What are the critical security flaws in my system?

ABSTRACT
Delivering secure software is a challenge that every software engineering team has to face and solve. Methods based on static analysis can help programmers identify security risks in their software. Security checkers built on static analysis are a great help, but they can overload users with their findings. Today there is no security checker for Erlang that understands the severity of a found vulnerability and uses that information to prioritise the findings when presenting them to programmers.
In this paper we discuss how to prioritise vulnerabilities in Erlang programs. We propose a static analysis that determines the severity of a vulnerability. Building on our previous work, we extend the trust zone analyser algorithm with the proposed analysis so that it returns prioritised results to programmers. Our early evaluation shows that the trust zone analyser is able to identify and prioritise the most critical security flaws in an Erlang system.