Yan Wu,Jingyi Su,David D. Moran,Chris D. Near

DOI: https://doi.org/10.48550/arXiv.2301.06215

2023-01-15

Software Engineering

Abstract:The mass production of complex software has made it impossible to manually test it for security vulnerabilities. Automated security testing tools come in a variety of flavors, function at various stages of software development, and target different categories of software vulnerabilities. It is great that we have a plethora of automated tools to choose from, but it is a problem that their adoption and recognition are not prominent. The purpose of this study is to explore the possibilities of existing techniques while also broadening the horizon by exploring the future of security testing tools and related techniques.

Zhidong Shen,Si Chen

DOI: https://doi.org/10.1155/2020/8858010

IF: 1.968

2020-09-29

Security and Communication Networks

Abstract:Open source software has been widely used in various industries due to its openness and flexibility, but it also brings potential software security problems. Together with the large-scale increase in the number of software and the increase in complexity, the traditional manual methods to deal with these security issues are inefficient and cannot meet the current cyberspace security requirements. Therefore, it is an important research topic for researchers in the field of software security to develop more intelligent technologies to apply to potential security issues in software. The development of deep learning technology has brought new opportunities for the study of potential security issues in software, and researchers have successively proposed many automation methods. In this paper, these automation technologies are evaluated and analysed in detail from three aspects: software vulnerability detection, software program repair, and software defect prediction. At the same time, we point out some problems of these research methods, give corresponding solutions, and finally look forward to the application prospect of deep learning technology in automated software vulnerability detection, automated program repair, and automated defect prediction.

computer science, information systems,telecommunications

Qian Wang,Jinan Sun,Chen Wang,Shikun Zhang,Sisi Xuanyuan,Bin Zheng

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00016

2020-01-01

Abstract:In this paper we review the research progress of the mainstream approaches of detecting access control vulnerabilities and classify them based on the key techniques for web application components. And we compare different detection methods, analyze their advantages and flaws. Then we discuss the experimental results of relevant detection tools for realistic usage. Finally, we summarize the general framework of detection method and provide future research directions in this area.

Marc Rennhard,Malte Kushnir,Olivier Favre,Damiano Esposito,Valentin Zahnd

DOI: https://doi.org/10.1007/s42979-022-01271-1

2022-07-16

SN Computer Science

Abstract:The importance of automated and reproducible security testing of web applications is growing, driven by increasing security requirements, short software development cycles, and constraints with respect to time and budget. Existing automated security testing tools are already well suited to detect some types of vulnerabilities, e.g., SQL injection or cross-site scripting vulnerabilities. However, other vulnerability types are much harder to uncover in an automated way. One important representative of this type are access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect HTTP GET request-based access control vulnerabilities in web applications is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort, which in turn enables frequent and reproducible testing. An evaluation with seven web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives low.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Guan-Yan Yang,Yi-Heng Ko,Farn Wang,Kuo-Hui Yeh,Haw-Shiang Chang,Hsueh-Yi Chen

2024-10-29

Abstract:Our work explores the utilization of deep learning, specifically leveraging the CodeBERT model, to enhance code security testing for Python applications by detecting SQL injection vulnerabilities. Unlike traditional security testing methods that may be slow and error-prone, our approach transforms source code into vector representations and trains a Long Short-Term Memory (LSTM) model to identify vulnerable patterns. When compared with existing static application security testing (SAST) tools, our model displays superior performance, achieving higher precision, recall, and F1-score. The study demonstrates that deep learning techniques, particularly with CodeBERT's advanced contextual understanding, can significantly improve vulnerability detection, presenting a scalable methodology applicable to various programming languages and vulnerability types.

Cryptography and Security,Artificial Intelligence,Software Engineering

ZENG Huajun,Shen Ruimin,Shen Liping,ZHANG Tongzhen

DOI: https://doi.org/10.3969/j.issn.1000-3428.2001.03.052

2001-01-01

Abstract:Web-based distance testing system brings out a series of security problems. The security of Web-test includes not only normal information security problems like authentication. privacy, access control, integrality, etc, but also unique ones such as cheat-preventing, paper-protecting, etc. We suggest a half-closed Web-test environment, and use a particular testing gateway to apply security mechanism. The functions and running process of the testing gateway is also presented in detail.

Ting Yu,Dhivya Sivasubramanian,Tao Xie

DOI: https://doi.org/10.1145/1558607.1558623

2009-01-01

Abstract:Access control is one of the fundamental security mechanisms for information systems. It determines the availability of resources to principals, operations that can be performed, and under what circumstances. Traditionally the enforcement of access control is often hardcoded in applications or systems; such hardcoding makes it hard to verify the correctness of access control and to accommodate changes of security requirements. Recently, access control policies have been increasingly separated from enforcement mechanisms. An access control policy is explicitly specified using certain policy languages with well-defined syntax and semantics. An application then consults the policy during runtime to determine whether an access request from a principal should be allowed or denied. There are two main advantages of this approach. First, security officers can now perform systematic and formal security analysis on access control policies. Second, by separating policies from enforcement mechanisms, it is possible to change policies without affecting the underlying mechanisms, and vice versa.

Peng-cheng ZHOU,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.02.025

2017-01-01

Abstract:Continuous integration is commonly used in today's software development.Due to the lack of security awareness and the wrong security strategy,the attacker can easily exploit defect and achieve higher rights,acquire sensitive data,execute remote command and reach other purposes.Based on introduction of the architecture and basic components of continuous integration tools,this paper focuses on the existing defects and common attack surface of the continuous integration tools,also discusses the password cracking,remote command execution,and Java deserialization vulnerabilities on this platform.By using the defect detection technology to detect these components and achieving integrated integration and implementation of automated testing platform,a more intuitive and comprehensive assessment of system security could be acquired.

ZHAO Dong-ping,ZHENG Wei-bin,ZHANG De-yun

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.035

2005-01-01

Abstract:To address the problem of application-level web security,an adaptive intrusion detection system is proposed,which is embedded directly in the Web server.In order to define all the valid requests for anomaly detection and misuse detection,the techniques which observe the clients' access behavior relevancy and adjust their personal policies dynamically are employed.The experiments indicate that the proposed system can not only confirm the valid request but also defend the new attack behavior and detect the old attack event.Based on the proposed method,the detecting rate is over 95.8% under common attack scanning.

Jiaxin Yu,Liming Fu,Peng Liang,Amjed Tahir,Mojtaba Shahin

2023-07-05

Abstract:Background: Despite the widespread use of automated security defect detection tools, software projects still contain many security defects that could result in serious damage. Such tools are largely context-insensitive and may not cover all possible scenarios in testing potential issues, which makes them susceptible to missing complex security defects. Hence, thorough detection entails a synergistic cooperation between these tools and human-intensive detection techniques, including code review. Code review is widely recognized as a crucial and effective practice for identifying security defects. Aim: This work aims to empirically investigate security defect detection through code review. Method: To this end, we conducted an empirical study by analyzing code review comments derived from four projects in the OpenStack and Qt communities. Through manually checking 20,995 review comments obtained by keyword-based search, we identified 614 comments as security-related. Results: Our results show that (1) security defects are not prevalently discussed in code review, (2) more than half of the reviewers provided explicit fixing strategies/solutions to help developers fix security defects, (3) developers tend to follow reviewers' suggestions and action the changes, (4) Not worth fixing the defect now and Disagreement between the developer and the reviewer are the main causes for not resolving security defects. Conclusions: Our research results demonstrate that (1) software security practices should combine manual code review with automated detection tools, achieving a more comprehensive coverage to identifying and addressing security defects, and (2) promoting appropriate standardization of practitioners' behaviors during code review remains necessary for enhancing software security.

Software Engineering

Jie-Ci Yang,Chin-Lun Lai,Hsin-Teng Sheu,Jiann-Jone Chen

DOI: https://doi.org/10.3390/s130505923

2013-05-10

Abstract:This paper presents an innovative access control system, based on human detection and path analysis, to reduce false automatic door system actions while increasing the added values for security applications. The proposed system can first identify a person from the scene, and track his trajectory to predict his intention for accessing the entrance, and finally activate the door accordingly. The experimental results show that the proposed system has the advantages of high precision, safety, reliability, and can be responsive to demands, while preserving the benefits of being low cost and high added value.

DING Hongda,ZENG Qingkai,BAO Bixian

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.01.056

2007-01-01

Abstract:Test and validation of access control is a crucial part of the security evaluation of the system.A testing approach by extending GFAC is proposed,automatically to test the access control service according to requirements of security evaluation based on common criteria.The implementation of testing on Linux+RSBAC demonstrates the approach available.

Xiaowei Li,Xujie Si,Yuan Xue

DOI: https://doi.org/10.1145/2557547.2557552

2014-01-01

Abstract:Access control vulnerabilities within web applications pose serious security threats to the sensitive information stored at back-end databases. Existing approaches are limited from several aspects, including the coarse granularity at which the access control is modeled, the incapability of handling complex relationship between data entities and the requirement of source code and the specific application platform. In this paper, we present an automated black-box technique for identifying a broad range of access control vulnerabilities, which can be applied to applications that are developed using different languages and platforms. We model the access control policy based on a novel virtual SQL query concept, which captures both the database access operations (i.e., through SQL queries) and the post-processing filters within the web application. We leverage a crawler to automatically explore the application and collect execution traces. From the traces, we identify the set of database access operations that are allowed for each role (i.e., role-level policy inference) and extract the constraints over the operation parameters to characterize the relationship between the users and the accessed data (i.e., user-level policy inference). Based on the inferred policy, we construct test inputs to exploit the application for potential access control flaws. We implement a prototype system BATMAN and evaluate it over a set of PHP and JSP web applications. The experiment results demonstrate the effectiveness and accuracy of our approach.

Deqiang Gan,Yasuhiro Hayashi,Koichi Nara,Zhengchun Du,Xiaolu Wang,Xifan Wang

1998-01-01

International Journal of Power and Energy Systems

Abstract:A method for the on-line implementation of dynamic security assessment has been pursued for long time. Now the key problem lies in how to reduce the computation burden. This paper presents a method abased on the concept of automatic contingency selection to speed up dynamic security assessment. Six kinds of performance indices are developed to quantitatively evaluate the severity of contingencies. Combining the proposed automatic contingency selection algorithm with fast integration procedure, a new frame work for dynamic security assessment is introduced. Simulation results show the rapidity and robustness of the proposed procedure.

WANG Zhi-hao,ZHAO Bao-hua,ZHAO Ting

DOI: https://doi.org/10.3969/j.issn.1672-4844.2012.11.002

2012-01-01

Abstract:In order to change single software security testing into a planned process consisting of security testing design, security coding testing, security audit testing and online security testing, this paper proposes a software security testing method based on software development lifecycle (SDL), and describes its modules design and method analysis in detail. Compared with the traditional methods, the systematic test idea used by the method can effectively reduce the huge cost of testing after the software accomplished and the numbers of patches after the test, further improve the development efficiency.

CHEN Yulai,SHAN Rongsheng,BAI Yingcai

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.02.062

2007-01-01

Abstract:This paper presents a dynamic defense model of network security, based on which a prototype system is implemented. The system integrates the mechanisms of detection and access control, and has close loop response to the results of attack detection. The system obtains some changes of the service port by network service discrimination and active scan technologies, and then dynamically adjusts and loads the detection module according to these changes, so that the accuracy and efficiency of detection are improved. The experimental results show that the system has a closed-loop dynamic protection mechanism.

Lian Yu,Jun Zhou,Yue Yi,Jianchu Fan,Qianxiang Wang

DOI: https://doi.org/10.1109/qsic.2009.10

2009-01-01

Abstract:Static analysis works well at checking defects that clearly map to source code constructs. Model checking can find defects of deadlocks and routing loops that are not easily detected by static analysis, but faces the problem of state explosion. This paper proposes a hybrid approach to detecting security defects in programs. Fuzzy Inference System is used to infer selection among the two detection approaches. A cluster algorithm is developed to divide a large system into several clusters in order to apply model checking. Ontology based static analysis employs logic reasoning to intelligently detect the defects. We also put forwards strategies to improve performance of the static analysis. At last, we perform experiments to evaluate the accuracy and performance of the hybrid approach.

Zehui Zhang,Futai Zou,Jianan Hong,Libo Chen,Ping Yi

DOI: https://doi.org/10.1109/jiot.2024.3400858

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:At present, there is less research on the detection of broken access control vulnerabilities in the Internet of Things (IoT) systems, mostly using state machines to analyse abnormal state transitions and no systematic tools have been developed. The main challenges include the inaccessibility of communication messages, a lack of effective detection for broken access control vulnerabilities, and excessive manual involvement. Moreover, due to the existence of encryption, signatures, and other fields, it is challenging to directly port the Web-based detection tools to IoT. In response to these challenges, we propose a framework for detecting broken access control vulnerabilities based on the interaction between the applications and cloud platforms. The framework employs man-in-the-middle techniques to obtain communication messages between the two entities, enabling fast and effective fuzz testing through the keyword extraction, database-guided fuzzing, and response-based detection algorithms. In addition, a combination of dynamic and static reverse analysis techniques are used to overcome anti-tampering measures, such as encryption and signatures. Following the detection framework, we implemented the semi-automated broken access control detector (BACDetector) system and tested it on six applications from four manufacturers. BACDetector discovered nine broken access control vulnerabilities, including risks of device hijacking and privacy leakage. This validated its effectiveness in detecting vulnerabilities in IoT.

Zhen-yu ZHANG,Dong-lai ZHU,Zhe-min YANG,Min YANG

DOI: https://doi.org/10.3969/j.issn.1000-1220.2019.08.037

2019-01-01

Abstract:Anti-analysis techniques refers to a series of mechanisms to evade program analysis. Benign application authors use anti-a-nalysis techniques to protect their application from cracking by other developers,while malware authors use anti-analysis techniques to evade detection. However,there isn′t any systematic study on the influence of anti-analysis techniques on the security of Android eco-system. To conduct this study,we design and implement AATPacker,which can apply dynamic code loading,anti-emulator,anti-debug and integrity check techniques to APK files automatically. We are the first to evaluate the anti-anti-analysis ability of the commercial packing services. We conduct our experiment on 239 application samples which are hardened from 31 original samples with different combinations of anti-analysis techniques by AATPacker. We observed that current anti-anti-analysis researches are not fully used,and using anti-analysis techniques will dramatically hinder the security check in Android ecosystem. By applying anti-analysis techniques, the detection rate of malware significantly decreased;on the other side,benign application was falsely detected. Among all the anti-a-nalysis techniques,dynamic code loading has the greatest impact on the security of Android ecosystem.