Files
logseq/pages/hls__msr2024-technical-paper100-SATD_1702046660022_0.md
T
2025-06-05 22:07:12 +02:00

7.4 KiB
Raw Blame History

file:: msr2024-technical-paper100-SATD_1702046660022_0.pdf file-path:: ../assets/msr2024-technical-paper100-SATD_1702046660022_0.pdf

  • This work investigates the security implications of SATD from a technical and developer-centred perspective. ls-type:: annotation hl-page:: 1 hl-color:: green id:: 657b0337-6189-4b88-828a-a4e41e886c07
  • it analyses whether security pointers disclosed inside SATD sources can be used to characterise vulnerabilities in Open-Source Software (OSS) projects and repositories ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 657b034a-6da8-4c4e-9589-da4b20a0d5bc
  • it delves into developers perspectives regarding the motivations behind this practice, its prevalence, and its potential negative consequences ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 657b035f-880e-400d-b6bc-52cfc54836df
  • analysis of a preexisting dataset containing 94,455 SATD instances ls-type:: annotation hl-page:: 1 hl-color:: green id:: 657b037c-e116-4902-af66-9151ee9ac98e
  • online survey with 222 OSS practitioners ls-type:: annotation hl-page:: 1 hl-color:: green id:: 657b0383-b5ac-4672-a89d-3fa8c3dcdf15
  • We gathered 201 SATD instances through the dataset analysis and mapped them to different Common Weakness Enumeration(CWE) identifiers. ls-type:: annotation hl-page:: 1 hl-color:: blue id:: 657b03d6-fc1a-4889-9316-a0048d186dcf
  • 25 different types of CWEs were spotted across commit messages, pull requests, code comments, and issue sections, from which 8 appear among MITREs Top-25 most dangerous ones ls-type:: annotation hl-page:: 1 hl-color:: blue id:: 657b03f5-da8f-43b9-b6f9-f9dd4ac56d3a
  • The survey shows that software practitioners often place security pointers across SATD artefacts to promote a security culture among their peers and help them spot flaky code sections, among other motives. ls-type:: annotation hl-page:: 1 hl-color:: yellow id:: 657b0418-e290-4295-b8ea-881eb58074ad
  • Our findings suggest that preserving the contextual integrity of security pointers disseminated across SATD artefacts is critical to safeguard both commercial and OSS solutions against zero-day attacks. ls-type:: annotation hl-page:: 1 hl-color:: yellow id:: 657b046c-1931-43c5-a9bc-86d76e4e5c78
  • circumvent with spurious design workarounds and sub-optimal implementations ls-type:: annotation hl-page:: 1 hl-color:: green id:: 657dc10b-c38b-4a52-b157-494912c8d7c5
  • low-quality artefacts that can impair the future maintenance and evolution of the system being developed ls-type:: annotation hl-page:: 1 hl-color:: green id:: 657dc119-1283-4d18-a8eb-7ef4e1eaaa4b
  • TD can incur extra work in the longterm, not to mention additional costs. ls-type:: annotation hl-page:: 1 hl-color:: green id:: 657dc13b-c9f7-4126-b876-5ad92d0bbc4f
  • it is deemed a critical issue for software development and considered ubiquitous to most software projects across all industry segments ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 657dc145-ed1e-4fea-b3d7-f08c4c30fe94
  • security incurs extra costs as it is frequently seen as an “after-thought” instead of an actual priority in the software development life cycle ls-type:: annotation hl-page:: 1 hl-color:: green id:: 657dc170-7bea-4bff-bae2-a4de42595c02
  • intersection between TD and security ls-type:: annotation hl-page:: 1 hl-color:: blue id:: 657dc187-f390-45fe-986f-312a1ccc2ab6
  • significant part of TD is explicitly reported by developers themselves in the form of “self-admissions”, namely through software artefacts such as code comments ls-type:: annotation hl-page:: 1 hl-color:: blue id:: 657dc1ad-caf0-4cff-8619-2ae58d6fbd8a
  • Particularly, an attacker could take advantage of security pointers disclosed inside these sources (e.g., a code comment like “TODO: Make it thread-safe”) to spot exploitable weaknesses in the system threatening its availability, confidentiality and integrity. ls-type:: annotation hl-page:: 1 hl-color:: purple id:: 657dc1e2-9695-46ff-b97d-1149ee389da5
  • the security implications of SATD have not been investigated nor documented throughout the literature up to our knowledge ls-type:: annotation hl-page:: 1 hl-color:: blue id:: 657dc427-af89-4c6b-bce5-4cb9d1a4c390
  • implications of security pointers inside SATD instances across multiple sources ls-type:: annotation hl-page:: 2 hl-color:: purple id:: 657dc6fb-e377-4918-99cb-750ab2872eaa
  • whether explicit references to security vulnerabilities inside code comments, commits, issue reports, and pull requests can help characterise exploitable weaknesses inside Open-Source Software (OSS ls-type:: annotation hl-page:: 2 hl-color:: blue id:: 657dc710-9843-4cbd-ac68-61370542bd06
  • OSS projects and repositories as they become easy targets of security attacks by making their artefacts visible and available to the public in general ls-type:: annotation hl-page:: 2 hl-color:: green id:: 657dc74f-1a59-490f-89d9-dd3bd5143987
  • RQ1: Can SATD sources contain pointers to security weaknesses and vulnerabilities inside OSS repositories? ls-type:: annotation hl-page:: 2 hl-color:: blue id:: 657dc794-12d3-4c51-91b8-77e5a5ef87d4
  • 546 security-relevant SATD candidates and inspected them manually for security pointers ls-type:: annotation hl-page:: 2 hl-color:: green id:: 657dc7a1-e7f0-4bcc-af73-58094e6608af
  • 201 Security Self-Admitted Technical Debt (SSATD) observations that we considered for further analysis ls-type:: annotation hl-page:: 2 hl-color:: yellow id:: 657dc7ac-5da8-4f6f-b13d-53927c27ef57
  • RQ2: Which particular weakness and vulnerabilities are frequently exposed through different SATD sources? ls-type:: annotation hl-page:: 2 hl-color:: blue id:: 657dc7d0-92a6-4e6b-af25-a2a30bff0079
  • 25 different CWE types across commit messages, code comments, pull requests, and issue reports. Moreover, 8 of these 25 CWEs appear listed among MITREs Top-25 most dangerous software weaknesses in 2023. ls-type:: annotation hl-page:: 2 hl-color:: green id:: 657dc806-5f06-4633-a890-e5639a826fa5
  • RQ3: What is developers perspective on security-related SATD in OSS repositories? ls-type:: annotation hl-page:: 2 hl-color:: blue id:: 657dc80c-3168-4d1e-a104-2ae61b0ce9b4
  • many practitioners engage with this practice, although they recognise it as potentially risky. ls-type:: annotation hl-page:: 2 hl-color:: green id:: 657dc827-0c7e-4b4b-8852-afdd509477af
  • a few publications in the current literature explore the interface between software security and TD ls-type:: annotation hl-page:: 2 hl-color:: green id:: 657dc8b7-d222-40d5-8d66-705aaaccff4b
  • they suggest that tools/methods such as code reviews and threat modelling are suitable to spot internal quality issues in software requirements, coding, architecture, and testing ls-type:: annotation hl-page:: 2 hl-color:: green id:: 657dc8ed-8198-455d-b95c-6e3f183b7401
  • They conclude that TD pointers can help improve the performance of Machine Learning (ML) models for vulnerability prediction. ls-type:: annotation hl-page:: 2 hl-color:: green id:: 657dca95-443e-4a10-8e43-8bca892cb0ba
  • more than 55% of self-admissions in the form of code comments correspond to insecure implementations/snippets ls-type:: annotation hl-page:: 2 hl-color:: blue id:: 657dcabf-d2aa-4545-b8ea-0ce2982bda30