Visible to the public Biblio

Filters: Keyword is third-party libraries  [Clear All Filters]
2019-10-30
Meng, Na, Nagy, Stefan, Yao, Danfeng, Zhuang, Wenjie, Arango-Argoty, Gustavo.  2018.  Secure Coding Practices in Java: Challenges and Vulnerabilities. 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE). :372-383.

The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security - a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverflow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.

2018-04-04
Ran, L., Lu, L., Lin, H., Han, M., Zhao, D., Xiang, J., Yu, H., Ma, X..  2017.  An Experimental Study of Four Methods for Homology Analysis of Firmware Vulnerability. 2017 International Conference on Dependable Systems and Their Applications (DSA). :42–50.

In the production process of embedded device, due to the frequent reuse of third-party libraries or development kits, there are large number of same vulnerabilities that appear in more than one firmware. Homology analysis is often used in detecting this kind of vulnerabilities caused by code reuse or third-party reuse and in the homology analysis, the widely used methods are mainly Binary difference analysis, Normalized compression distance, String feature matching and Fuzz hash. But when we use these methods for homology analysis, we found that the detection result is not ideal and there is a high false positive rate. Focusing on this problem, we analyzed the application scenarios of these four methods and their limitations by combining different methods and different types of files and the experiments show that the combination of methods and files have a better performance in homology analysis.