ICSE 2019
Sat 25 - Fri 31 May 2019 Montreal, QC, Canada
Wed 29 May 2019 12:00 - 12:10 at Van-Horne - Security 1 Chair(s): Corina S Pasareanu

[Problem:] Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this component in an application must decide whether to update the [deployed] FOSS component, patch the application itself, or do nothing because the vulnerability does not apply to the older deployed version. [Challenge:] Vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes are expected to react quickly to disclosed vulnerabilities—in some cases, such as Heartbleed, within hours. [Technical Solution:] We propose a screening test: a novel, automatic method based on thin slicing for quickly estimating whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. [Empirical Validation:] Our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, etc.), scanning thousands of commits and hundreds of thousands of lines of code in minutes. Further, we provide insights on the empirical probability, over 166 FOSS projects, that a potentially vulnerable component is not actually vulnerable after all. [Interest for ICSE and Industry:] Code analysis methods usually presented at ICSE are based on precise but costly semantic analysis (symbolic execution, concolic testing, etc.). Our radical alternative deliberately trades accuracy for speed. Its application by our industry partner is not intended to replace semantic analysis but to prioritize its application to the versions most at risk.

Wed 29 May (GMT-04:00) Eastern Time (US & Canada)

11:00 - 12:30: Papers - Security 1 at Van-Horne
Chair(s): Corina S. Pasareanu (Carnegie Mellon University Silicon Valley, NASA Ames Research Center)
Stanislav Dashevskyi (University of Luxembourg), Achim D. Brucker (The University of Sheffield), Fabio Massacci (University of Trento)
