ABSTRACT
Security vulnerabilities are commonly caused by security bugs introduced by developers during code construction. Static analysis tools can detect such vulnerabilities, yet are often not utilized by developers, leaving them out of the security loop. We are investigating interactive static analysis, to assist developers in detecting and mitigating security vulnerabilities during code construction. We propose interactive code annotation as a technique to gather security-related decisions from developers to aid in vulnerability detection. In this paper, we discuss the lessons we have learned in a technical and user evaluation of our current prototype, and the resulting design of our code annotation interface. The design decisions we present can help to inform the design of other annotation and security tools.
Index Terms: Interactive Code Annotation for Security Vulnerability Detection