| dc.contributor.advisor | Langweg, Hanno | |
| dc.contributor.advisor | Katt, Basel | |
| dc.contributor.author | Schuckert, Felix | |
| dc.date.accessioned | 2024-04-22T11:29:05Z | |
| dc.date.available | 2024-04-22T11:29:05Z | |
| dc.date.issued | 2024 | |
| dc.identifier.isbn | 978-82-326-7805-1 | |
| dc.identifier.issn | 2703-8084 | |
| dc.identifier.uri | https://hdl.handle.net/11250/3127615 | |
| dc.description.abstract | Teaching software security is complex and should involve practical exercises. Practical exercises require software artifacts and projects that contain vulnerabilities. The vulnerabilities can be exploited to understand their impact on how different sanitization methods can be bypassed and how they can be mitigated. A frequent challenge is the creation of realistic projects that contain such vulnerabilities. The projects can be created manually with a lot of effort and can only be used once because exploiting the same vulnerabilities repeatedly will not provide a learning effect. The goal of this thesis is to provide a solution to automatically create such learning examples that are realistic and provide permutations that can be used repeatedly for teaching.
As a solution to create learning examples automatically, we invented Insecurity Refactoring. Insecurity Refactoring is a change to the internal structure of a software to inject a vulnerability without changing the observable behavior in a normal use case scenario. Creating realistic vulnerabilities requires characterizing realistic vulnerabilities and identifying how they look like. To solve this challenge, we have reviewed the source code from 150 vulnerabilities that occurred in open-source projects in the categories SQL Injection, Cross Site Scripting and Buffer Overflow. From these vulnerabilities, we have categorized source code patterns of sources, sanitization, context, sinks, and fixes. Those patterns characterize realistic vulnerabilities and are used for Insecurity Refactoring. Additionally, the types of errors from the developers resulting in a vulnerability have been reviewed. Those point out the issues that should be taught to developers and mitigated in the development phase.
Another challenge is creating learning examples that are difficult to detect by static code analysis tools. Those learning examples can also be used to teach developers what source code patterns should be avoided. The previously reviewed vulnerabilities have been scanned with a set of selected commercial and open-source static code analysis tools to identify patterns that produce false positive and false negative results. This insight allows mitigating such difficult patterns in the development phase to improve the effect of static code analysis. Additionally, these difficult patterns are used in the Insecurity Refactoring approach to create learning examples that cannot be solved by static code analysis tools.
Our method of Insecurity Refactoring has been formalized by using a new defined Adversary Controlled Input Dataflow tree. The formalization allows detecting Possible Injection Paths. Those paths can be transformed into vulnerabilities. All the previously identified source code patterns are used to inject different permutations of vulnerabilities. We developed a tool to realize the formalized method. The tool was tested on open-source projects to check if the approach can inject vulnerabilities. If an open-source project is injectable it does not imply that it is less secure, instead it implies that static code analysis approaches can analyze them to find injection possibilities. The results have indicated that our approach can use 8.1% of the open-source projects found on GitHub to create learning examples.
Projects transformed by our approach have been used as learning examples in two experiments with different groups. The results have shown that the Insecurity Refactoring method does not change the behavior of the program, except when the vulnerability is exploited. Accordingly, the definition of Insecurity Refactoring was confirmed. A survey of the attendees of the experiments has revealed that the transformed projects can be used as learning examples and that the examples are realistic.
Another aspect of this thesis is to improve static code analysis tools. All the identified patterns have been combined to create two static code analysis benchmark data sets. The data sets have been scanned by commercial static code analysis tools. By calculating established static code analysis metrics,
the data sets can be used to identify problems of the tools like high false alarm rate, low precision, low recall, etc. Additionally, we have provided a solution to identify patterns that the tools do not cover. The generation process has been discussed in an interview with experts from Software Assurance Metrics And Tool Evaluation (SAMATE) at the National Institute of Standards and Technology (NIST). They have approved that the generation process is solid. The two generated data sets are being hosted as an official Software Assurance Reference Dataset (SARD). This allows all developers of static code analysis tools to test their tools and improve it based on our research. | en_US |
| dc.language.iso | eng | en_US |
| dc.publisher | NTNU | en_US |
| dc.relation.ispartofseries | Doctoral theses at NTNU;2024:106 | |
| dc.relation.haspart | Paper 1: Schuckert, Felix; Katt, Basel; Langweg, Hanno. Source Code Patterns of SQL Injection Vulnerabilities. I: ARES'17. Proceedings of The 12th International Conference on Availability, Reliability and Security, Reggio Calabria, Italy — August 29 - September 01, 2017. Association for Computing Machinery (ACM) 2017 ISBN 978-1-4503-5257-4. Copyright © 2017 ACM, Inc. Available at: http://dx.doi.org/10.1145/3098954.3103173 | en_US |
| dc.relation.haspart | Paper 2: Schuckert, Felix; Hildner, Max; Katt, Basel; Langweg, Hanno. Source Code Patterns of Buffer Overflow Vulnerabilities in Firefox. I: SICHERHEIT 2018. Bonn: Gesellschaft für Informatik e.V. 2018 ISBN 978-3-88579-675-6. s. 107-118. Published by Gesellschaft für Informatik e.V. . This is an open access article under the CC BY license. Available at: http://dx.doi.org/10.18420/sicherheit2018_08 | en_US |
| dc.relation.haspart | Paper 3: Schuckert, Felix; Hildner, Max; Katt, Basel; Langweg, Hanno. Source Code Patterns of Cross Site Scripting in PHP Open Source Projects. Norsk Informasjonssikkerhetskonferanse (NISK) 2018 ;Volum 11. s. – Published by Akademika. | en_US |
| dc.relation.haspart | Paper 4: Schuckert, Felix; Katt, Basel; Langweg, Hanno. Difficult XSS Code Patterns for Static Code Analysis Tools. Lecture Notes in Computer Science (LNCS) 2020 ;Volum 11981 LNCS. s. 123-139. © 2020 Springer Nature. Available at: http://dx.doi.org/10.1007/978-3-030-42051-2_9 | en_US |
| dc.relation.haspart | Paper 5: Schuckert, Felix; Katt, Basel; Langweg, Hanno. Difficult SQLi Code Patterns for Static Code Analysis Tools. Norsk Informasjonssikkerhetskonferanse (NISK) 2021 ;Volum 3. Published by Norsk Informasjonssikkerhetskonferanse (NISK). | en_US |
| dc.relation.haspart | Paper 6: Schuckert, Felix; Katt, Basel; Langweg, Hanno. Insecurity Refactoring: Automated Injection of Vulnerabilities in Source Code. Computers & Security 2023 ;Volum 128. s. - Published by Elsevier Ltd. This is an open access article under the CC BY license. Available at: http://dx.doi.org/10.1016/j.cose.2023.103121 | en_US |
| dc.relation.haspart | Paper 7: Schuckert, Felix; Langweg, Hanno; Katt, Basel. Systematic Generation of XSS and SQLi Vulnerabilities in PHP as Test Cases for Static Code Analysis. I: 2022 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW). IEEE conference proceedings 2022 ISBN 9781665496285. s. 261-268. © Copyright 2022 IEEE. Available at: http://dx.doi.org/10.1109/ICSTW55395.2022.00053 | en_US |
| dc.title | Opportunities of Insecurity Refactoring for Training and Software Development | en_US |
| dc.type | Doctoral thesis | en_US |
| dc.subject.nsi | VDP::Teknologi: 500::Informasjons- og kommunikasjonsteknologi: 550 | en_US |
