particularly, in the software industry, vendors are obliged to comply with the security service level agreement (SLA), which mandates the fix of CSVs within a short time frame (e.g., 15 days). However, to the best of our knowledge, there is no empirical study that specifically investigates CSVs. The existing works only target at general SVs, missing a view of the unique characteristics of CSVs. In this paper, we investigate the distributions (from temporal, type, and repository dimension) and the current remediation practice of CSVs in the OSS ecosystem, especially their differences compared with non-critical SVs (NCSVs). We adopt the industry standard to refer SVs with a 9+ Common Vulnerability Scoring System (CVSS) score as CSVs and others as NCSVs. We collect a large-scale dataset containing 14,867 SVs and artifacts associated with their remediation (e.g., issue report, commit) across 4,462 GitHub repositories. Our findings regarding CSV distributions can help practitioners better locate these hot spots. Regarding the remediation practice, we observe that though CSVs receive higher priorities, some practices (e.g., complicated review and testing pro-cess) may unintentionally cause the delay to their fixes. We also point out the risks of SV information leakage during remediation process, which could leave a window-of-opportunity of over 30 days on median for zero-day attacks. Based on our findings, we provide implications to improve the current CSV remediation practice.

Yi Wen Heng,Zeyang Ma,Haoxiang Zhang,Zhenhao Li,Tse-Hsun,Chen

2024-11-12

Abstract:Reusing third-party libraries increases productivity and saves time and costs for developers. However, the downside is the presence of vulnerabilities in those libraries, which can lead to catastrophic outcomes. For instance, Apache Log4J was found to be vulnerable to remote code execution attacks. A total of more than 35,000 packages were forced to update their Log4J libraries with the latest version. Although several studies have been conducted to predict software vulnerabilities, the prediction does not cover the vulnerabilities found in third-party libraries. Even if the developers are aware of the forthcoming issue, replicating a function similar to the libraries would be time-consuming and labour-intensive. Nevertheless, it is practically reasonable for software developers to update their third-party libraries (and dependencies) whenever the software vendors have released a vulnerable-free version. In this work, our manual study focuses on the real-world practices (crowd reaction) adopted by software vendors and developer communities when a vulnerability is disclosed. We manually investigated 312 CVEs and identified that the primary trend of vulnerability handling is to provide a fix before publishing an announcement. Otherwise, developers wait an average of 10 days for a fix if it is unavailable upon the announcement. Additionally, the crowd reaction is oblivious to the vulnerability severity. In particular, we identified Oracle as the most vibrant community diligent in releasing fixes. Their software developers also actively participate in the associated vulnerability announcements.

Software Engineering

Shehan Edirimannage,Charitha Elvitigala,Asitha Kottahachchi Kankanamge Don,Wathsara Daluwatta,Primal Wijesekara,Ibrahim Khalil

2024-11-12

Abstract:With the wave of high-profile supply chain attacks targeting development and client organizations, supply chain security has recently become a focal point. As a result, there is an elevated discussion on securing the development environment and increasing the transparency of the third-party code that runs in software products to minimize any negative impact from third-party code in a software product. However, the literature on secure software development lacks insight into how the third-party development tools used by every developer affect the security posture of the developer, the development organization, and, eventually, the end product. To that end, we have analyzed 52,880 third-party VS Code extensions to understand their threat to the developer, the code, and the development organizations. We found that ~5.6\% of the analyzed extensions have suspicious behavior, jeopardizing the integrity of the development environment and potentially leaking sensitive information on the developer's product. We also found that the VS Code hosting the third-party extensions lacks practical security controls and lets untrusted third-party code run unchecked and with questionable capabilities. We offer recommendations on possible avenues for fixing some of the issues uncovered during the analysis.

Cryptography and Security,Software Engineering

Raula Gaikovina Kula,Christoph Treude

DOI: https://doi.org/10.48550/arXiv.2208.01393

2022-08-01

Software Engineering

Abstract:Reliance on third-party libraries is now commonplace in contemporary software engineering. Being open source in nature, these libraries should advocate for a world where the freedoms and opportunities of open source software can be enjoyed by all. Yet, there is a growing concern related to maintainers using their influence to make political stances (i.e., referred to as protestware). In this paper, we reflect on the impact of world politics on software ecosystems, especially in the context of the ongoing War in Ukraine. We show three cases where world politics has had an impact on a software ecosystem, and how these incidents may result in either benign or malignant consequences. We further point to specific opportunities for research, and conclude with a research agenda with ten research questions to guide future research directions.

Nicholas Boucher,Ross Anderson

DOI: https://doi.org/10.48550/arXiv.2209.10717

2022-09-22

Cryptography and Security

Abstract:While vulnerability research often focuses on technical findings and post-public release industrial response, we provide an analysis of the rest of the story: the coordinated disclosure process from discovery through public release. The industry-wide 'Trojan Source' vulnerability which affected most compilers, interpreters, code editors, and code repositories provided an interesting natural experiment, enabling us to compare responses by firms versus nonprofits and by firms that managed their own response versus firms that outsourced it. We document the interaction with bug bounty programs, government disclosure assistance, academic peer review, and press coverage, among other topics. We compare the response to an attack on source code with the response to a comparable attack on NLP systems employing machine-learning techniques. We conclude with recommendations to improve the global coordinated disclosure system.

Gábor Antal,Márton Keleti,Péter Hegedűs

DOI: https://doi.org/10.48550/arXiv.2006.13652

2020-06-24

Abstract:Software security is undoubtedly a major concern in today's software engineering. Although the level of awareness of security issues is often high, practical experiences show that neither preventive actions nor reactions to possible issues are always addressed properly in reality. By analyzing large quantities of commits in the open-source communities, we can categorize the vulnerabilities mitigated by the developers and study their distribution, resolution time, etc. to learn and improve security management processes and practices. With the help of the Software Heritage Graph Dataset, we investigated the commits of two of the most popular script languages -- Python and JavaScript -- projects collected from public repositories and identified those that mitigate a certain vulnerability in the code (i.e. vulnerability resolution commits). On the one hand, we identified the types of vulnerabilities (in terms of CWE groups) referred to in commit messages and compared their numbers within the two communities. On the other hand, we examined the average time elapsing between the publish date of a vulnerability and the first reference to it in a commit. We found that there is a large intersection in the vulnerability types mitigated by the two communities, but most prevalent vulnerabilities are specific to language. Moreover, neither the JavaScript nor the Python community reacts very fast to appearing security vulnerabilities in general with only a couple of exceptions for certain CWE groups.

Software Engineering,Programming Languages

Karthika Subramani,Jordan Jueckstock,Alexandros Kapravelos,Roberto Perdisci

DOI: https://doi.org/10.1109/EuroSP53844.2022.00041

2021-11-14

Abstract:Service Workers (SWs) are a powerful feature at the core of Progressive Web Apps, namely web applications that can continue to function when the user's device is offline and that have access to device sensors and capabilities previously accessible only by native applications. During the past few years, researchers have found a number of ways in which SWs may be abused to achieve different malicious purposes. For instance, SWs may be abused to build a web-based botnet, launch DDoS attacks, or perform cryptomining; they may be hijacked to create persistent cross-site scripting (XSS) attacks; they may be leveraged in the context of side-channel attacks to compromise users' privacy; or they may be abused for phishing or social engineering attacks using web push notifications-based malvertising. In this paper, we reproduce and analyze known attack vectors related to SWs and explore new abuse paths that have not previously been considered. We systematize the attacks into different categories, and then analyze whether, how, and estimate when these attacks have been published and mitigated by different browser vendors. Then, we discuss a number of open SW security problems that are currently unmitigated, and propose SW behavior monitoring approaches and new browser policies that we believe should be implemented by browsers to further improve SW security. Furthermore, we implement a proof-of-concept version of several policies in the Chromium code base, and also measure the behavior of SWs used by highly popular web applications with respect to these new policies. Our measurements show that it should be feasible to implement and enforce stricter SW security policies without a significant impact on most legitimate production SWs.

Cryptography and Security

Azadeh Nematzadeh,Grace Bang,Xiaomo Liu,Zhiqiang Ma

DOI: https://doi.org/10.48550/arXiv.1909.01093

2019-08-25

Social and Information Networks

Abstract:Companies and financial investors are paying increasing attention to social consciousness in developing their corporate strategies and making investment decisions to support a sustainable economy for the future. Public discussion on incidents and events -- controversies -- of companies can provide valuable insights on how well the company operates with regards to social consciousness and indicate the company's overall operational capability. However, there are challenges in evaluating the degree of a company's social consciousness and environmental sustainability due to the lack of systematic data. We introduce a system that utilizes Twitter data to detect and monitor controversial events and show their impact on market volatility. In our study, controversial events are identified from clustered tweets that share the same 5W terms and sentiment polarities of these clusters. Credible news links inside the event tweets are used to validate the truth of the event. A case study on the Starbucks Philadelphia arrests shows that this method can provide the desired functionality.

Mohamad Fawaz Enaya,Thomas Klingbeil,Jacob Krüger,David Broneske,Frank Feinbube,Gunter Saake

DOI: https://doi.org/10.1016/j.jss.2024.112020

IF: 3.5

2024-03-30

Journal of Systems and Software

Abstract:The COVID-19 pandemic has drastically changed daily life and required fast responses to new situations, such as restricted public life. A major means to limit infections have been contact-tracing apps that inform an individual about a potential infection, helping to initiate countermeasures faster. While different tracing apps have been compared technologically, we are not aware of studies providing insights into their development processes during the pandemic emergency situation. To address this gap, we report an exploratory case study on how the German open-source Corona-Warn-App has been developed at SAP SE—and how other organizations (e.g., Deutsche Telekom AG), researchers, and individual developers contributed. We elicited data on the process, practices, and challenges by interviewing six developers at SAP SE, analyzing documentation, and discussing our data with an expert on the app's development. Overall, we provide insights into how the development process of the Corona-Warn-App differed from other projects at SAP SE (e.g., testing), discuss the causes (i.e., public interest causing researchers to perform tests), and study the consequences (i.e., emergency tickets by researchers). Our findings can guide organizations when developing software in similar emergency situations (e.g., pandemics) in which reliable software needs to be developed within a short period of time.

computer science, theory & methods, software engineering

Duc-Ly Vu,Trevor Dunlap,Karla Obermeier-Velazquez,Paul Gilbert,John Speed Meyers,Santiago Torres-Arias

2024-11-17

Abstract:Malicious attacks on open source software packages are a growing concern. This concern morphed into a panic-inducing crisis after the revelation of the XZ Utils backdoor, which would have provided the attacker with, according to one observer, a "skeleton key" to the internet. This study therefore explores the challenges of preventing and detecting malware in Linux distribution package repositories. To do so, we ask two research questions: (1) What measures have Linux distributions implemented to counter malware, and how have maintainers experienced these efforts? (2) How effective are current malware detection tools at identifying malicious Linux packages? To answer these questions, we conduct interviews with maintainers at several major Linux distributions and introduce a Linux package malware benchmark dataset. Using this dataset, we evaluate the performance of six open source malware detection scanners. Distribution maintainers, according to the interviews, have mostly focused on reproducible builds to date. Our interviews identified only a single Linux distribution, Wolfi OS, that performs active malware scanning. Using this new benchmark dataset, the evaluation found that the performance of existing open-source malware scanners is underwhelming. Most studied tools excel at producing false positives but only infrequently detect true malware. Those that avoid high false positive rates often do so at the expense of a satisfactory true positive. Our findings provide insights into Linux distribution package repositories' current practices for malware detection and demonstrate the current inadequacy of open-source tools designed to detect malicious Linux packages.

Cryptography and Security,Software Engineering

Lauren Olson,Tom P. Humbert,Ricarda Anna-Lena Fischer,Bob Westerveld,Florian Kunneman,Emitzá Guzmán

2024-10-11

Abstract:Many modern software applications present numerous ethical concerns due to conflicts between users' values and companies' priorities. Intersectional communities, those with multiple marginalized identities, are disproportionately affected by these ethical issues, leading to legal, financial, and reputational issues for software companies, as well as real-world harm for intersectional users. Historically, the voices of intersectional communities have been systematically marginalized and excluded from contributing their unique perspectives to software design, perpetuating software-related ethical concerns. This work aims to fill the gap in research on intersectional users' software-related perspectives and provide software practitioners with a starting point to address their ethical concerns. We aggregated and analyzed the intersectional users' ethical concerns over time and developed a prioritization method to identify critical concerns. To achieve this, we collected posts from over 700 intersectional subreddits discussing software applications, utilized deep learning to identify ethical concerns in these posts, and employed state-of-the-art techniques to analyze their content in relation to time and priority. Our findings revealed that intersectional communities report \textit{critical} complaints related to cyberbullying, inappropriate content, and discrimination, highlighting significant flaws in modern software, particularly for intersectional users. Based on these findings, we discuss how to better address the ethical concerns of intersectional users in software development.

Software Engineering,Human-Computer Interaction

Liang Tian,Chengzhi Zhang

DOI: https://doi.org/10.48550/arXiv.2207.06219

2022-07-03

Information Retrieval

Abstract:COVID-19 has had a profound impact on the lives of all human beings. Emerging technologies have made significant contributions to the fight against the pandemic. An extensive review of the application of technology will help facilitate future research and technology development to provide better solutions for future pandemics. In contrast to the extensive surveys of academic communities that have already been conducted, this study explores the IT community of practice. Using GitHub as the study target, we analyzed the main functionalities of the projects submitted during the pandemic. This study examines trends in projects with different functionalities and the relationship between functionalities and technologies. The study results show an imbalance in the number of projects with varying functionalities in the GitHub community, i.e., applications account for more than half of the projects. In contrast, other data analysis and AI projects account for a smaller share. This differs significantly from the survey of the academic community, where the findings focus more on cutting-edge technologies while projects in the community of practice use more mature technologies. The spontaneous behavior of developers may lack organization and make it challenging to target needs.

Gaurav Verma,Rynaa Grover,Jiawei Zhou,Binny Mathew,Jordan Kraemer,Munmun De Choudhury,Srijan Kumar

2024-07-22

Abstract:Violence-provoking speech -- speech that implicitly or explicitly promotes violence against the members of the targeted community, contributed to a massive surge in anti-Asian crimes during the pandemic. While previous works have characterized and built tools for detecting other forms of harmful speech, like fear speech and hate speech, our work takes a community-centric approach to studying anti-Asian violence-provoking speech. Using data from ~420k Twitter posts spanning a 3-year duration (January 1, 2020 to February 1, 2023), we develop a codebook to characterize anti-Asian violence-provoking speech and collect a community-crowdsourced dataset to facilitate its large-scale detection using state-of-the-art classifiers. We contrast the capabilities of natural language processing classifiers, ranging from BERT-based to LLM-based classifiers, in detecting violence-provoking speech with their capabilities to detect anti-Asian hateful speech. In contrast to prior work that has demonstrated the effectiveness of such classifiers in detecting hateful speech ($F_1 = 0.89$), our work shows that accurate and reliable detection of violence-provoking speech is a challenging task ($F_1 = 0.69$). We discuss the implications of our findings, particularly the need for proactive interventions to support Asian communities during public health crises. The resources related to the study are available at <a class="link-external link-https" href="https://claws-lab.github.io/violence-provoking-speech/" rel="external noopener nofollow">this https URL</a>.

Computation and Language,Social and Information Networks

Ravi Sen,Ajay Verma,Gregory R. Heim

DOI: https://doi.org/10.1080/07421222.2019.1705511

IF: 7.582

2020-01-02

Journal of Management Information Systems

Abstract:The number of malicious hacking incidents in our increasingly IT-enabled world has been increasing over the years. Conventional wisdom focuses on negative impacts of these malicious hacker activities. We posit that malicious hacker activities also might lead to some unintended consequences, specifically related to altering of software market structure, and associated stakeholder consequences. In this study, we model the competition between two software platforms in the presence of malicious hackers who perform cyberattacks against one or both software platforms. We compare a benchmark case where malicious hackers are either absent, or if present do not target the software platforms, against a first scenario where only one software platform is targeted, and a second scenario where both software platforms are targeted. Interestingly, we find the presence of malicious hackers' activities is not always detrimental to all software industry stakeholders. In general, the results suggest that the presence of malicious hackers is more likely to result in a competitive market, while their absence is more likely to result in a monopoly. Furthermore, we show that under certain market conditions, the unsecure software platform targeted by hackers potentially can drive its more secure competitor out of the market.

information science & library science,management,computer science, information systems

Darius Moldovan,Simona Riurean

DOI: https://doi.org/10.33847/2686-8296.4.2_1

2022-12-28

Journal of Digital Science

Abstract:The internet has become more or less, for most of us a dangerous place to live, work and relax when no proper measures are taken, and the response to incidents is not very clear and well implemented, both for organizations and individuals. This paper makes a short overview of current types and incidents of cyber-attacks, as well as the current state of threats, and the grade of awareness worldwide. Some methods to prevent cyber-attacks, malware analysis, and threat hunting, are presented, too. The paper also contains an application developed with a series of APIs that link the application to open-source tools and activate them, hence analyzing the content of the possible malicious files.

Vishal Asnani,Xi Yin,Xiaoming Liu

2024-09-25

Abstract:Adversarial attacks in computer vision exploit the vulnerabilities of machine learning models by introducing subtle perturbations to input data, often leading to incorrect predictions or classifications. These attacks have evolved in sophistication with the advent of deep learning, presenting significant challenges in critical applications, which can be harmful for society. However, there is also a rich line of research from a transformative perspective that leverages adversarial techniques for social good. Specifically, we examine the rise of proactive schemes-methods that encrypt input data using additional signals termed templates, to enhance the performance of deep learning models. By embedding these imperceptible templates into digital media, proactive schemes are applied across various applications, from simple image enhancements to complicated deep learning frameworks to aid performance, as compared to the passive schemes, which don't change the input data distribution for their framework. The survey delves into the methodologies behind these proactive schemes, the encryption and learning processes, and their application to modern computer vision and natural language processing applications. Additionally, it discusses the challenges, potential vulnerabilities, and future directions for proactive schemes, ultimately highlighting their potential to foster the responsible and secure advancement of deep learning technologies.

Computer Vision and Pattern Recognition

Ronggui Huang,Xiaoyi Sun

DOI: https://doi.org/10.1080/17544750.2016.1206030

IF: 3.698

2016-01-01

Chinese Journal of Communication

Abstract:This study explores the use of Weibo in a protest against a nuclear fuel processing plant in China. This study argues that social media play an important role in the development of protests in non-democratic societies through the mechanism of preference revelation, which blurs the boundary between offline protests and the individualized expression of preferences on social media. Of Weibo tweets which were posted prior to the occurrence of the offline protest, 11,788 protest-related were examined with the aid of a supervised machine learning technique. The results showed that the revelation of personal preferences in the form of individualized expressions of opposition were more common than mobilization and coordination, and such preferences were legitimized by the personal frames of risk and the distrust in government. The use of Weibo to mobilize potential opponents to the project, primarily by calling for the expression of opposition, was less frequent than the use of Weibo to express personal frames. Furthermore, the prevalence of Weibo usage changed dramatically. In the first few days of the protest, the revelation of personal preferences and personal frames of risk were prominent, whereas personal frames of distrust in government were common in the days leading to the street protest.