DOI: 10.1145/3538969.3538973
Research article, open access

CopypastaVulGuard – A browser extension to prevent copy and paste spreading of vulnerable source code in forum posts

Published: 23 August 2022

Abstract

Forums such as Stack Overflow are used by many software developers to find a solution for a given coding problem. Found solutions, i.e. forum posts containing relevant source code, are used in a copy and paste manner. This behavior carries the risk that vulnerabilities contained in the source code of the forum posts are spread. Software developers should be able to identify vulnerable source code at an early stage, thereby avoiding copying the corresponding source code. In this paper, we introduce the tool CopypastaVulGuard, which identifies vulnerable source code in forum posts and allows software developers to omit the source code by marking the forum posts as dangerous. Our tool consists of a browser extension and a management application; as examples, it addresses SQL injections, remote code executions and deprecated functions, based on a dump of the archive.org Stack Overflow data set. We present an evaluation of our tool's possible impact and relevance, considering pros/cons and selected research questions.
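The abstract describes the extension's core loop only at a high level: inspect the code blocks of each forum post, check them for the three example weakness classes (SQL injection, remote code execution, deprecated functions), and mark the post so a developer sees the flag before copying. The following content script is an added illustration of that loop and is not CopypastaVulGuard's own code: the rule set, the `.question`/`.answer` and `pre code` selectors, the post object shape and the three sample posts are all constructed assumptions, and a real scanner would parse the snippet's language rather than pattern-match lines of text.

```javascript
// Added illustration of the scan-and-flag idea the abstract describes. This is
// NOT CopypastaVulGuard's code; the rules, post format, sample posts and DOM
// selectors below are constructed assumptions for the example.

const RULES = [
  {
    id: "sql-concat",
    severity: "high",
    // SQL keyword, then on the same line a quoted fragment that is closed and
    // glued to a variable with '+' or '.' (JavaScript/PHP string concatenation).
    re: /\b(select|insert|update|delete)\b[^\n;]*["'][^"'\n]*["']\s*[+.]\s*\$?\w+/i,
    desc: "SQL statement assembled by string concatenation (SQL injection risk)",
  },
  {
    id: "dynamic-exec",
    severity: "high",
    re: /\b(eval|exec|system|shell_exec|passthru|popen)\s*\(/,
    desc: "dynamic code or command execution (remote code execution risk with untrusted input)",
  },
  {
    id: "deprecated-mysql-ext",
    severity: "medium",
    re: /\bmysql_(connect|query|real_escape_string)\s*\(/,
    desc: "deprecated PHP mysql_* extension (removed in PHP 7)",
  },
];

// Scan one code snippet line by line; returns one finding per (rule, line) hit.
function scanSnippet(code) {
  const findings = [];
  const lines = code.split("\n");
  for (const rule of RULES) {
    lines.forEach((line, i) => {
      if (rule.re.test(line)) {
        findings.push({ rule: rule.id, severity: rule.severity, line: i + 1, desc: rule.desc });
      }
    });
  }
  return findings;
}

// A post is "dangerous" if any high-severity rule fires, "warning" if only
// lower-severity rules fire, and "clean" otherwise.
function classifyPost(post) {
  const findings = post.codeBlocks.flatMap((code, block) =>
    scanSnippet(code).map((f) => ({ block, ...f })));
  let verdict = "clean";
  if (findings.some((f) => f.severity === "high")) verdict = "dangerous";
  else if (findings.length > 0) verdict = "warning";
  return { postId: post.id, verdict, findings };
}

// Browser side: walk the posts on the page, classify each, and prepend a banner
// so the reader sees the flag before copying. The ".question" / ".answer"
// selectors are an assumption about the forum's markup.
function markPosts(doc) {
  const results = [];
  for (const el of doc.querySelectorAll(".question, .answer")) {
    const codeBlocks = Array.from(el.querySelectorAll("pre code"), (c) => c.textContent);
    const result = classifyPost({ id: el.id || "(no id)", codeBlocks });
    if (result.verdict !== "clean") {
      const banner = doc.createElement("div");
      banner.className = "vulguard-banner";
      banner.dataset.verdict = result.verdict;
      banner.textContent = `${result.verdict.toUpperCase()}: ` +
        result.findings.map((f) => `${f.desc} (block ${f.block}, line ${f.line})`).join("; ");
      el.prepend(banner);
    }
    results.push(result);
  }
  return results;
}

// Constructed sample posts standing in for scraped forum answers.
const SAMPLE_POSTS = [
  { id: "answer-1", codeBlocks: [
    '$q = "SELECT * FROM users WHERE name = \'" . $_GET["name"] . "\'";\n$r = mysql_query($q);',
  ] },
  { id: "answer-2", codeBlocks: [
    '$stmt = $pdo->prepare("SELECT * FROM users WHERE name = ?");\n$stmt->execute([$name]);',
  ] },
  { id: "answer-3", codeBlocks: [
    '$out = shell_exec("ls " . $_GET["dir"]);',
  ] },
];

if (typeof document !== "undefined") {
  markPosts(document);            // running as a content script in the browser
} else {
  for (const post of SAMPLE_POSTS) console.log(JSON.stringify(classifyPost(post)));
}
```

Run under Node it prints a verdict per sample post (answer-1 and answer-3 are flagged dangerous, the prepared-statement answer-2 is clean); loaded as a content script it annotates the matching posts in place. Splitting detection (`scanSnippet`, `classifyPost`) from presentation (`markPosts`) is what lets the rule set be tested offline and moved into a separate management component, as the abstract describes.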


Published In

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
August 2022, 1371 pages
ISBN: 9781450396707
DOI: 10.1145/3538969

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Browser-Plugin
2. Copy & Paste
3. Detection
4. Stack Overflow
5. Vulnerabilities

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

ARES 2022

Acceptance Rates

Overall Acceptance Rate: 228 of 451 submissions, 51%
