research-article

What are the critical security flaws in my system?

Author:
Viktória Fördős

Cisco Systems, Sweden / Eötvös Loránd University, Hungary

Cisco Systems, Sweden / Eötvös Loránd University, Hungary

0000-0001-6403-9797
View Profile

Erlang 2021: Proceedings of the 20th ACM SIGPLAN International Workshop on ErlangAugust 2021Pages 64–71https://doi.org/10.1145/3471871.3472965

Published:18 August 2021Publication History

Erlang 2021: Proceedings of the 20th ACM SIGPLAN International Workshop on Erlang

Pages 64–71

ABSTRACT

Delivering secure software is a challenge that every software engineering team needs to face and solve. Methods based on static analysis can help programmers identify security risks in the software. Security checkers built using static analysis methods are a great help but they can overload the users with their findings. Today there is no security checker for Erlang that understands the severity of the found vulnerability and uses the information to prioritise the found vulnerabilities when presenting the results to the programmers.

In this paper we discuss how to prioritise vulnerabilities in Erlang programs. We propose a static analysis that determines the severity of a vulnerability. Building on top of our previous work, we extend the trust zone analyser algorithm with the proposed analysis to return prioritised results to the programmers. Our early evaluation shows that the trust zone analyser is able to identify and prioritise the most critical security flaws in an Erlang system.

References

Mohamed Almorsy, John Grundy, and Amani S. Ibrahim. 2012. Supporting Automated Vulnerability Analysis Using Formalized Vulnerability Signatures. In Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (Essen, Germany) (ASE 2012 ). Association for Computing Machinery, New York, NY, USA, 100-109. https://doi.org/10.1145/2351676.2351691 Google ScholarDigital Library
Leonid Batyuk, Markus Herpich, Seyit Ahmet Camtepe, Karsten Raddatz, Aubrey-Derrick Schmidt, and Sahin Albayrak. 2011. Using static analysis for automatic assessment and mitigation of unwanted and malicious activities within Android applications. In 2011 6th International Conference on Malicious and Unwanted Software. 66-72. https://doi.org/10.1109/MALWARE. 2011.6112328 Google ScholarCross Ref
M. V. Belyaev, N. V. Shimchik, V. N. Ignatyev, and A. A. Belevantsev. 2018. Comparative Analysis of Two Approaches to Static Taint Analysis. Program. Comput. Softw. 44, 6 (Nov. 2018 ), 459-466. https://doi.org/10.1134/S036176881806004X Google ScholarDigital Library
Baranyai Brigitta, Melinda Tóth, and István Bozó. [n.d.]. Supporting Secure Coding with RefactorErl, Talk at the 19th ACM SIGPLAN International Workshop on Erlang, Virtual Event, 23 August, 2020.Google Scholar
Baranyai Brigitta, Melinda Tóth, and István Bozó. 2020. Supporting Secure Coding with RefactorErl. In Collection of Abstracts: 13th Joint Conference on Mathematics and Informatics. 24-25.Google Scholar
Brian Chess and Gary McGraw. 2004. Static analysis for security. IEEE security & privacy 2, 6 ( 2004 ), 76-79. https://doi.org/10.1109/MSP. 2004.111 Google ScholarCross Ref
Cisco Systems. 2018. Annual Cybersecurity Report. https://www.cisco. com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdfGoogle Scholar
Elliott Crifasi, Sean Pike, Zechariah Stuedemann, Saleh M Alnaeli, and Zaid Altahat. 2018. Cloud-Based Source Code Security and Vulnerabilities Analysis Tool for C/C++ Software Systems. In 2018 IEEE International Conference on Electro/Information Technology (EIT). IEEE, 0651-0654. https://doi.org/10.1109/EIT. 2018.8500206 Google ScholarCross Ref
Pär Emanuelsson and Ulf Nilsson. 2008. A Comparative Study of Industrial Static Analysis Tools. Electron. Notes Theor. Comput. Sci. 217 ( July 2008 ), 5-21. https://doi.org/10.1016/j.entcs. 2008. 06.039 Google ScholarCross Ref
Ericsson AB. 2021. Erlang Reference Manual, User's Guide: Guard Expressions. https://erlang.org/doc/reference_manual/expressions. html#guard-expressionsGoogle Scholar
Ericsson AB. 2021. Erlang Reference Manual, User's Guide: Guards. https://erlang.org/doc/reference_manual/expressions.html# guard-sequencesGoogle Scholar
Ericsson AB. 2021. Erlang Reference Manual, User's Guide: Patterns. https://erlang.org/doc/reference_manual/expressions.html#paternsGoogle Scholar
David Evans and David Larochelle. 2002. Improving security using extensible lightweight static analysis. IEEE software 19, 1 ( 2002 ), 42-51. https://doi.org/10.1109/52.976940 Google ScholarDigital Library
Federal Bureau of Investigation. 2021. 2020 Internet Crime Report. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdfGoogle Scholar
Viktória Fördős. 2020. Secure Design and Verification of Erlang Systems. In Proceedings of the 19th ACM SIGPLAN International Workshop on Erlang (Virtual Event, USA) ( Erlang 2020 ). Association for Computing Machinery, New York, NY, USA, 31-40. https://doi.org/10.1145/ 3406085.3409011 Google ScholarDigital Library
Brittany Johnson, Yoonki Song, Emerson Murphy-Hill, and Robert Bowdidge. 2013. Why Don't Software Developers Use Static Analysis Tools to Find Bugs?. In Proceedings of the 2013 International Conference on Software Engineering (San Francisco, CA, USA) ( ICSE '13). IEEE Press, 672-681.Google ScholarCross Ref
N. Jovanovic, C. Kruegel, and E. Kirda. 2006. Pixy: a static analysis tool for detecting Web application vulnerabilities. In 2006 IEEE Symposium on Security and Privacy (S P'06). 6 pp.-263. https://doi.org/10.1109/SP. 2006.29 Google ScholarCross Ref
Lwin Khin Shar. and Hee Beng Kuan Tan. 2010. Auditing the XSS defence features implemented in web application programs. In Proceedings of the International Conference on Security and Cryptography-SECRYPT, ( ICETE 2010). INSTICC, SciTePress, 505-511. https://doi.org/10.5220/0002963905050511 Google ScholarCross Ref
V Benjamin Livshits and Monica S Lam. 2005. Finding Security Vulnerabilities in Java Applications with Static Analysis.. In USENIX Security Symposium, Vol. 14. 18-18.Google Scholar
V. Benjamin Livshits and Monica S. Lam. 2005. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the 14th Conference on USENIX Security Symposium-Volume 14 ( Baltimore, MD) (SSYM'05). USENIX Association, USA, 18.Google Scholar
Rahma Mahmood and Qusay H. Mahmoud. 2018. Evaluation of Static Analysis Tools for Finding Vulnerabilities in Java and C/C++ Source Code. CoRR abs/ 1805.09040 ( 2018 ). arXiv: 1805.09040 http://arxiv.org/ abs/ 1805.09040Google Scholar
Michael Truog. 2016. Primitive Erlang Security Tool. https://github. com/okeuday/pestGoogle Scholar
H. G. Rice. 1953. Classes of Recursively Enumerable Sets and Their Decision Problems. Trans. Amer. Math. Soc. 74 ( 1953 ), 358-366. https://doi.org/10.2307/1990888 Google ScholarCross Ref
Alexandre Jorge Barbosa Rodrigues and Viktória Fördős. 2018. Towards Secure Erlang Systems. In Proceedings of the 17th ACM SIGPLAN International Workshop on Erlang (St. Louis, MO, USA) ( Erlang 2018 ). Association for Computing Machinery, New York, NY, USA, 67-70. https://doi.org/10.1145/3239332.3242768 Google ScholarDigital Library
Julian Thomé, Lwin Khin Shar, Domenico Bianculli, and Lionel Briand. 2018. Security slicing for auditing common injection vulnerabilities. Journal of Systems and Software 137 ( 2018 ), 766-783. https://doi.org/ 10.1016/j.jss. 2017. 02.040 Google ScholarCross Ref
Melinda Tóth and István Bozó. 2014. Detecting and Visualising Process Relationships in Erlang. Procedia Computer Science 29 ( 2014 ), 1525-1534. https://doi.org/10.1016/j.procs. 2014. 05.138 2014 International Conference on Computational Science.Google Scholar
Gary Wassermann and Zhendong Su. 2008. Static detection of crosssite scripting vulnerabilities. In 2008 ACM/IEEE 30th International Conference on Software Engineering. 171-180. https://doi.org/10.1145/ 1368088.1368112 Google ScholarDigital Library
Fabian Yamaguchi, Nico Golde, Daniel Arp, and Konrad Rieck. 2014. Modeling and Discovering Vulnerabilities with Code Property Graphs. In 2014 IEEE Symposium on Security and Privacy. 590-604. https://doi.org/10.1109/SP. 2014.44 Google ScholarDigital Library

Index Terms

What are the critical security flaws in my system?
1. Security and privacy
  1. Formal methods and theory of security
    1. Logic and verification
    2. Trust frameworks
  2. Software and application security
    1. Software security engineering
2. Software and its engineering
  1. Software creation and management
    1. Designing software
      1. Software design engineering

Recommendations

Secure design and verification of Erlang systems
Erlang 2020: Proceedings of the 19th ACM SIGPLAN International Workshop on Erlang

Security is a critical part of software development, companies have the utmost responsibility to protect their customers data against any threat. Secure design is a key enabler, since it cultivates security awareness in software projects from day zero. ...
Read More
A Survey on Web Application Vulnerabilities (SQLIA, XSS) Exploitation and Security Engine for SQL Injection
CSNT '12: Proceedings of the 2012 International Conference on Communication Systems and Network Technologies

Today almost all organizations have improved their performance through allowing more information exchange within their organization as well as between their distributers, suppliers, and customers using web support. Databases are central to the modern ...
Read More
Static detection of cross-site scripting vulnerabilities
ICSE '08: Proceedings of the 30th international conference on Software engineering

Web applications support many of our daily activities, but they often have security problems, and their accessibility makes them easy to exploit. In cross-site scripting (XSS), an attacker exploits the trust a web client (browser) has for a trusted ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
Erlang 2021: Proceedings of the 20th ACM SIGPLAN International Workshop on Erlang
August 2021
71 pages
ISBN:9781450386128
DOI:10.1145/3471871
General Chairs:
Stavros Aronis
Erlang Solutions, Sweden
,
Annette Bieniusa
TU Kaiserslautern, Germany
Copyright © 2021 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 18 August 2021
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Erlang
Input validation
Security posture verification
Static analysis
Trust zones
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate51of68submissions,75%
Upcoming Conference
ICFP '24

Sponsor:

sigplan

ACM SIGPLAN International Conference on Functional Programming

September 9 - 13, 2024

Milan , Italy
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 76
  Total Downloads
- Downloads (Last 12 months)16
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

What are the critical security flaws in my system?

Erlang 2021: Proceedings of the 20th ACM SIGPLAN International Workshop on Erlang

ABSTRACT

References

Cited By

Index Terms

Recommendations

Secure design and verification of Erlang systems

A Survey on Web Application Vulnerabilities (SQLIA, XSS) Exploitation and Security Engine for SQL Injection

Static detection of cross-site scripting vulnerabilities