A refined approach to detecting and fixing vulnerabilities (SecurityAware)

Type: National Project

Duration: from 2020 Nov 01 to 2021 Oct 31

Financed by: FCT

Prime Contractor: INESC-ID (Other)

Software vulnerabilities lead to massive financial losses for software companies as a result of business disruption, loss of privacy, reputational damage, legal implications, and life-threatening situations. For instance, in 2014, an Apple bug ('goto fail') in a widely used SSL implementation caused applications to accept invalid certificates. Remarkably, this bug was statically detectable and yet made it into production. Previous work reported several experiences of applying static analysis tools to production software. Although several success stories exist, there are also several concerning limitations that hinder wide adoption, viz. a high number of false positives and warnings that are innocuous and difficult to act upon.

Continuous Integration (CI) is an increasingly popular practice among modern development teams, as it enables a team to safely build, test, and deploy their code. However, due to the overwhelming amount of information generated by all of these phases and tools, software engineers find some of the production phases frustrating and tend to ignore valuable output.

Following the CodeAware vision (CodeAware is sensor-based, fine-grained monitoring and management of software that can easily be integrated into the CI pipeline), we propose the development of a novel framework for automatically and efficiently detecting security issues that can be integrated with confidence into CI pipelines through the implementation of more fine-grained approaches to CI static analysis. This research aims to (i) understand and evaluate how current static analysis techniques fare in vulnerability detection performance, (ii) craft a unified technique that intelligently combines the output of several promising techniques to improve flexibility, and (iii) develop novel techniques to rank warnings to improve software engineers' CI experience. All these exploratory approaches will be made available as open source within the CodeAware framework to pave the way for other research work.


  • INESC-ID (Other)

Principal Investigators