Blogs (1) >>
ICSE 2019
Sat 25 - Fri 31 May 2019 Montreal, QC, Canada
Wed 29 May 2019 12:00 - 12:10 at Van-Horne - Security 1 Chair(s): Corina S. Păsăreanu

[Problem:] Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this component in an application must decide whether to update the [deployed] FOSS component, patch the application itself, or just do nothing as the vulnerability is not applicable to the older deployed version. [Challenge:] Vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes are expected to react quickly on disclosed vulnerabilities—in some case such as Heartbleed, within hours. [Technical Solution:] We propose a screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. [Empirical Validation:] Our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, etc.), scanning thousands of commits and hundred thousand lines of code in minutes. Further, we provide insights on the empirical probability that, on 166 FOSS projects, a potentially vulnerable component might not actually be vulnerable after all. [Interest for ICSE and Industry:] code analysis methods usually presented at ICSE are based on precise but costly semantic analysis (symbolic execution, concolic testing, etc.). Our radical alternative deliberately trades accuracy for speed. Its application by our industry partner is not intended to replace semantics analysis but to prioritize its application to versions most at risk.

Wed 29 May

Displayed time zone: Eastern Time (US & Canada) change

11:00 - 12:30
Security 1Journal-First Papers / Papers / Technical Track / New Ideas and Emerging Results / Software Engineering in Practice at Van-Horne
Chair(s): Corina S. Păsăreanu Carnegie Mellon University Silicon Valley, NASA Ames Research Center
11:00
20m
Talk
Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for DevelopersSEIPIndustry Program
Software Engineering in Practice
Charles Weir Lancaster University, Lynne Blair Lancaster University, Ingolf Becker University College London, M. Angela Sasse University College London, James Noble Victoria University of Wellington, Awais Rashid University of Bristol, UK
11:20
20m
Talk
Towards Better Utilizing Static Application Security TestingSEIPIndustry Program
Software Engineering in Practice
Jinqiu Yang Concordia University, Montreal, Canada, Lin Tan Purdue University, John Peyton HCL America, Kristofer A Duer AppScan Source
11:40
20m
Talk
LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through Program MetricsTechnical Track
Technical Track
Xiaoning Du Nanyang Technological University, Bihuan Chen Fudan University, Yuekang Li Nanyang Technological University, Jianmin Guo Tsinghua University, Yaqin Zhou Nanyang Technological University, Yang Liu Nanyang Technological University, Singapore, Yu Jiang
12:00
10m
Talk
A Screening Test for Disclosed Vulnerabilities in FOSS ComponentsIndustry ProgramJournal-First
Journal-First Papers
Stanislav Dashevskyi University of Luxembourg, Achim D. Brucker The University of Sheffield, Fabio Massacci University of Trento
Link to publication DOI Pre-print
12:10
10m
Talk
VULTRON: Catching Vulnerable Smart Contracts Once and for AllNIER
New Ideas and Emerging Results
Haijun Wang Nanyang Technological University, Yi Li Nanyang Technological University, Shang-Wei Lin Nanyang Technological University, Lei Ma Kyushu University, Yang Liu Nanyang Technological University, Singapore
12:20
10m
Talk
Discussion Period
Papers