Your search keyword '"COMPUTER software security"' showing total 520 results

1. Review of Techniques for Integrating Security in Software Development Lifecycle.

Author

Saeed, Hassan, Shafi, Imran, Ahmad, Jamil, Khan, Adnan Ahmed, Khurshaid, Tahir, and Ashraf, Imran

Subjects

COMPUTER software security, COMPUTER software development, NATIONAL security, WEB-based user interfaces, COLUMBIA-Suicide Severity Rating Scale, DEEP learning

Abstract

Software-related security aspects are a growing and legitimate concern, especially with 5G data available just at our palms. To conduct research in this field, periodic comparative analysis is needed with the new techniques coming up rapidly. The purpose of this study is to review the recent developments in the field of security integration in the software development lifecycle (SDLC) by analyzing the articles published in the last two decades and to propose a way forward. This review follows Kitchenham's review protocol. The review has been divided into three main stages including planning, execution, and analysis. From the selected 100 articles, it becomes evident that need of a collaborative approach is necessary for addressing critical software security risks (CSSRs) through effective risk management/estimation techniques. Quantifying risks using a numeric scale enables a comprehensive understanding of their severity, facilitating focused resource allocation and mitigation efforts. Through a comprehensive understanding of potential vulnerabilities and proactive mitigation efforts facilitated by protection poker, organizations can prioritize resources effectively to ensure the successful outcome of projects and initiatives in today's dynamic threat landscape. The review reveals that threat analysis and security testing are needed to develop automated tools for the future. Accurate estimation of effort required to prioritize potential security risks is a big challenge in software security. The accuracy of effort estimation can be further improved by exploring new techniques, particularly those involving deep learning. It is also imperative to validate these effort estimation methods to ensure all potential security threats are addressed. Another challenge is selecting the right model for each specific security threat. To achieve a comprehensive evaluation, researchers should use well-known benchmark checklists. [ABSTRACT FROM AUTHOR]

Published

2025

2. Quantum-resilient software security: A fuzzy AHP-based assessment framework in the era of quantum computing.

Author

Almotiri, Sultan H.

Subjects

*COMPUTER software security, *INFORMATION technology, *ANALYTIC hierarchy process, *QUBITS, *MULTIPLE criteria decision making

Abstract

The introduction of quantum computing has transformed the setting of information technology, bringing both unprecedented opportunities and significant challenges. As quantum technologies continue to evolve, addressing their implications for software security has become an essential area of research. This paradigm change provides an unprecedented chance to strengthen software security from the start, presenting a plethora of novel alternatives. We use a multi-criteria decision-making methodology in this work to evaluate the efficacy of quantum computing approaches in improving software security. As the number of electronic applications grows, software developers strive to produce more sophisticated and user-friendly alternatives. However, in the pursuit of complexity, vulnerabilities may be introduced inadvertently, posing a substantial danger to software security. Our study addresses five major components of the quantum method to overcome these challenges: lattice-based cryptography, fully homomorphic algorithms, quantum key distribution, quantum hash functions, and blind quantum algorithms. The rapid development of quantum bits (qubits) regarded as basic quantum entities adds complexity and risk to the software security landscape. As a result, in the age of quantum computing, evaluating software security becomes not only necessary but also critical. To accomplish this objective, we propose the Fuzzy Analytic Hierarchy Process (F-AHP), a soft computing method, as a reliable tool for accomplishing this goal. Our research aims to prioritise security variables using quantum security criteria, providing an innovative viewpoint on software security evaluation in the quantum computing era. [ABSTRACT FROM AUTHOR]

Published

2024

3. Vulnerability detection based on transformer and high‐quality number embedding.

Author

Cao, Yang, Dong, Yunwei, and Peng, Jiajie

Subjects

COMPUTER security vulnerabilities, TRANSFORMER models, COMPUTER software security, PROGRAMMING languages, SOURCE code, DEEP learning

Abstract

Summary: Software vulnerability detection is an important problem in software security. In recent years, deep learning offers a novel approach for source code vulnerability detection. Due to the similarities between programming languages and natural languages, many natural language processing techniques have been applied to vulnerability detection tasks. However, specific problems within vulnerability detection tasks, such as buffer overflow, involve numerical reasoning. For these problems, the model needs to not only consider long dependencies and multiple relationships between statements of code but also capture the magnitude property of numerical literals in the program through high‐quality number embeddings. Therefore, we propose VDTransformer, a Transformer‐based method that improves source code embedding by integrating word and number embeddings. Furthermore, we employ Transformer encoders to construct a hierarchical neural network that extracts semantic features from the code and enables line‐level vulnerability detection. To evaluate the effectiveness of the method, we construct a dataset named OverflowGen based on templates for buffer overflow. Experimental comparisons on OverflowGen with a well‐known static vulnerability detector and two state‐of‐the‐art deep learning‐based methods confirm the effectiveness of VDTransformer and the importance of high‐quality number embeddings in vulnerability detection tasks involving numerical features. [ABSTRACT FROM AUTHOR]

Published

2024

4. Enhancing DevSecOps practice with Large Language Models and Security Chaos Engineering.

Author

Bedoya, Martin, Palacios, Sara, Díaz-López, Daniel, Laverde, Estefania, and Nespoli, Pantaleone

Subjects

*LANGUAGE models, *COMPUTER software security, *RATE of return, *CLOUD computing, *FOREIGN language education

Abstract

Recently, the DevSecOps practice has improved companies' agile production of secure software, reducing problems and improving return on investment. However, overreliance on security tools and traditional security techniques can facilitate the implementation of vulnerabilities in different stages of the software lifecycle.. Thus, this paper proposes the integration of a Large Language Model to help automate threat discovery at the design stage and Security Chaos Engineering to support the identification of security flaws that may be undetected by security tools. A specific use case is described to demonstrate how our proposal can be applied to a retail company that has the business need to produce rapidly secure software. [ABSTRACT FROM AUTHOR]

Published

2024

5. Defect-scanner: a comparative empirical study on language model and deep learning approach for software vulnerability detection.

Author

Pham, Van-Hau, Hien, Do Thi Thu, Hoang, Hien Do, and Duy, Phan The

Subjects

*LANGUAGE models, *COMPUTER security vulnerabilities, *COMPUTER software security, *PROGRAMMING languages, *SOURCE code, *DEEP learning, *NATURAL language processing

Abstract

The complex and rapidly evolving nature of modern software landscapes introduces challenges such as increasingly sophisticated cyber threats, the diversity in programming languages and coding styles, and the need to identify subtle patterns indicative of vulnerabilities. These hurdles underscore the necessity for advanced techniques that can effectively cope with the intricacies of software security. Hence, this paper gives a comparative empirical study in harnessing the potential of cutting-edge natural language processing (NLP) advancements, namely Word2Vec and CodeBERT to detect vulnerabilities in C and C++ programs in the proposed Defect-Scanner framework. With the capability of converting code components and source code into contextual embedding vectors, various potential NLP techniques are combined with several DL models to evaluate the precision and accuracy of identifying vulnerabilities within software systems. Moreover, the experimentations are conducted using datasets with different representation types of codes, aiming to figure out the best combination of NLP techniques and DL models to work with each form of input. As a result, besides the outperformance of CodeBERT-based models with accuracies of approximately 90%, this comparative study also provides a comprehensive evaluation of NLP-based software vulnerability detection in the face of intricate security challenges. [ABSTRACT FROM AUTHOR]

Published

2024

6. The Impact of Competition Intensity on Software Security: An Empirical Analysis of Web Browser Patch Releases.

Author

Jo, Arrah-Marie

Subjects

INFORMATION technology security, COMPUTER security vulnerabilities, INTERNET security, COMPUTER software security, FREEWARE (Computer software), SOFTWARE upgrades

Abstract

This paper investigates the relationship between competition intensity and the security level provided by software vendors, in particular when the software is free of charge to users. We examine the case of web browsers, a key component of internet security where vendors compete on quality and generate revenue through advertising. Using a pooled cross-sectional dataset on web browser security patch releases from 2009 to 2018, we analyze how competition affects the promptness of these releases. Our findings reveal that higher market concentration can enhance a vendor's responsiveness in addressing vulnerabilities, though this positive effect weakens when a vendor becomes excessively dominant. [ABSTRACT FROM AUTHOR]

Published

2024

7. Slicing Through the Noise: Efficient Crash Deduplication via Trace Reconstruction and Fuzzy Hashing.

Author

Pang, Ling, Qian, Cheng, Kuang, Xiaohui, Qin, Jiuren, Zang, Yujie, and Zhang, Jiapeng

Subjects

COMPUTER software security, COMPUTER software testing, RESEARCH personnel, NOISE

Abstract

In contemporary software security testing, fuzzing is a pervasive methodology employed to identify vulnerabilities. However, one of the most significant challenges is the vast number of crash reports, many of which are repetitive, resulting in an increased analysis burden for security researchers. To address this issue, we propose a novel method for reducing crash redundancy and grouping similar crashes based on their execution traces. By leveraging the Intel Processor Trace (PT), we can reconstruct the instruction flow of the last executed function in each crash and extract its relevant instruction slice through data dependency backward slicing. The registers are abstracted, and the immediate values are generalized to normalize the instruction sequence. Subsequently, fuzzy hashing is applied to the generalized instruction sequences, and a similarity-based greedy strategy is employed for grouping. The method effectively reduces the workload by clustering crashes with similar root causes, leaving analysts with only representative samples to investigate. Furthermore, compared with conventional stack hashing techniques, our methodology demonstrates an average improvement in accuracy of 15.38% across four programs, with a total of 281 crashes. [ABSTRACT FROM AUTHOR]

Published

2024

8. MultiTagging: A Vulnerable Smart Contract Labeling and Evaluation Framework.

Author

Alsunaidi, Shikah J., Aljamaan, Hamoud, and Hammoudeh, Mohammad

Subjects

COMPUTER security vulnerabilities, COMPUTER software security, DATA analysis, VOTING, TAXONOMY

Abstract

Identifying vulnerabilities in Smart Contracts (SCs) is crucial, as they can lead to significant financial losses if exploited. Although various SC vulnerability identification methods exist, selecting the most effective approach remains challenging. This article examines these challenges and introduces solutions to enhance SC vulnerability identification. It introduces MultiTagging, a modular SC multi-labeling framework designed to overcome limitations in existing SC vulnerability identification approaches. MultiTagging automates SC vulnerability tagging by parsing analysis reports and mapping tool-specific tags to standardized labels, including SC Weakness Classification (SWC) codes and Decentralized Application Security Project (DASP) ranks. Its mapping strategy and the proposed vulnerability taxonomy resolve tool-level labeling inconsistencies, where different tools use distinct labels for identical vulnerabilities. The framework integrates an evaluation module to assess SC vulnerability identification methods. MultiTagging enables both tool-based and vote-based SC vulnerability labeling. To improve labeling accuracy, the article proposes Power-based voting, a method that systematically defines voter roles and voting thresholds for each vulnerability. MultiTagging is used to evaluate labeling across six tools: MAIAN, Mythril, Semgrep, Slither, Solhint, and VeriSmart. The results reveal high coverage for Mythril, Slither, and Solhint, which identified eight, seven, and six DASP classes, respectively. Tool performance varied, underscoring the impracticality of relying on a single tool to identify all vulnerability classes. A comparative evaluation of Power-based voting and two threshold-based methods—AtLeastOne and Majority voting—shows that while voting methods can increase vulnerability identification coverage, they may also reduce detection performance. Power-based voting proved more effective than pure threshold-based methods across all vulnerability classes. [ABSTRACT FROM AUTHOR]

Published

2024

9. A Fuzzing Tool Based on Automated Grammar Detection.

Author

Song, Jia and Alves-Foss, Jim

Subjects

COMPUTER security vulnerabilities, COMPUTER software security, COMPUTER software development, SOURCE code, COMPUTER software quality control

Abstract

Software testing is an important step in the software development life cycle to ensure the quality and security of software. Fuzzing is a security testing technique that finds vulnerabilities automatically without accessing the source code. We built a fuzzer, called JIMA-Fuzzing, which is an effective fuzzing tool that utilizes grammar detected from sample input. Based on the detected grammar, JIMA-Fuzzing selects a portion of the valid user input and fuzzes that portion. For example, the tool may greatly increase the size of the input, truncate the input, replace numeric values with new values, replace words with numbers, etc. This paper discusses how JIMA-Fuzzing works and shows the evaluation results after testing against the DARPA Cyber Grand Challenge (CGC) dataset. JIMA-Fuzzing is capable of extracting grammar from sample input files, meaning that it does not require access to the source code to generate effective fuzzing files. This feature allows it to work with proprietary or non-open-source programs and significantly reduces the effort needed from human testers. In addition, compared to fuzzing tools guided with symbolic execution or taint analysis, JIMA-Fuzzing takes much less computing power and time to analyze sample input and generate fuzzing files. However, the limitation is that JIMA-Fuzzing relies on good sample inputs and works primarily on programs that require user interaction/input. [ABSTRACT FROM AUTHOR]

Published

2024

10. A SWOT Analysis of Software Development Life Cycle Security Metrics.

Author

Khalid, Ayesha, Raza, Mushtaq, Afsar, Palwasha, Khan, Rafiq Ahmad, Mohmand, Muhammad Ismail, and Rahman, Hanif Ur

Subjects

*SOFTWARE engineering, *COMPUTER software security, *COMPUTER software development, *SECURITY systems, *INTERNET security

Abstract

ABSTRACT Cyber security is an ongoing and critical concern due to persistent threats posed by threat actors, such as hackers and crackers. With the development of information and communication technologies (ICT), the widespread usage of software systems has transformed modern society in many ways but also created new issues in protecting confidential and sensitive information. The quantification of security measures can provide evidence to support decision‐making in software security, particularly when assessing the security performance of software systems. This entails understanding the key quality criteria of security metrics, which can assist in constructing security models aligned with practical requirements. To delve deeper into this subject, the current study conducted a systematic literature review (SLR) on security metrics and measures within the realm of secure software development (SSD). The study selected 61 research publications for data extraction based on the specific inclusion and exclusion criteria. The study identified 215 software security metrics and classified them into different phases of software development life cycle (SDLC). In order to evaluate the most cited metrics in each phase of SDLC, the strengths, weaknesses, opportunities, and threats (SWOT) analysis was performed. The SWOT analysis offers a structured framework enabling researchers to make more effective, well‐informed decisions and mitigate potential risks, ultimately contributing to more valuable research findings. The study's findings provide researchers guidance for exploring emerging trends and addressing existing gaps in SDLC. This study also provides software professionals with a more comprehensive understanding of security measurements, constraints, and open‐ended specific and general issues. [ABSTRACT FROM AUTHOR]

Published

2024

11. DSHGT: Dual-Supervisors Heterogeneous Graph Transformer—A Pioneer Study of Using Heterogeneous Graph Learning for Detecting Software Vulnerabilities.

Author

Zhang, Tiehua, Xu, Rui, Zhang, Jianping, Liu, Yuze, Chen, Xin, Yin, Jun, and Zheng, Xi

Subjects

GRAPH neural networks, COMPUTER security vulnerabilities, COMPUTER software security, REPRESENTATIONS of graphs, DEEP learning

Abstract

Vulnerability detection is a critical problem in software security and attracts growing attention both from academia and industry. Traditionally, software security is safeguarded by designated rule-based detectors that heavily rely on empirical expertise, requiring tremendous effort from software experts to generate rule repositories for large code corpus. Recent advances in deep learning, especially Graph Neural Networks (GNN), have uncovered the feasibility of automatic detection of a wide range of software vulnerabilities. However, prior learning-based works only break programs down into a sequence of word tokens for extracting contextual features of codes, or apply GNN largely on homogeneous graph representation (e.g., AST) without discerning complex types of underlying program entities (e.g., methods, variables). In this work, we are one of the first to explore heterogeneous graph representation in the form of Code Property Graph and adapt a well-known heterogeneous graph network with a dual-supervisor structure for the corresponding graph learning task. Using the prototype built, we have conducted extensive experiments on both synthetic datasets and real-world projects. Compared with the state-of-the-art baselines, the results demonstrate superior performance in vulnerability detection (average F1 improvements over 10% in real-world projects) and language-agnostic transferability from C/C \({+}{+}\) to other programming languages (average F1 improvements over 11%). [ABSTRACT FROM AUTHOR]

Published

2024

12. Classifying software security requirements into confidentiality, integrity, and availability using machine learning approaches.

Author

Bagies, Taghreed

Subjects

MACHINE learning, K-nearest neighbor classification, SUPPORT vector machines, COMPUTER software security, SOFTWARE engineers

Abstract

Security requirements are considered one of the most important non-functional requirements of software. The CIA (confidentiality, integrity, and availability) triad forms the basis for the development of security systems. Each dimension is expressed as having many security requirements that should be designed, implemented, and tested. However, requirements are written in a natural language and may suffer from ambiguity and inconsistency, which makes it harder to distinguish between different security dimensions. Recognizing the security dimensions in a requirements document should facilitate tracing the requirements and ensuring that a dimension has been implemented in a software system. This process should be automated to reduce time and effort for software engineers. In this paper, we propose to classify the security requirements into CIA triads using Term frequency-inverse document frequency and sentence-transformer embedding as two different technologies for feature extraction. For both techniques, we developed five models by using five well-known machine learning algorithms: (1) support vector machine (SVM), (2) K-nearest neighbors (KNN), (3) Random Forest (RF), (4) gradient boosting (GB), and (5) Bernoulli Naive Bayes (BNB). Also, we developed a web interface that facilitates real-time analysis and classifies security requirements into CIA triads. Our results revealed that SVM with the sentence-transformer technique outperformed all classifiers by 87% accuracy in predicting a type of security dimension. [ABSTRACT FROM AUTHOR]

Published

2024

13. A Secure Auditable Remote Registry Pattern for IoT Systems.

Author

Maña, Antonio, Jaime, Francisco J., and Gutiérrez, Lucía

Subjects

COMPUTER software security, LEGACY systems, FOOD industry, LINGUISTICS, INTERNET of things, SOFTWARE engineering

Abstract

In software engineering, pattern papers serve the purpose of providing a description of a generalized, reusable solution to recurring design problems, based on practical experience and established best practices. This paper presents an architectural pattern for a Secure Auditable Registry service based on Message-Oriented Middleware to be used in large-scale IoT systems that must provide auditing capabilities to external entities. To prepare the pattern, the direct experience in applying the pattern solution in an industry-funded R&D project has been a key aspect because it has allowed us to gain a deep understanding of the problem and the solution, and it has contributed to the correctness and real-world applicability of the pattern as described. To further improve the quality of the paper, we have followed the commonly accepted practices in pattern development (including peer reviews) to ensure that the core aspects of the solution are correctly represented and that the description allows it to be applicable to similar problems in other domains, such as healthcare, autonomous devices, banking, food tracing or manufacturing to name a few. The work done in applying this pattern confirms that it solves a recurring problem for IoT systems, but also that it can be adopted in other domains, providing an effective solution in order to achieve enhancement of the auditability capabilities of the target systems. This pattern will be part of a pattern language (i.e., a family of related patterns) that we are developing for transitioning from legacy systems to IoT with an emphasis on security. [ABSTRACT FROM AUTHOR]

Published

2024

14. Using Artificial Intelligence and SDN for Dynamic Scalable Control of Security Rules: An IoT Security Solution.

Author

Karim, Abderrazek, Zeroual, Mustapha, Baddi, Youssef, Toumi, Hicham, and Bensalah, Faysal

Subjects

ARTIFICIAL intelligence, SOFTWARE-defined networking, SOFTWARE maintenance, COMPUTER software security, ELECTRONIC data processing

Abstract

Introduction The widespread uptake of the Internet of Things (IoT) has brought forth numerous security concerns as IoT environments become more heterogeneous, larger, and complex.Because of the evolving threats and large-scale management needed for IoT, traditional security models are often ill-equipped to keep up. In this context, researchers have started exploring the integration of Artificial Intelligence (AI) and Software-Defined Networking as an alternative solution for adapting and scaling IoT security management. In this article, we take a look at how both technologies are used together and contribute to increasing security for IoT. It starts by describing the major challenges and issues that are seen in securing IoT systems, like device heterogeneity, mass scale updating software security patches etc., visibility and control. It next explores the benefits of AI and SDN separately, describing how security rule settings can be automated using an AI-based method to enhance threat detection (through better performance prediction) and provide intelligent resource orchestration with respect to IoT networks as well as centralized programming by employing a single control plane that seamlessly scales for data processing. The article also went on to explain the promise of AI-SDN hybrid solutions in which data from both technologies is correlated creating a comprehensive IoT security environment that can power automated decision making and quick application of security policies. Apart from that, it documents some relevant case studies and also provides several practical insights into enforcing AI/SDN-driven IoT security solutions with the help of existing infrastructure in tandem with discussing future trends hitting cybersecurity perimeter. The presented work reveals that integration of AI and SDN has the vast capability to combat security issues in IoT environment. [ABSTRACT FROM AUTHOR]

Published

2024

15. Towards a security‐optimized approach for the microservice‐oriented decomposition.

Author

Liu, Xiaodong, Chen, Zhikun, Qian, Yu, Zhong, Chenxing, Huang, Huang, Li, Shanshan, and Shao, Dong

Subjects

*OPTIMIZATION algorithms, *DATA security, *ARCHITECTURAL style, *EVIDENCE gaps, *COMPUTER software security

Abstract

Microservice architecture (MSA) is a mainstream architectural style due to its high maintainability and scalability. In practice, an appropriate microservice‐oriented decomposition is the foundation to make a system enjoy the benefits of MSA. In terms of decomposing monolithic systems into microservices, researchers have been exploring many optimization objectives, of which modularity is a predominantly focused quality attribute. Security is also a critical quality attribute, that measures the extent to which a system protects data from malicious access or use by attackers. Considering security in microservices‐oriented decomposition can help avoid the risk of leaking critical data and other unexpected software security issues. However, few researchers consider the security objective during microservice‐oriented decomposition, because the measurement of security and the trade‐off with other objectives are challenging in reality. To bridge this research gap, we propose a security‐optimized approach for microservice‐oriented decomposition (So4MoD). In this approach, we adapt five metrics from previous studies for the measurement of the data security of candidate microservices. A multi‐objective optimization algorithm based on NSGA‐II is designed to search for microservices with optimized security and modularity. To validate the effectiveness of the proposed So4MoD, we perform several experiments on eight open‐source projects and compare the decomposition results to other three state‐of‐the‐art approaches, that is, FoSCI, CO‐GCN, and MSExtractor. The experiment results show that our approach can achieve at least an 11.5% improvement in terms of security metrics. Moreover, the decomposition results of So4MoD outperform other approaches in four modularity metrics, demonstrating that So4MoD can optimize data security while pursuing a well‐modularized MSA. [ABSTRACT FROM AUTHOR]

Published

2024

16. StackGuard+$\text{StackGuard}^+$: Interoperable alternative to canary‐based protection of stack smashing.

Author

Kim, Kangmin, Kim, Jeong‐Nyeo, and Lee, Seungkwang

Subjects

*COMPUTER software security, *SOURCE code, *CANARIES, *SCRIPTS, *HARDWARE

Abstract

This paper introduces a novel software‐based approach to enhancing stack smashing protection in C/C++ applications, specifically targeting return‐oriented programming attacks, which remain a significant threat to firmware and software security. Traditional canary‐based protections are vulnerable to brute‐force and format string attacks. Additionally, many stack protection mechanisms require access to the source code or recompilation, complicating the security of existing binaries. This paper proposes a new method, aptly named StackGuard+$\text{StackGuard}^+$, that modifies the canary‐based protection mechanism by altering the code responsible for canary insertion and verification. This change ensures the integrity of the return address while maintaining the original code size, allowing for seamless interoperability without the need for recompilation or additional hardware. The approach can be automated using a Python script, which modifies existing canary‐based binaries with only 26 bytes of machine code on the ×$\times$86‐64 platform. Moreover, this approach can be easily adapted to other platforms, including ×$\times$86 and ARM64. [ABSTRACT FROM AUTHOR]

Published

2024

17. Early mitigation of CPU-optimized ransomware using monitoring encryption instructions.

Author

Enomoto, Shuhei, Kuzuno, Hiroki, Yamada, Hiroshi, Shiraishi, Yoshiaki, and Morii, Masakatu

Subjects

*ANTIVIRUS software, *COMPUTER software security, *COMMUNICATION infrastructure, *COMPUTER systems, *CLOUD computing, *RANSOMWARE

Abstract

Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure as a service, are prime targets for ransomware developers. To address this, security mechanisms, such as antivirus software, have proven effective. Moreover, research on ransomware detection advocates for behavior-based finding mechanisms while ransomware is in operation. In response to evolving detections, ransomware developers are now adapting an optimized design tailored for CPU architecture (CPU-optimized ransomware). This variant can rapidly encrypt files, potentially evading detection by traditional antivirus methods that rely on fixed time intervals for file scans. In ransomware detection research, numerous files can be encrypted by CPU-optimized ransomware until malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, which is designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer focuses on the misuse of CPU architecture-specific encryption instructions for swift file encryption by CPU-optimized ransomware. This can be achieved by capturing the ciphertext in user processes and thwarting file encryption by scrutinizing the content intended for writing. To demonstrate the efficacy of CryptoSniffer, the mechanism was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, and the performance overhead is well-suited for practical applications. [ABSTRACT FROM AUTHOR]

Published

2024

18. TACSan: Enhancing Vulnerability Detection with Graph Neural Network.

Author

Zeng, Qingyao, Xiong, Dapeng, Wu, Zhongwang, Qian, Kechang, Wang, Yu, and Su, Yinghao

Subjects

GRAPH neural networks, SOURCE code, COMPUTER software security, LEXICAL access, COMPUTER software

Abstract

With the increasing scale and complexity of software, the advantages of using neural networks for static vulnerability detection are becoming increasingly prominent. Before inputting into a neural network, the source code needs to undergo word embedding, transforming discrete high-dimensional text data into low-dimensional continuous vectors suitable for training in neural networks. However, analysis has revealed that different implementation ideas by code writers for the same functionality can lead to varied code implementation methods. Embedding different code texts into vectors results in distinctions that can reduce the robustness of a model. To address this issue, this paper explores the impact of converting source code into different forms on word embedding and finds that a TAC (Three-Address Code) can significantly eliminate noise caused by different code implementation approaches. Given the excellent capability of a GNN (Graph Neural Network) in handling non-Euclidean space data and complex features, this paper subsequently employs a GNN to learn and classify vulnerabilities by capturing the implicit syntactic structure information in a TAC. Based on this, this paper introduces TACSan, a novel static vulnerability detection system based on a GNN designed to detect vulnerabilities in C/C++ programs. TACSan transforms the preprocessed source code into a TAC representation, adds control and data edges to create a graph structure, and then inputs it into the GNN for training. Comparative testing and evaluation of TACSan against other renowned static analysis tools, such as VulDeePecker and Devign, demonstrate that TACSan's detection capabilities not only exceed those methods but also achieve substantial enhancements in accuracy and F1 score. [ABSTRACT FROM AUTHOR]

Published

2024

19. Automotive Cybersecurity: A Survey on Frameworks, Standards, and Testing and Monitoring Technologies.

Author

Kifor, Claudiu Vasile and Popescu, Aurelian

Subjects

*DATA privacy, *EVIDENCE gaps, *COMPUTER software security, *SOFTWARE engineers, *RESEARCH personnel

Abstract

Modern vehicles are increasingly interconnected through various communication channels, which requires secure access for authorized users, the protection of driver assistance and autonomous driving system data, and the assurance of data integrity against misuse or manipulation. While these advancements offer numerous benefits, recent years have exposed many intrusion incidents, revealing vulnerabilities and weaknesses in current systems. To sustain and enhance the performance, quality, and reliability of vehicle systems, software engineers face significant challenges, including in diverse communication channels, software integration, complex testing, compatibility, core reusability, safety and reliability assurance, data privacy, and software security. Addressing cybersecurity risks presents a substantial challenge in finding practical solutions to these issues. This study aims to analyze the current state of research regarding automotive cybersecurity, with a particular focus on four main themes: frameworks and technologies, standards and regulations, monitoring and vulnerability management, and testing and validation. This paper highlights key findings, identifies existing research gaps, and proposes directions for future research that will be useful for both researchers and practitioners. [ABSTRACT FROM AUTHOR]

Published

2024

20. Multi-class vulnerability prediction using value flow and graph neural networks.

Author

McLaughlin, Connor and Lu, Yi

Subjects

*GRAPH neural networks, *MACHINE learning, *KNOWLEDGE representation (Information theory), *COMPUTER security vulnerabilities, *COMPUTER software security

Abstract

In recent years, machine learning models have been increasingly used to detect security vulnerabilities in software, due to their ability to achieve high performance and lower false positive rates compared to traditional program analysis tools. However, these models often lack the capability to provide a clear explanation for why a program has been flagged as vulnerable, leaving developers with little reasoning to work with. We present a new method which not only identifies the presence of vulnerabilities in a program, but also the specific type of error, considering the whole program rather than just individual functions. Our approach utilizes graph neural networks that employ inter-procedural value flow graphs, and instruction embedding from the LLVM Intermediate Representation, to predict a class. By mapping these classes to the Common Weakness Enumeration list, we provide a clear indication of the security issue found, saving developers valuable time which would otherwise be spent analyzing a binary vulnerable/non-vulnerable label. To evaluate our method's effectiveness, we used two datasets: one containing memory-related errors (out of bound array accesses), and the other a range of vulnerabilities from the Juliet Test Suite, including buffer and integer overflows, format strings, and invalid frees. Our model, implemented using PyTorch and the Gated Graph Sequence Neural Network from Torch-Geometric, achieved a precision of 96.35 and 91.59% on the two datasets, respectively. Compared to common static analysis tools, our method produced roughly half the number of false positives, while identifying approximately three times the number of vulnerable samples. Compared to recent machine learning systems, we achieve similar performance while offering the added benefit of differentiating between classes. Overall, our approach represents a meaningful improvement in software vulnerability detection, providing developers with valuable insights to better secure their code. [ABSTRACT FROM AUTHOR]

Published

2024

21. NG_MDERANK: A software vulnerability feature knowledge extraction method based on N‐gram similarity.

Author

Wu, Xiaoxue, Weng, Shiyu, Zheng, Bin, Zheng, Wei, Chen, Xiang, and Sun, Xiaobin

Subjects

*COMPUTER security vulnerabilities, *COMPUTER software security, *KNOWLEDGE graphs, *FEATURE extraction, *PROBLEM solving, *DATA extraction

Abstract

As software grows in size and complexity, software vulnerabilities are increasing, leading to a range of serious insecurity issues. Open‐source software vulnerability reports and documentation can provide researchers with great convenience for analysis and detection. However, the quality of different data sources varies, the data are duplicated and lack of correlation, which often requires a lot of manual management and analysis. In order to solve the problems of scattered and heterogeneous data and lack of correlation in traditional vulnerability repositories, this paper proposes a software vulnerability feature knowledge extraction method that combines the N‐gram model and mask similarity. The method generates mask text data based on the extraction of N‐gram candidate keywords and extracts vulnerability feature knowledge by calculating the similarity of mask text. This method analyzes the samples efficiently and stably in the environment of large sample size and complex samples and can obtain high‐value semi‐structured data. Then, the final node, relationship, and attribute information are obtained by secondary knowledge cleaning and extraction of the extracted semi‐structured data results. And based on the extraction results, the corresponding software vulnerability domain knowledge graph is constructed to deeply explore the semantic information features and entity relationships of vulnerabilities, which can help to efficiently study software security problems and solve vulnerability problems. The effectiveness and superiority of the proposed method is verified by comparing it with several traditional keyword extraction algorithms on Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) vulnerability data. [ABSTRACT FROM AUTHOR]

Published

2024

22. Survey on identification and prediction of security threats using various deep learning models on software testing.

Author

., Suman and Khan, Raees Ahmad

Subjects

DEEP learning, COMPUTER software testing, GENERATIVE adversarial networks, CAPSULE neural networks, CONVOLUTIONAL neural networks, COMPUTER software security

Abstract

In this research, authors give a literature analysis of the methods used to detect and anticipate security risks in software testing by using a number of deep learning models. The purpose of this study is to conduct a literature review on the use of deep learning models in software testing for the purpose of detecting and predicting security issues. Moreover, the motive of this work is to analyze the exiting techniques related as software testing model and its application oriented performance. A thorough search of the available literature across several databases and resources forms the basis of this evaluation. There are a total of 69 publications found via the search, 34 of which are original research. Convolutional neural networks, long short-term memory networks, generative adversarial networks, and capsule networks are only some of the state-of-the-art methods for identifying and predicting security risks that are the topic of this research study. Datasets, performance indicators, and assessment criteria are all dissected for this examination. Finally, the benefits and drawbacks of using deep learning models to detect and anticipate software security flaws during testing are outlined in this article. Software testing experts and academics will benefit from this study since it will shed light on the present state of the art in the area and provide direction for the creation of innovative approaches to the detection and forecasting of security risks in software testing. [ABSTRACT FROM AUTHOR]

Published

2024

23. A catalog of metrics at source code level for vulnerability prediction: A systematic mapping study.

Author

Codabux, Zadia, Zakia Sultana, Kazi, and Chowdhury, Md Naseef‐Ur‐Rahman

Subjects

*MACHINE learning, *SOFTWARE measurement, *SOURCE code, *COMPUTER software security, *RANDOM forest algorithms, *COMPUTER security vulnerabilities

Abstract

Industry practitioners assess software from a security perspective to reduce the risks of deploying vulnerable software. Besides following security best practice guidelines during the software development life cycle, predicting vulnerability before roll‐out is crucial. Software metrics are popular inputs for vulnerability prediction models. The objective of this study is to provide a comprehensive review of the source code‐level security metrics presented in the literature. Our systematic mapping study started with 1451 studies obtained by searching the four digital libraries from ACM, IEEE, ScienceDirect, and Springer. After applying our inclusion/exclusion criteria as well as the snowballing technique, we narrowed down 28 studies for an in‐depth study to answer four research questions pertaining to our goal. We extracted a total of 685 code‐level metrics. For each study, we identified the empirical methods, quality measures, types of vulnerabilities of the prediction models, and shortcomings of the work. We found that standard machine learning models, such as decision trees, regressions, and random forests, are most frequently used for vulnerability prediction. The most common quality measures are precision, recall, accuracy, and F‐measure. Based on our findings, we conclude that the list of software metrics for measuring code‐level security is not universal or generic yet. Nonetheless, the results of our study can be used as a starting point for future studies aiming at improving existing security prediction models and a catalog of metrics for vulnerability prediction for software practitioners. [ABSTRACT FROM AUTHOR]

Published

2024

24. Deep Domain Adaptation With Max-Margin Principle for Cross-Project Imbalanced Software Vulnerability Detection.

Author

Nguyen, Van, Le, Trung, Tantithamthavorn, Chakkrit, Grundy, John, and Phung, Dinh

Subjects

COMPUTER security vulnerabilities, ARTIFICIAL intelligence, COMPUTER software, COMPUTER software security, APPLICATION software, COMPUTER software testing

Abstract

Software vulnerabilities (SVs) have become a common, serious, and crucial concern due to the ubiquity of computer software. Many AI-based approaches have been proposed to solve the software vulnerability detection (SVD) problem to ensure the security and integrity of software applications (in both the development and testing phases). However, there are still two open and significant issues for SVD in terms of (i) learning automatic representations to improve the predictive performance of SVD, and (ii) tackling the scarcity of labeled vulnerability datasets that conventionally need laborious labeling effort by experts. In this paper, we propose a novel approach to tackle these two crucial issues. We first exploit the automatic representation learning with deep domain adaptation for SVD. We then propose a novel cross-domain kernel classifier leveraging the max-margin principle to significantly improve the transfer learning process of SVs from imbalanced labeled into imbalanced unlabeled projects. Our approach is the first work that leverages solid body theories of the max-margin principle, kernel methods, and bridging the gap between source and target domains for imbalanced domain adaptation (DA) applied in cross-project SVD. The experimental results on real-world software datasets show the superiority of our proposed method over state-of-the-art baselines. In short, our method obtains a higher performance on F1-measure, one of the most important measures in SVD, from 1.83% to 6.25% compared to the second highest method in the used datasets. [ABSTRACT FROM AUTHOR]

Published

2024

25. Enhancing Software Code Vulnerability Detection Using GPT-4o and Claude-3.5 Sonnet: A Study on Prompt Engineering Techniques.

Author

Bae, Jaehyeon, Kwon, Seoryeong, and Myeong, Seunghwan

Subjects

COMPUTER security vulnerabilities, LANGUAGE models, SONNET, COMPUTER software security, GENERATIVE pre-trained transformers

Abstract

This study investigates the efficacy of advanced large language models, specifically GPT-4o, Claude-3.5 Sonnet, and GPT-3.5 Turbo, in detecting software vulnerabilities. Our experiment utilized vulnerable and secure code samples from the NIST Software Assurance Reference Dataset (SARD), focusing on C++, Java, and Python. We employed three distinct prompting techniques as follows: Concise, Tip Setting, and Step-by-Step. The results demonstrate that GPT-4o and Claude-3.5 Sonnet significantly outperform GPT-3.5 Turbo in vulnerability detection. GPT-4o showed the highest improvement with the Step-by-Step prompt, achieving an F1 score of 0.9072. Claude-3.5 Sonnet exhibited consistent high performance across all prompt types, with its Step-by-Step prompt yielding the best overall results (F1 score: 0.8933, AUC: 0.74). In contrast, GPT-3.5 Turbo showed minimal performance changes across prompts, with the Tip Setting prompt performing best (AUC: 0.65, F1 score: 0.6772), yet significantly lower than the other models. Our findings highlight the potential of advanced models in enhancing software security and underscore the importance of prompt engineering in optimizing their performance. [ABSTRACT FROM AUTHOR]

Published

2024

26. A Game-Theoretical Self-Adaptation Framework for Securing Software-Intensive Systems.

Author

Li, Nianyu, Zhang, Mingyue, Li, Jialong, Adepu, Sridhar, Kang, Eunsuk, and Jin, Zhi

Subjects

MACHINE translating, MULTIPLAYER games, WATER purification, GAME theory, MODEL theory, PHYSIOLOGICAL adaptation, COMPUTER software security

Abstract

Security attacks present unique challenges to the design of self-adaptation mechanism for software-intensive systems due to the adversarial nature of the environment. Game-theoretical approaches have been explored in security to model malicious behaviors and design reliable defense for the system in a mathematically grounded manner. However, modeling the system as a single player, as done in prior works, is insufficient for the system under partial compromise and for the design of fine-grained defensive policies where the rest of the system with autonomy can cooperate to mitigate the impact of attacks. To address such issues, we propose a new self-adaptation framework incorporating Bayesian game theory and model the defender (i.e., the system) at the granularity of components. Under security attacks, the architecture model of the system is automatically translated, by the proposed translation process with designed algorithms, into a multi-player Bayesian game. This representation allows each component to be modeled as an independent player, while security attacks are encoded as variant types for the components. By solving for pure equilibrium (i.e., adaptation response), the system's optimal defensive strategy is dynamically computed, enhancing system resilience against security attacks by maximizing system utility. We validate the effectiveness of our framework through two sets of experiments using generic benchmark tasks tailored for the security domain. Additionally, we exemplify the practical application of our approach through a real-world implementation in the Secure Water Treatment System to demonstrate the applicability and potency in mitigating security risks. [ABSTRACT FROM AUTHOR]

Published

2024

27. Assessment of Software Vulnerability Contributing Factors by Model-Agnostic Explainable AI.

Author

Li, Ding, Liu, Yan, and Huang, Jun

Subjects

COMPUTER security vulnerabilities, ARTIFICIAL intelligence, COMPUTER software security, SOFTWARE reliability, INFORMATION retrieval

Abstract

Software vulnerability detection aims to proactively reduce the risk to software security and reliability. Despite advancements in deep-learning-based detection, a semantic gap still remains between learned features and human-understandable vulnerability semantics. In this paper, we present an XAI-based framework to assess program code in a graph context as feature representations and their effect on code vulnerability classification into multiple Common Weakness Enumeration (CWE) types. Our XAI framework is deep-learning-model-agnostic and programming-language-neutral. We rank the feature importance of 40 syntactic constructs for each of the top 20 distributed CWE types from three datasets in Java and C++. By means of four metrics of information retrieval, we measure the similarity of human-understandable CWE types using each CWE type's feature contribution ranking learned from XAI methods. We observe that the subtle semantic difference between CWE types occurs after the variation in neighboring features' contribution rankings. Our study shows that the XAI explanation results have approximately 78% Top-1 to 89% Top-5 similarity hit rates and a mean average precision of 0.70 compared with the baseline of CWE similarity identified by the open community experts. Our framework allows for code vulnerability patterns to be learned and contributing factors to be assessed at the same stage. [ABSTRACT FROM AUTHOR]

Published

2024

28. RepFTI: Representation-Fused Function-Type Inference for Vehicular Secure Software Systems.

Author

Yi, Xiaoyu, Li, Gaolei, Li, Jianhua, and Ding, Ao

Subjects

SYSTEMS software, SECURITY systems software, COMPUTER software security, REVERSE engineering, PROBLEM solving

Abstract

To enhance the security of vehicular software systems, inversely identifying the underlying function types of binary files plays a key role in threat discovery. However, existing function-type inference (FTI) methods can only provide a suboptimal performance because of splitting binary files into multiple sub-blocks as inputs, which results in breaking the program context logic and complete data dependency. To solve this problem, we propose a novel representation-fused function-type inference (RepFTI) framework for secure vehicular software systems. First, the RepFTI learns semantic representations of assembly codes and then extracts node representations in the function call graph by the multi-head attention mechanism of Graph-Attention Transformer (GAT) models. Second, the RepFTI fuses these representations to accurately infer the function type. With RepFTI, the specific limits of in-vehicle software will be bypassed, which proposes a promising direction for other work that relies on reverse engineering to improve software security. [ABSTRACT FROM AUTHOR]

Published

2024

29. WolfFuzz: A Dynamic, Adaptive, and Directed Greybox Fuzzer.

Author

Zeng, Qingyao, Xiong, Dapeng, Wu, Zhongwang, Qian, Kechang, Wang, Yu, and Su, Yinghao

Subjects

GREY Wolf Optimizer algorithm, COMPUTER software security

Abstract

As the directed greybox fuzzing (DGF) technique advances, it is being extensively utilized in various fields such as defect reproduction, patch testing, and vulnerability identification. Nevertheless, current DGFs waste a significant amount of resources due to their simplistic distance definitions and overly straightforward energy distribution for the seeds. To address these issues, a dynamic distance-weighting-based distance estimation strategy is proposed first, which facilitates strategies for seed distribution that take energy into consideration. Second, to overcome the limitations of current seed energy distribution strategies, the gray wolf optimizer (GWO) is improved by integrating four strategies, leading to the development of the improved gray wolf optimizer (IGWO). Lastly, an adaptive search algorithm is proposed, and the WolfFuzz prototype tool is implemented. In vulnerability recurrence scenarios, WolfFuzz is 3.2× faster on average compared with the baseline and reproduces 76.4% of existing bugs faster. WolfFuzz also discovers nine different types of bugs in seven real-world programs. [ABSTRACT FROM AUTHOR]

Published

2024

30. GRASE: Granulometry Analysis With Semi Eager Classifier to Detect Malware.

Author

Deore, Mahendra, Tarambale, Manoj, Kumar, Jambi Ratna Raja, and Sakhare, Sachin

Subjects

TECHNOLOGICAL innovations, DATABASES, MALWARE, COMPUTER software security, MACHINE learning, CYBERSPACE

Abstract

Technological advancement in communication leading to 5G, motivates everyone to get connected to the internet including 'Devices', a technology named Web of Things (WoT). The community benefits from this large-scale network which allows monitoring and controlling of physical devices. But many times, it costs the security as MALicious softWARE (MalWare) developers try to invade the network, as for them, these devices are like a 'backdoor' providing them easy 'entry'. To stop invaders from entering the network, identifying malware and its variants is of great significance for cyberspace. Traditional methods of malware detection like static and dynamic ones, detect the malware but lack against new techniques used by malware developers like obfuscation, polymorphism and encryption. A machine learning approach to detect malware, where the classifier is trained with handcrafted features, is not potent against these techniques and asks for efforts to put in for the feature engineering. The paper proposes a malware classification using a visualization methodology wherein the disassembled malware code is transformed into grey images. It presents the efficacy of Granulometry texture analysis technique for improving malware classification. Furthermore, a Semi Eager (SemiE) classifier, which is a combination of eager learning and lazy learning technique, is used to get robust classification of malware families. The outcome of the experiment is promising since the proposed technique requires less training time to learn the semantics of higher-level malicious behaviours. Identifying the malware (testing phase) is also done faster. A benchmark database like malimg and Microsoft Malware Classification challenge (BIG-2015) has been utilized to analyse the performance of the system. An overall average classification accuracy of 99.03 and 99.11% is achieved, respectively. [ABSTRACT FROM AUTHOR]

Published

2024

31. HotCFuzz: Enhancing Vulnerability Detection through Fuzzing and Hotspot Code Coverage Analysis.

Author

Du, Chunlai, Guo, Yanhui, Feng, Yifan, and Zheng, Shijie

Subjects

COMPUTER security vulnerabilities, BLOCK codes, SELECTION (Plant breeding), COMPUTER software security, INTERNET security, ALGORITHMS

Abstract

Software vulnerabilities present a significant cybersecurity threat, particularly as software code grows in size and complexity. Traditional vulnerability-mining techniques face challenges in keeping pace with this complexity. Fuzzing, a key automated vulnerability-mining approach, typically focuses on code branch coverage, overlooking syntactic and semantic elements of the code. In this paper, we introduce HotCFuzz, a novel vulnerability-mining model centered on the coverage of hot code blocks. Leveraging vulnerability syntactic features to identify these hot code blocks, we devise a seed selection algorithm based on their coverage and integrate it into the established fuzzing test framework AFL. Experimental results demonstrate that HotCFuzz surpasses AFL, AFLGo, Beacon, and FairFuzz in terms of efficiency and time savings. [ABSTRACT FROM AUTHOR]

Published

2024

32. Similarity Regression Of Functions In Different Compiled Forms With Neural Attentions On Dual Control-Flow Graphs.

Author

Zhang, Yun, Liu, Yuling, Cheng, Ge, and Wang, Jie

Subjects

*GRAPH theory, *COMPUTER software security, *REGRESSION analysis, *ARTIFICIAL neural networks, *EMBEDDINGS (Mathematics)

Abstract

Detecting if two functions in different compiled forms are similar has a wide range of applications in software security. We present a method that leverages both semantic and structural features of functions, learned by a neural-net model on the underlying control-flow graphs (CFGs). In particular, we devise a neural function-similarity regressor (NFSR) with attentions on dual CFGs. We train and evaluate NFSR on a dataset consisting of nearly 4 million functions from over 14 900 binary files. Experiments show that NFSR is superior to the SOTA models of SAFE, Gemini and GMN, especially for binary functions with large CFGs. An ablation study shows that attention on dual CFGs plays a significant role in detecting function similarities. [ABSTRACT FROM AUTHOR]

Published

2024

33. Evaluation of requirement engineering best practices for secure software development in GSD: An ISM analysis.

Author

Khan, Rafiq Ahmad, Akbar, Muhammad Azeem, Rafi, Saima, Almagrabi, Alaa Omran, and Alzahrani, Musaad

Subjects

*COMPUTER software development, *REQUIREMENTS engineering, *TECHNOLOGICAL innovations, *COMPUTER software security, *BEST practices

Abstract

Technological advancement makes the world a global village. Security is an evergreen and everlasting area, because of the continuous threat from Hackers and Crackers. The immense use of software systems has modernized human society in every aspect. Thus, it is crucial to devise new processes, techniques, and tools to support teams in the development of secure code from the early stages of the software development process, while potentially reducing the costs and shortening the time to market. Considering the significance of software security, it is important to consider the security practices from the early phase of the software development life cycle (SDLC), that is, requirements engineering (RE). Hence, this study aims to identify and categorize RE practices important to apply for secure software development (SSD) in a geographically distributed development environment. To study the RE practices concerning SSD, we conducted a questionnaire survey with industrial experts in the global software development (GSD) context. Furthermore, the interpretive structure modeling (ISM) approach was applied to evaluate the relationship between the RE security practice core categories. This paper identifies 70 practices and classifies them into 11 fundamental dimensions (categories) to assist GSD organizations in specifying the requirements for SSD. The ISM results show that the "Awareness of Secure Requirement Engineering (SRE)" category has the most decisive influence on the other 10 core categories of the identified RE security practices. With the help of empirical evidence and the ISM approach, this work attempts to identify potential security practices and to give a set of secure RE practices that can be used to improve the security of the software development process. [ABSTRACT FROM AUTHOR]

Published

2024

34. Maturity model for secure software testing.

Author

Alam, Gulzar, Mahmood, Sajjad, Alshayeb, Mohammad, Niazi, Mahmood, and Zafar, Saad

Subjects

*LITERATURE reviews, *COMPUTER software development, *COMPUTER software security, *GREY literature, *APPLICATION software, *COMPUTER software testing

Abstract

Security is an essential attribute of high‐quality software. However, effectively incorporating security practices into different phases of the software development life cycle (SDLC) remains challenging. Owing to less mature secure testing processes, organizations are prone to ineffective testing practices for defect detection, including severe security‐related failures. Thus, in this study, we present a maturity model for secure software testing (MMSST) to assist software development organizations in improving the secure testing of software applications. We conducted a multivocal literature review and identified 68 primary studies from the formal and gray literature. Then, based on the available evidence, 27 process areas were identified to develop the proposed MMSST. The MMSST includes five main categories: governance, contrive and design, execution, deployment and configuration, and mature. The MMSST was subsequently evaluated using case studies related to practical environments. Results demonstrate that the proposed MMSST is useful for estimating the maturity level of an organization with respect to the secure testing phase of the SDLC. The participants of the case studies also agreed that the proposed MMSST is useful in terms of structure, user satisfaction, and ease of use. We believe that the proposed MMSST can help organizations evaluate and improve software security testing practices. In addition, the proposed MMSST is expected to provide researchers and industry practitioners with an effective foundation for developing new secure testing approaches and tools. [ABSTRACT FROM AUTHOR]

Published

2024

35. A Survey of Binary Code Similarity Detection Techniques.

Author

Ruan, Liting, Xu, Qizhen, Zhu, Shunzhi, Huang, Xujing, and Lin, Xinyang

Subjects

BINARY codes, COMPUTER software security, COMPUTER software development, SOURCE code, MATHEMATICAL optimization

Abstract

Binary Code Similarity Detection is a method that involves comparing two or more binary code segments to identify their similarities and differences. This technique plays a crucial role in areas such as software security, vulnerability detection, and software composition analysis. With the extensive use of binary code in software development and system optimization, binary code similarity detection has become an important area of research. Traditional methods of source code similarity detection face challenges when dealing with the unreadable and complex nature of binary code, necessitating specialized techniques and algorithms. This review compares and summarizes various techniques and methods of binary code similarity detection, highlighting their strengths and limitations in handling different characteristics of binary code. Additionally, the article suggests potential future research directions. As research and innovation in this technology continue to advance, binary code similarity detection is expected to play an increasingly significant role in fields like software security. [ABSTRACT FROM AUTHOR]

Published

2024

36. SOFTWARE INFORMATION SECURITY MANAGEMENT FOR GOVERNMENT AUTHORITIES.

Author

DRAGOVIĆ, Rade, STANISAVLJEV, Sanja, DOBRILOVIĆ, Dalibor, DRAGOVIĆ, Dragan, and MILOŠEV, Vladimir

Subjects

*INTERNET security, *COMPUTER software development, *COMPUTER software security, *SECURITY management, *STATE power

Abstract

This article treats two very important items in the functional matrix of the state bodies work: information security and software development. Information security is not only a recommendation with content in the domain of organization, technology, and procedure but is also defined by legal and by-laws. Lately, software development has been increasingly outsourced, so it is important for state authorities to know that software development is no longer a free assessment of the client and programmer, how and what will be developed, and to what extent the software will be delivered. [ABSTRACT FROM AUTHOR]

Published

2024

37. Vulnerability analysis based on Software Bill of Materials (SBOM): A model proposal for automated vulnerability scanning for CI/CD pipelines.

Author

Kağızmandere, Omercan and Arslan, Halil

Subjects

*SUPPLY chain management software, *COMPUTER security vulnerabilities, *PENETRATION testing (Computer security), *COMPUTER software security, *INTERNET security

Abstract

The software bill of materials (SBOM) emerged in 2018 as an important component in software security and software supply chain management. SBOM is an inventory presented as a list of the components that make up software. In recent years, whether software products contain vulnerabilities is a phenomenon that should be checked regularly by the users of that product. This paper deals with the systematic identification and vulnerability analysis of software components based on the concept of software bill of materials. The fact that a software product itself does not contain vulnerabilities does not mean that the software product is secure. Even if software projects do not contain any vulnerabilities when examined alone, there may be vulnerabilities in their components. Vulnerabilities in the dependencies or components of the product may be sufficient for cyber attackers to exploit that product. Minimizing the damage caused by vulnerabilities in software components is the basis of cyber security efforts. In this study, the necessity of automatically generating software bill of materials in software development/deployment environments and performing vulnerability analysis on this bill of materials is demonstrated and a suitable model is proposed. [ABSTRACT FROM AUTHOR]

Published

2024

38. A systematic review of fuzzing.

Author

Zhao, Xiaoqi, Qu, Haipeng, Xu, Jianliang, Li, Xiaohui, Lv, Wenjie, and Wang, Gai-Ge

Subjects

*COMPUTER software testing, *COMPUTER software security, *RESEARCH & development

Abstract

Fuzzing is an important technique in software and security testing that involves continuously generating a large number of test cases against target programs to discover unexpected behaviors such as bugs, crashes, and vulnerabilities. Recently, fuzzing has advanced considerably owing to the emergence of new methods and corresponding tools. However, it still suffers from low coverage, ineffective detection of specific vulnerabilities, and difficulty in deploying complex applications. Therefore, to comprehensively survey the development of fuzzing techniques and analyze their advantages and existing challenges, this paper provides a comprehensive survey of the development of fuzzing techniques, summarizes the main research issues, and provides a categorized overview of the latest research advances and applications. The paper first introduces the background and related work on fuzzing. Research issues are subsequently addressed and summarized, along with the latest research developments. Furthermore, various customized fuzzing techniques in different applications are presented. Finally, the paper discusses future research directions. [ABSTRACT FROM AUTHOR]

Published

2024

39. A Novel Seed Generation Approach for Vulnerability Mining Based on Generative Adversarial Networks and Attention Mechanisms.

Author

Du, Chunlai, Xu, Guizhi, Guo, Yanhui, Wang, Zhongru, and Yu, Weiqiang

Subjects

*GENERATIVE adversarial networks, *GERMINATION, *SEED quality, *COMPUTER software security, *SELECTION (Plant breeding), *SEEDS

Abstract

Coverage-guided fuzzing has been widely applied in software error and security vulnerability detection. The fuzzing technique based on AFL (American Fuzzy Loop) is a common coverage-guided fuzzing method. The code coverage during AFL fuzzing is highly dependent on the quality of the initial seeds. If the selected seeds' quality is poor, the AFL may not be able to detect program paths in a targeted manner, resulting in wasted time and computational resources. To solve the problems that the seed selection strategy in traditional AFL fuzzing cannot quickly and effectively generate high-quality seed sets and the mutated test cases cannot reach deeper paths and trigger security vulnerabilities, this paper proposes an attention mechanism-based generative adversarial network (GAN) seed generation approach for vulnerability mining, which can learn the characteristics and distribution of high-quality test samples during the testing process and generate high-quality seeds for fuzzing. The proposed method improves the GAN by introducing fully connected neural networks to balance the competitive adversarial process between discriminators and generators and incorporating attention mechanisms, greatly improving the quality of generated seeds. Our experimental results show that the seeds generated by the proposed method have significant improvements in coverage, triggering unique crashes and other indicators and improving the efficiency of AFL fuzzing. [ABSTRACT FROM AUTHOR]

Published

2024

40. Security risks of global software development life cycle: Industry practitioner's perspective.

Author

Khan, Rafiq Ahmad, Khan, Siffat Ullah, Akbar, Muhammad Azeem, and Alzahrani, Musaad

Subjects

*COMPUTER software development, *ANALYTIC hierarchy process, *COMPUTER software security, *COMPUTER systems, *BUSINESS software

Abstract

Software security has become increasingly important because the malicious attack and other hacker risks of a computer system have grown popularity in the last few years. As a result, several researchers have examined security solutions as early as the requirement engineering phase. With the growth of the software business and the internet, there is a need to understand the security risks against each phase of the software development life cycle (SDLC). This study aims to empirically investigate and prioritize the risks that could negatively impact the software security aspects of SDLC in the context of global software development (GSD). To achieve the study objectives, we conducted an industrial empirical study to determine the impact of software security threats against each phase of SDLC. Furthermore, the fuzzy analytical hierarchy process (FAHP) was used to prioritize the list of software security risks against the SDLC. The results and analysis of this study provide a ranked‐based decision‐making framework, which assists the practitioners in considering the most critical security risks on priority. The results show "improper plan for secure requirement identification, inception, authentication, authorization, and privacy," "lack of threat models updating," "lack of output validation," "lack of certification in the final release and archive," and "spoofing" as the top‐ranked security risks of SDLC in GSD. In addition, the application of FAHP is novel in this domain as it is helpful to address multicriteria decision‐making problems. [ABSTRACT FROM AUTHOR]

Published

2024

41. Systematic Security Guideline Framework through Intelligently Automated Vulnerability Analysis.

Author

Dahyeon Kim, Namgi Kim, and Junho Ahn

Subjects

VIRTUAL private networks, COMPUTER security vulnerabilities, COMPUTER software security, DISCLOSURE, FLOW charts

Abstract

This research aims to propose a practical framework designed for the automatic analysis of a product's comprehensive functionality and security vulnerabilities, generating applicable guidelines based on real-world software. The existing analysis of software security vulnerabilities often focuses on specific features or modules. This partial and arbitrary analysis of the security vulnerabilities makes it challenging to comprehend the overall security vulnerabilities of the software. The key novelty lies in overcoming the constraints of partial approaches. The proposed framework utilizes data from various sources to create a comprehensive functionality profile, facilitating the derivation of real-world security guidelines. Security guidelines are dynamically generated by associating functional security vulnerabilities with the latest Common Vulnerabilities and Exposure (CVE) and Common Vulnerability Scoring System (CVSS) scores, resulting in automated guidelines tailored to each product. These guidelines are not only practical but also applicable in real-world software, allowing for prioritized security responses. The proposed framework is applied to virtual private network (VPN) software, wherein a validated Level 2 data flow diagram is generated using the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of privilege (STRIDE) technique with references to various papers and examples from related software. The analysis resulted in the identification of a total of 121 vulnerabilities. The successful implementation and validation demonstrate the framework's efficacy in generating customized guidelines for entire systems, subsystems, and selected modules. [ABSTRACT FROM AUTHOR]

Published

2024

42. Compositional Verification of First-Order Masking Countermeasures against Power Side-Channel Attacks.

Author

Gao, Pengfei, Song, Fu, and Chen, Taolue

Subjects

COMPUTER software security, DATA security failures, RANDOM variables, IMPLEMENTS, utensils, etc.

Abstract

Power side-channel attacks allow an adversary to efficiently and effectively steal secret information (e.g., keys) by exploiting the correlation between secret data and runtime power consumption, hence posing a serious threat to software security, particularly cryptographic implementations. Masking is a commonly used countermeasure against such attacks, which breaks the statistical dependence between secret data and side-channel leaks via randomization. In a nutshell, a variable is represented by a vector of shares armed with random variables, called masking encoding, on which cryptographic computations are performed. While compositional verification for the security of masked cryptographic implementations has received much attention because of its high efficiency, existing compositional approaches either use implicitly fixed pre-conditions that may not be fulfilled by state-of-the-art efficient implementations, or require user-provided hard-coded pre-conditions that are time consuming and highly non-trivial, even for an expert. In this article, we tackle the compositional verification problem of first-order masking countermeasures, where first-order means that the adversary is allowed to access only one intermediate computation result. Following the literature, we consider countermeasures given as gadgets, which are special procedures whose inputs are masking encodings of variables. We introduce a new security notion parameterized by an explicit pre-condition for each gadget, as well as composition rules for reasoning about masking countermeasures against power side-channel attacks. We propose accompanying efficient algorithms to automatically infer proper pre-conditions, based on which our new compositional approach can efficiently and automatically prove security for masked implementations. We implement our approaches as a tool MaskCV and conduct experiments on publicly available masked cryptographic implementations including 10 different full AES implementations. The experimental results confirm the effectiveness and efficiency of our approach. [ABSTRACT FROM AUTHOR]

Published

2024

43. Vision Transformer Inspired Automated Vulnerability Repair.

Author

Fu, Michael, Nguyen, Van, Tantithamthavorn, Chakkrit, Phung, Dinh, and Le, Trung

Subjects

TRANSFORMER models, OBJECT recognition (Computer vision), COMPUTER vision, COMPUTER software security, REPAIRING

Abstract

Recently, automated vulnerability repair approaches have been widely adopted to combat increasing software security issues. In particular, transformer-based encoder-decoder models achieve competitive results. Whereas vulnerable programs may only consist of a few vulnerable code areas that need repair, existing AVR approaches lack a mechanism guiding their model to pay more attention to vulnerable code areas during repair generation. In this article, we propose a novel vulnerability repair framework inspired by the Vision Transformer based approaches for object detection in the computer vision domain. Similar to the object queries used to locate objects in object detection in computer vision, we introduce and leverage vulnerability queries (VQs) to locate vulnerable code areas and then suggest their repairs. In particular, we leverage the cross-attention mechanism to achieve the cross-match between VQs and their corresponding vulnerable code areas. To strengthen our cross-match and generate more accurate vulnerability repairs, we propose to learn a novel vulnerability mask (VM) and integrate it into decoders' cross-attention, which makes our VQs pay more attention to vulnerable code areas during repair generation. In addition, we incorporate our VM into encoders' self-attention to learn embeddings that emphasize the vulnerable areas of a program. Through an extensive evaluation using the real-world 5,417 vulnerabilities, our approach outperforms all of the automated vulnerability repair baseline methods by 2.68% to 32.33%. Additionally, our analysis of the cross-attention map of our approach confirms the design rationale of our VM and its effectiveness. Finally, our survey study with 71 software practitioners highlights the significance and usefulness of AI-generated vulnerability repairs in the realm of software security. The training code and pre-trained models are available at https://github.com/awsm-research/VQM. [ABSTRACT FROM AUTHOR]

Published

2024

44. Mitigating Software Vulnerabilities through Secure Software Development with a Policy-Driven Waterfall Model.

Author

Hussain, Shariq, Anwaar, Haris, Sultan, Kashif, Mahmud, Umar, Farooqui, Sherjeel, Karamat, Tehmina, and Toure, Ibrahima Kalil

Subjects

COMPUTER security vulnerabilities, COMPUTER software development, COMPUTER software security, WATERFALLS

Abstract

For the past few years, software security has become a pressing issue that needs to be addressed during software development. In practice, software security is considered after the deployment of software rather than considered as an initial requirement. This delayed action leads to security vulnerabilities that can be catered for during the early stages of the software development life cycle (SDLC). To safeguard a software product from security vulnerabilities, security must be given equal importance with functional requirements during all phases of SDLC. In this paper, we propose a policy-driven waterfall model (PDWM) for secure software development describing key points related to security aspects in the software development process. The security requirements are the security policies that are considered during all phases of waterfall-based SDLC. A framework of PDWM is presented and applied to the e-travel scenario to ascertain its effectiveness. This scenario is a case of small to medium-sized software development project. The results of case study show that PDWM can identify 33% more security vulnerabilities as compared to other secure software development techniques. [ABSTRACT FROM AUTHOR]

Published

2024

45. Software Development Teams Knowledge and Awareness of Security Requirement Engineering and Security Requirement Elicitation and Analysis.

Author

Janisar, Aftab Alam, Shafee bin Kalid, Khairul, Sarlan, Aliza Bt, and Maiwada, Umar Danjuma

Subjects

REQUIREMENTS engineering, COMPUTER software development, COMPUTER software security, AWARENESS, TEAMS

Abstract

Software security is a concern due to software's pervasiveness and how rapid software's are developed. Although studies have emphasized the importance of addressing security requirements during the early phases of requirement engineering, it is often overlooked. This oversight may stem from limited knowledge and awareness among software development teams regarding security requirement engineering (SRE) and security requirement elicitation analysis (SREA). To assess this, a quantitative study was conducted. Respondents completed a survey, and the data was analysed using descriptive statistics. The results indicate that software development teams possessed an average knowledge of SRE but demonstrated good knowledge of SREA. [ABSTRACT FROM AUTHOR]

Published

2024

46. A Survey of Software Dynamic Analysis Methods.

Author

Kuliamin, V. V.

Subjects

*COMPUTER software security, *SYSTEMS software, *COMPUTER software, *SOFTWARE development tools, *PROBLEM solving, *SOFTWARE verification

Abstract

A review of software dynamic analysis methods is presented, mainly focusing on the methods supported by tools targeted on software security verification and applicable to system software. Fuzzing, runtime verification and dynamic symbolic execution techniques are considered in detail. Dynamic taint data analysis methods and tools are excluded since gathering technical details on them is complicated. The review of fuzzing and dynamic symbolic execution is focused mostly on the techniques to solve various problems that arise during operation of the tools rather than the particular tools that amount to a number greater than 100. In addition, the fuzzing counteraction techniques are considered. [ABSTRACT FROM AUTHOR]

Published

2024

47. Estimating vulnerability metrics with word embedding and multiclass classification methods.

Author

Kekül, Hakan, Ergen, Burhan, and Arslan, Halil

Subjects

*COMPUTER security vulnerabilities, *COMPUTER software security, *INTERNET security, *DATABASES, *CLASSIFICATION algorithms, *NATURAL language processing

Abstract

Cyber security has an increasing importance since the day when information technologies are an invariable part of modern human life. One of the fundamental areas of cyber security is the concept of software security. Security vulnerabilities in software are one of the main reasons for the exploitation of information systems. For this reason, it has been systematically reported, analyzed and classified for a long time, with a protocol established between the states and the stakeholders of the issue at the level. All these processes are carried out manually by humans today. This situation causes errors and delays caused by human nature. Therefore, the current study aims to help the experts and increase the accuracy of the analysis results by speeding up the processes. To achieve this goal, a model is proposed that uses technical explanations of security reports written in natural language. Our model basically proposes a method that uses word embedding approaches and multi-class classification algorithms from natural language processing techniques. In order to compare the proposed model more accurately, the NVD database, which is open to everyone and accepted as a reference, was chosen. In addition, previous studies in the literature and the model we propose were compared. In order for the results of the compared models to be analyzed more accurately, our model was trained with the data sets of the studies it was compared and the results were presented clearly. The proposed method showed estimation success in the range of 87.34–96.25% for CVSS 2.0 metrics, and in the range of 84–90% for CVSS 3.1. This study, in which different word embedding and classification algorithms are used together, is one of the limited studies on the latest version of the official scoring system used for classification of software security vulnerabilities. Moreover, it is the most comprehensive and original study in its field due to the size of the dataset it uses and the number of databases evaluated. [ABSTRACT FROM AUTHOR]

Published

2024

48. BiT5: A Bidirectional NLP Approach for Advanced Vulnerability Detection in Codebase.

Author

GS, Prabith, M, Rohit Narayanan, A, Arya, R, Aneesh Nadh, and PK, Binu

Subjects

NATURAL language processing, COMPUTER software security

Abstract

In this research paper, a detailed investigation presents the utilization of the BiT5 Bidirectional NLP model for detecting vulnerabilities within codebases. The study addresses the pressing need for techniques enhancing software security by effectively identifying vulnerabilities. Methodologically, the paper introduces BiT5, specifically designed for code analysis and vulnerability detection, encompassing dataset collection, preprocessing steps, and model fine-tuning. The key findings underscore BiT5's efficacy in pinpointing vulnerabilities within code snippets, notably reducing both false positives and false negatives. This research contributes by offering a methodology for leveraging BiT5 in vulnerability detection, thus significantly bolstering software security and mitigating risks associated with code vulnerabilities. [ABSTRACT FROM AUTHOR]

Published

2024

49. Binary Program Vulnerability Mining Based on Neural Network.

Author

Zhenhui Li, Shuangping Xing, Lin Yu, Huiping Li, Fan Zhou, Guangqiang Yin, Xikai Tang, and Zhiguo Wang

Subjects

COMPILERS (Computer programs), MINING methodology, COMPUTER software security, FEATURE extraction, SOURCE code, SECURITIES analysts

Abstract

Software security analysts typically only have access to the executable program and cannot directly access the source code of the program. This poses significant challenges to security analysis. While it is crucial to identify vulnerabilities in such non-source code programs, there exists a limited set of generalized tools due to the low versatility of current vulnerability mining methods. However, these tools suffer from some shortcomings. In terms of targeted fuzzing, the path searching for target points is not streamlined enough, and the completely random testing leads to an excessively large search space. Additionally, when it comes to code similarity analysis, there are issues with incomplete code feature extraction, which may result in information loss. In this paper, we propose a cross-platform and cross-architecture approach to exploit vulnerabilities using neural network obfuscation techniques. By leveraging the Angr framework, a deobfuscation technique is introduced, along with the adoption of a VEX-IR-based intermediate language conversionmethod. This combination allows for the unified handling of binary programs across various architectures, compilers, and compilation options. Subsequently, binary programs are processed to extract multi-level spatial features using a combination of a skip-gram model with self-attention mechanismand a bidirectional Long Short-TermMemory (LSTM) network. Finally, the graph embedding network is utilized to evaluate the similarity of program functionalities. Based on these similarity scores, a target function is determined, and symbolic execution is applied to solve the target function. The solved content serves as the initial seed for targeted fuzzing. The binary program is processed by using the de-obfuscation technique and intermediate language transformation method, and then the similarity of program functions is evaluated by using a graph embedding network, and symbolic execution is performed based on these similarity scores. This approach facilitates cross-architecture analysis of executable programs without their source codes and concurrently reduces the risk of symbolic execution path explosion. [ABSTRACT FROM AUTHOR]

Published

2024

50. Learning to Detect Memory-related Vulnerabilities.

Author

Cao, Sicong, Sun, Xiaobing, Bo, Lili, Wu, Rongxin, Li, Bin, Wu, Xiaoxue, Tao, Chuanqi, Zhang, Tao, and Liu, Wei

Subjects

DEEP learning, LEARNING strategies, COMPUTER software security, DETECTORS

Abstract

Memory-related vulnerabilities can result in performance degradation or even program crashes, constituting severe threats to the security of modern software. Despite the promising results of deep learning (DL)-based vulnerability detectors, there exist three main limitations: (1) rich contextual program semantics related to vulnerabilities have not yet been fully modeled; (2) multi-granularity vulnerability features in hierarchical code structure are still hard to be captured; and (3) heterogeneous flow information is not well utilized. To address these limitations, in this article, we propose a novel DL-based approach, called MVD+, to detect memory-related vulnerabilities at the statement-level. Specifically, it conducts both intraprocedural and interprocedural analysis to model vulnerability features, and adopts a hierarchical representation learning strategy, which performs syntax-aware neural embedding within statements and captures structured context information across statements based on a novel Flow-Sensitive Graph Neural Networks, to learn both syntactic and semantic features of vulnerable code. To demonstrate the performance, we conducted extensive experiments against eight state-of-the-art DL-based approaches as well as five well-known static analyzers on our constructed dataset with 6,879 vulnerabilities in 12 popular C/C++ applications. The experimental results confirmed that MVD+ can significantly outperform current state-of-the-art baselines and make a great trade-off between effectiveness and efficiency. [ABSTRACT FROM AUTHOR]

Published

2024