Provenance-Based Security Audits and Its Application to COVID-19 Contact Tracing Apps

  • Conference paper
Provenance and Annotation of Data and Processes (IPAW 2020, IPAW 2021)

Abstract

Software repositories contain information about source code, software development processes, and team interactions. We combine the provenance of development processes with code security analysis results to provide fast feedback on the software’s design and security issues. Results from queries of the provenance graph drive the security analyses, which are conducted on certain events, such as commits or pull requests by external contributors. We evaluate our method on Open Source projects that are developed under time pressure and use Germany’s COVID-19 contact tracing app ‘Corona-Warn-App’ as a case study.

Notes

  1. https://www.apple.com/covid19/contacttracing/.

  2. https://github.com/corona-warn-app.

  3. Data source: https://cauldron.io/project/3860.

  4. All numbers are as of 10th March, 2021.

  5. GrimoireLab: http://chaoss.github.io/grimoirelab.

  6. Cauldron: https://cauldron.io.

  7. Spikes in the graphs during 08/20–09/20 are due to parallel branch development.

  8. cf. https://github.com/corona-warn-app/cwa-app-android/pull/876.

  9. https://cwe.mitre.org/.

  10. https://github.com/corona-warn-app/cwa-server.

  11. All numbers are as of 10th March, 2021.

  12. For example, https://github.com/corona-warn-app/cwa-server/issues/269.

  13. https://github.com/PEPP-PT.

  14. https://github.com/DP-3T.

Corresponding author

Correspondence to Andreas Schreiber.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Schreiber, A., Sonnekalb, T., Heinze, T.S., von Kurnatowski, L., Gonzalez-Barahona, J.M., Packer, H. (2021). Provenance-Based Security Audits and Its Application to COVID-19 Contact Tracing Apps. In: Glavic, B., Braganholo, V., Koop, D. (eds) Provenance and Annotation of Data and Processes. IPAW 2020, IPAW 2021. Lecture Notes in Computer Science, vol 12839. Springer, Cham. https://doi.org/10.1007/978-3-030-80960-7_6

  • DOI: https://doi.org/10.1007/978-3-030-80960-7_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80959-1

  • Online ISBN: 978-3-030-80960-7

  • eBook Packages: Computer Science, Computer Science (R0)
