A Credential Usage Study: Flow-Aware Leakage Detection in Open-Source Projects

IEEE Journals & Magazine | IEEE Xplore


Abstract:

Authentication and cryptography are critical security functions and are therefore very often included as part of application code. These functions require credentials, such as passwords, security tokens, and cryptographic keys. However, developers often implement or use credentials incorrectly in their code because they lack secure coding skills. This paper analyzes open-source projects with respect to the correct use of security credentials. We developed a semantic-rich, language-independent analysis approach for analyzing many projects automatically. We implemented a detection tool, SEAGULL, that automatically checks open-source projects based on string literal and code structure information. Instead of analyzing the entire project code, which might result in path explosion when constructing data and control dependencies, SEAGULL pinpoints all literal constants to identify credential candidates and then analyzes only the code snippets correlated to these candidates. SEAGULL accurately identifies leaked credentials by obtaining semantic and syntactic information about that code. We applied SEAGULL to 377 open-source projects, and it reported 19 real-world credential leakages among them. Our analysis shows that some developers protected or erased the credentials in the current project versions, but previously used credentials can still be extracted from the project's historical versions. Although the credential leakages appear to be fixed in the current projects, attackers could still log into accounts if developers keep using the same credentials as before. Additionally, we found that such credential leakages still affect some projects: by exploiting leaked credentials, attackers can log into particular accounts.
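The two-step idea the abstract describes (collect string literals as credential candidates, then keep only those whose code context shows them flowing into an authentication sink) can be illustrated with a small Python AST checker. This is an added example, not the authors' SEAGULL implementation; the sample module, the sink parameter names and the header names are all assumptions constructed for the demonstration, and the flow tracking is deliberately limited to direct literals and names bound to a literal.

```python
import ast
# Constructed sample module (not from the paper): API_KEY and PASSWORD reach a sink, BANNER never does.
SAMPLE = '''
import requests
API_KEY = "sk_live_EXAMPLE_1234567890"
BANNER = "Welcome to the demo service"
PASSWORD = "hunter2"
def fetch():
    return requests.get("https://example.invalid/v1",
                        headers={"Authorization": API_KEY})
def connect(db):
    return db.connect(host="localhost", user="app", password=PASSWORD)
'''

# Assumed sink definitions: keyword parameters and HTTP headers that carry credentials.
SINK_KWARGS = {"password", "passwd", "token", "api_key", "secret", "key"}
SINK_HEADERS = {"authorization", "x-api-key"}

def resolve(expr, literals):
    """The string literal an expression carries: itself, or the one bound to its name; else None."""
    if isinstance(expr, ast.Name):
        return literals.get(expr.id)
    return expr.value if isinstance(expr, ast.Constant) and isinstance(expr.value, str) else None

def collect_literal_assignments(tree):
    """Step 1: every `NAME = "literal"` in the module is a credential candidate."""
    literals = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            if (val := resolve(node.value, {})) is not None:
                literals[node.targets[0].id] = val
    return literals

def find_leaks(source):
    """Step 2: keep only candidates that flow into a sink call; returns (line, sink, literal)."""
    tree = ast.parse(source)
    literals = collect_literal_assignments(tree)
    leaks = []
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        for kw in call.keywords:
            if kw.arg and kw.arg.lower() in SINK_KWARGS:      # e.g. password=PASSWORD
                if (val := resolve(kw.value, literals)) is not None:
                    leaks.append((call.lineno, kw.arg, val))
            elif isinstance(kw.value, ast.Dict):               # e.g. headers={"Authorization": API_KEY}
                for k, v in zip(kw.value.keys, kw.value.values):
                    if isinstance(k, ast.Constant) and str(k.value).lower() in SINK_HEADERS:
                        if (val := resolve(v, literals)) is not None:
                            leaks.append((call.lineno, k.value, val))
    return leaks
```

Running `find_leaks(SAMPLE)` reports the API key and the password but not `BANNER`, which a pure literal or regex scan would have to rule out by other means; a real flow-aware tool would extend `resolve` across function boundaries and data dependencies.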
Page(s): 722 - 734
Date of Publication: 23 October 2023

