SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods

Authors: Goran Piskachev, Lisa Nguyen Quang Do, Oshando Johnson, Eric Bodden

DOI: 10.1109/ASE.2019.00110

Keywords:

Abstract: To detect specific types of bugs and vulnerabilities, static analysis tools must be correctly configured with security-relevant methods (SRM), e.g., sources, sinks, sanitizers, and authentication methods, which is usually a very labour-intensive and error-prone process. This work presents the semi-automated tool SWAN_ASSIST, which aids this configuration through an IntelliJ plugin based on active machine learning. It integrates our novel automated machine-learning approach SWAN, which identifies and classifies Java SRM. SWAN_ASSIST further integrates user feedback through iterative learning: it aids developers by asking them to classify, at each point in time, exactly those methods whose classification would best impact the result. Our experiments show that SWAN_ASSIST classifies SRM with high precision and requires relatively low effort from the user. A video demo can be found at https://youtu.be/fSyD3V6EQOY. The source code is available at https://github.com/secure-software-engineering/swan.
