Insecurity Refactoring: Automated Injection of Vulnerabilities in Source Code

Published: 01 May 2023

Abstract

Insecurity Refactoring is a change to the internal structure of software that injects a vulnerability without changing the observable behavior in a normal use case scenario. An implementation of Insecurity Refactoring is formally described that injects vulnerabilities into source code projects using static code analysis. It creates learning examples containing source code patterns from known vulnerabilities.
Insecurity Refactoring is achieved by building an Adversary Controlled Input Dataflow tree on top of a Code Property Graph. The tree is used to find possible injection paths. Transforming those paths injects the vulnerabilities, and inserting data flow patterns introduces the different code patterns found in related Common Vulnerabilities and Exposures (CVE) reports. The approach is evaluated on 307 open source projects. Additionally, insecurity-refactored projects are deployed in virtual machines for use as learning examples. Static code analysis tools, dynamic tools and manual inspection are applied to the modified projects to confirm that the vulnerabilities are present.
The results show that vulnerabilities can be injected into 8.1% of the open source projects. The inspected code patterns from CVE reports can be inserted using the corresponding data flow patterns. Furthermore, the injected vulnerabilities proved useful for a small sample of attendees (n=16). Insecurity Refactoring is therefore useful for automatically generating learning examples that improve software security training: it uses real projects as a base, and the injected vulnerabilities stem from real CVE reports, which makes them unique and realistic.
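The search and transformation steps the abstract describes (a data-flow tree rooted at adversary-controlled input, candidate injection paths that a sanitizer or a parameterized API currently blocks, and a transformation that keeps behavior on benign input while making the path injectable) can be modelled on a toy intermediate representation. The Python below is an added example written for this page, not the authors' tool or any code from the paper: the `Stmt` representation, the operation names (`assign`, `concat`, `prepare_bind`), the source, sink and sanitizer tables and the sample PHP handler are all assumptions constructed here, and `render` emits PHP only so the two versions can be compared.

```python
"""Toy model of the search and transformation steps of Insecurity Refactoring.
Added example, not the paper's tool: statements, operation names, source/sink/
sanitizer tables and the sample handler are all assumptions constructed here.
"""
from __future__ import annotations
from dataclasses import dataclass, replace

SOURCES = {"$_GET", "$_POST", "$_COOKIE"}          # adversary-controlled input
SINKS = {"mysqli_query": "SQLi", "echo": "XSS"}   # sensitive sinks
# intval(x) == x for a numeric id, htmlspecialchars(x) == x for text without HTML
# metacharacters: removing them keeps behaviour identical for normal requests.
SANITIZERS = {"intval", "htmlspecialchars", "mysqli_real_escape_string"}
# A parameterized query and its concatenated form return the same rows for benign values.
PARAMETERIZED = {"prepare_bind": "mysqli_query"}

@dataclass(frozen=True)
class Stmt:
    target: str | None      # variable defined, None for a pure sink call
    op: str                 # operation or callee name
    args: tuple[str, ...]   # variables or PHP literals the statement reads

def is_source(arg: str) -> bool:
    return arg.split("[")[0] in SOURCES           # "$_GET['id']" -> "$_GET"

def uses(program: list[Stmt], var: str) -> list[int]:
    """Forward data-flow edges (as a Code Property Graph supplies them)."""
    return [i for i, s in enumerate(program) if var in s.args]

def acid_tree(program: list[Stmt]) -> list[list[int]]:
    """All data-flow paths (statement indices) rooted at adversary input."""
    paths: list[list[int]] = []
    def walk(idx: int, path: list[int]) -> None:
        path, stmt = path + [idx], program[idx]
        if stmt.target is None or stmt.op in SINKS or stmt.op in PARAMETERIZED:
            paths.append(path)                    # leaf: a sink was reached
            return
        readers = [n for n in uses(program, stmt.target) if n not in path]
        if not readers:
            paths.append(path)                    # dead end: value reaches no sink
        for n in readers:
            walk(n, path)
    for i, s in enumerate(program):
        if any(is_source(a) for a in s.args):
            walk(i, [])
    return paths

def classify(program: list[Stmt], path: list[int]) -> str:
    """'vulnerable': unblocked flow into a sink; 'blocked': a sanitizer or
    parameterized API stops it; 'benign': no sink on the path."""
    last = program[path[-1]]
    if last.op in PARAMETERIZED:
        return "blocked"
    if last.op not in SINKS:
        return "benign"
    return "blocked" if any(program[i].op in SANITIZERS for i in path) else "vulnerable"

def paths_of_kind(program: list[Stmt], kind: str) -> list[list[int]]:
    return [p for p in acid_tree(program) if classify(program, p) == kind]

def insecurity_refactor(program: list[Stmt], path: list[int]) -> list[Stmt]:
    """Copy of `program` in which every blocking node on `path` is made injectable."""
    new = list(program)
    for i in sorted(path, reverse=True):          # edit back to front so indices stay valid
        s = new[i]
        if s.op in SANITIZERS:                    # $id = intval($_GET['id'])  ->  $id = $_GET['id']
            new[i] = replace(s, op="assign")
        elif s.op in PARAMETERIZED:               # prepare/bind_param  ->  concatenated query
            conn, query, value = s.args
            new[i:i + 1] = [Stmt("$sql", "concat", (query.replace("?", ""), value)),
                            Stmt(None, PARAMETERIZED[s.op], (conn, "$sql"))]
    return new

def refactor_project(program: list[Stmt]) -> list[Stmt]:
    """Transform one candidate path at a time, re-analysing because indices shift."""
    while candidates := paths_of_kind(program, "blocked"):
        program = insecurity_refactor(program, candidates[0])
    return program

def render(program: list[Stmt]) -> str:
    """Emit PHP so the original and the refactored handler can be compared."""
    lines = []
    for s in program:
        if s.op == "assign":
            lines.append(f"{s.target} = {s.args[0]};")
        elif s.op == "concat":
            lines.append(f"{s.target} = {' . '.join(s.args)};")
        elif s.op == "prepare_bind":
            conn, query, value = s.args
            lines.append(f"$stmt = {conn}->prepare({query}); $stmt->bind_param('s', {value}); $stmt->execute();")
        else:
            call = f"{s.op}({', '.join(s.args)})"
            lines.append(f"{s.target} = {call};" if s.target else f"{call};")
    return "\n".join(lines)

# Constructed sample: a hardened handler with a sanitized XSS sink and a parameterized SQL sink.
SECURE = [
    Stmt("$name", "htmlspecialchars", ("$_GET['name']",)),
    Stmt("$id", "intval", ("$_GET['id']",)),
    Stmt(None, "prepare_bind", ("$db", "'SELECT * FROM users WHERE id = ?'", "$id")),
    Stmt(None, "echo", ("$name",)),
]

if __name__ == "__main__":
    print(render(SECURE), "--- insecurity refactored ---", render(refactor_project(SECURE)), sep="\n")
```

Running the module prints the hardened handler and its insecurity-refactored form. On a benign request (a numeric id, a name without HTML metacharacters) both versions produce the same page and the same query, which is the behavior-preservation property the definition requires, while the refactored version now has an unbroken flow from `$_GET` into `echo` and `mysqli_query` that a static analyzer or a manual inspection should report, mirroring the confirmation step described in the abstract.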

Cited By

  • (2024) MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository Discovery. Proceedings of the 20th International Conference on Predictive Models and Data Analytics in Software Engineering, pp. 42–51. https://doi.org/10.1145/3663533.3664036. Online publication date: 10 Jul 2024.

Published In

Computers and Security  Volume 128, Issue C
May 2023
739 pages

Publisher

Elsevier Advanced Technology Publications

United Kingdom

Author Tags

  1. Web security
  2. Static code analysis
  3. Refactoring
  4. Vulnerability Pattern
  5. PHP
  6. SQLi
  7. XSS

Qualifiers

  • Research-article
