Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects
Resumo
This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects, the relationship between these and overall project security, and how developers’ behaviors and practices influence their mitigation. Through analysis of OSS projects, we have identified common issues in outdated or unmaintained dependencies, including pointer dereferences and array bounds violations, that pose significant security risks. We have also examined developer responses to formal verifier reports, noting a tendency to dismiss potential issues as false positives, which can lead to overlooked vulnerabilities. Our results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape. Notably, four vulnerabilities were fixed as a result of this study, demonstrating the effectiveness of our mitigation strategies.Referências
Almarimi, N., Ouni, A., and Mkaouer, M. W. (2020). Learning to detect community smells in open source software projects. Knowledge-Based Systems, 204:106201.
Assal, H. and Chiasson, S. (2018). Security in the software development lifecycle. In SOUPS, pages 281–296.
Berger, E. D., Hollenbeck, C., Maj, P., Vitek, O., and Vitek, J. (2019). On the impact of programming languages on code quality: A reproduction study. ACM TOPLAS, 41(4):1–24.
Beyer, D. (2024). State of the art in software verification and witness validation: Sv-comp 2024. In TACAS, pages 299–329. Springer.
Brat, G., Navas, J. A., Shi, N., and Venet, A. (2014). Ikos: A framework for static analysis based on abstract interpretation. In SEFM, pages 271–277. Springer.
Clarke, E., Kroening, D., and Lerda, F. (2004). A tool for checking ansi-c programs. Lecture Notes in Computer Science, 2988:168–176.
Cordeiro, L. and Fischer, B. (2011). Verifying multi-threaded software using smt-based context-bounded model checking. In ICSE, pages 331–340.
Coverity (2024). Static application security testing. [link]. Accessed 16 Aug 2024.
CVE, M. (2024). Cve list. [link]. Accessed 16 June 2024.
de Sousa, J. O., de Farias, B. C., da Silva, T. A., Cordeiro, L. C., et al. (2023a). Finding software vulnerabilities in open-source c projects via bounded model checking. arXiv preprint arXiv:2311.05281.
de Sousa, J. O., de Farias, B. C., da Silva, T. A., de Lima Filho, E. B., and Cordeiro, L. C. (2023b). Lsverifier: A bmc approach to identify security vulnerabilities in c open-source software projects. In XXIII SBSeg, pages 17–24. SBC.
Fortify (2024). Source code analyzer. [link]. Accessed 16 Aug 2024.
Gadelha, M., Monteiro, F., Cordeiro, L., and Nicole, D. (2019). ESBMC v6.0: Verifying C Programs Using k-Induction and Invariant Inference. In TACAS.
Gadelha, M. R., Menezes, R. S., and Cordeiro, L. C. (2021). Esbmc 6.1: automated test case generation using bounded model checking. STTT, 23(6):857–861.
Gueye, A., Galhardo, C. E., Bojanova, I., and Mell, P. (2021). A decade of reoccurring software weaknesses. IEEE Security & Privacy, 19(6):74–82.
Kula, R. G., German, D. M., Ouni, A., Ishio, T., and Inoue, K. (2018). Do developers update their library dependencies? an empirical study on the impact of security advisories on library migration. Empirical Software Engineering, 23:384–417.
Lipp, S., Banescu, S., and Pretschner, A. (2022). An empirical study on the effectiveness of static c code analyzers for vulnerability detection. In 31st ACM SIGSOFT, pages 544–555.
Marjamäki, D. (2013). Cppcheck: a tool for static c/c++ code analysis. URL: [link].
Massacci, F. and Pashchenko, I. (2021). Technical leverage in a software ecosystem: Development opportunities and security risks. In IEEE/ACM ICSE, pages 1386–1397. IEEE.
Menezes, R. S., Aldughaim, M., Farias, B., Li, X., Manino, E., Shmarov, F., Song, K., Brauße, F., Gadelha, M. R., Tihanyi, N., et al. (2024). Esbmc v7. 4: Harnessing the power of intervals: (competition contribution). In TACAS, pages 376–380. Springer.
MITRE (2024). Common weakness enumeration (cwe). Accessed 16 June 2024.
Pashchenko, I., Vu, D.-L., and Massacci, F. (2020). A qualitative study of dependency management and its security implications. In ACM SIGSAC, pages 1513–1531.
Plate, H., Ponta, S. E., and Sabetta, A. (2015). Impact assessment for vulnerabilities in open-source software libraries. In ICSME, pages 411–420. IEEE.
Prana, G. A. A., Sharma, A., Shar, L. K., Foo, D., Santosa, A. E., Sharma, A., and Lo, D. (2021). Out of sight, out of mind? how vulnerable dependencies affect open-source projects. Empirical Software Engineering, 26:1–34.
Švejda, J., Berger, P., and Katoen, J.-P. (2020). Interpretation-based violation witness validation for c: Nitwit. In TACAS, pages 40–57. Springer.
Tang, W., Xu, Z., Liu, C., Wu, J., Yang, S., Li, Y., Luo, P., and Liu, Y. (2022). Towards understanding third-party library dependency in c/c++ ecosystem. In 37th IEEE/ACM ASE, pages 1–12.
Wermke, D. (2023). Security considerations in the open source software ecosystem.
Wermke, D., Wöhler, N., Klemmer, J. H., Fourné, M., Acar, Y., and Fahl, S. (2022). Committed to trust: A qualitative study on security & trust in open source software projects. In IEEE SP, pages 1880–1896. IEEE.
Xiao, S., Witschey, J., and Murphy-Hill, E. (2014). Social influences on secure development tool adoption: why security tools spread. In 17th ACM CSCW, pages 1095–1106.
Zou, J., Zeng, W., Zhao, Y., Liang, R., and CSAI, A. (2019). Research on secure stereoscopic self-checking scheme for open source software. pages 158–162.
Assal, H. and Chiasson, S. (2018). Security in the software development lifecycle. In SOUPS, pages 281–296.
Berger, E. D., Hollenbeck, C., Maj, P., Vitek, O., and Vitek, J. (2019). On the impact of programming languages on code quality: A reproduction study. ACM TOPLAS, 41(4):1–24.
Beyer, D. (2024). State of the art in software verification and witness validation: Sv-comp 2024. In TACAS, pages 299–329. Springer.
Brat, G., Navas, J. A., Shi, N., and Venet, A. (2014). Ikos: A framework for static analysis based on abstract interpretation. In SEFM, pages 271–277. Springer.
Clarke, E., Kroening, D., and Lerda, F. (2004). A tool for checking ansi-c programs. Lecture Notes in Computer Science, 2988:168–176.
Cordeiro, L. and Fischer, B. (2011). Verifying multi-threaded software using smt-based context-bounded model checking. In ICSE, pages 331–340.
Coverity (2024). Static application security testing. [link]. Accessed 16 Aug 2024.
CVE, M. (2024). Cve list. [link]. Accessed 16 June 2024.
de Sousa, J. O., de Farias, B. C., da Silva, T. A., Cordeiro, L. C., et al. (2023a). Finding software vulnerabilities in open-source c projects via bounded model checking. arXiv preprint arXiv:2311.05281.
de Sousa, J. O., de Farias, B. C., da Silva, T. A., de Lima Filho, E. B., and Cordeiro, L. C. (2023b). Lsverifier: A bmc approach to identify security vulnerabilities in c open-source software projects. In XXIII SBSeg, pages 17–24. SBC.
Fortify (2024). Source code analyzer. [link]. Accessed 16 Aug 2024.
Gadelha, M., Monteiro, F., Cordeiro, L., and Nicole, D. (2019). ESBMC v6.0: Verifying C Programs Using k-Induction and Invariant Inference. In TACAS.
Gadelha, M. R., Menezes, R. S., and Cordeiro, L. C. (2021). Esbmc 6.1: automated test case generation using bounded model checking. STTT, 23(6):857–861.
Gueye, A., Galhardo, C. E., Bojanova, I., and Mell, P. (2021). A decade of reoccurring software weaknesses. IEEE Security & Privacy, 19(6):74–82.
Kula, R. G., German, D. M., Ouni, A., Ishio, T., and Inoue, K. (2018). Do developers update their library dependencies? an empirical study on the impact of security advisories on library migration. Empirical Software Engineering, 23:384–417.
Lipp, S., Banescu, S., and Pretschner, A. (2022). An empirical study on the effectiveness of static c code analyzers for vulnerability detection. In 31st ACM SIGSOFT, pages 544–555.
Marjamäki, D. (2013). Cppcheck: a tool for static c/c++ code analysis. URL: [link].
Massacci, F. and Pashchenko, I. (2021). Technical leverage in a software ecosystem: Development opportunities and security risks. In IEEE/ACM ICSE, pages 1386–1397. IEEE.
Menezes, R. S., Aldughaim, M., Farias, B., Li, X., Manino, E., Shmarov, F., Song, K., Brauße, F., Gadelha, M. R., Tihanyi, N., et al. (2024). Esbmc v7. 4: Harnessing the power of intervals: (competition contribution). In TACAS, pages 376–380. Springer.
MITRE (2024). Common weakness enumeration (cwe). Accessed 16 June 2024.
Pashchenko, I., Vu, D.-L., and Massacci, F. (2020). A qualitative study of dependency management and its security implications. In ACM SIGSAC, pages 1513–1531.
Plate, H., Ponta, S. E., and Sabetta, A. (2015). Impact assessment for vulnerabilities in open-source software libraries. In ICSME, pages 411–420. IEEE.
Prana, G. A. A., Sharma, A., Shar, L. K., Foo, D., Santosa, A. E., Sharma, A., and Lo, D. (2021). Out of sight, out of mind? how vulnerable dependencies affect open-source projects. Empirical Software Engineering, 26:1–34.
Švejda, J., Berger, P., and Katoen, J.-P. (2020). Interpretation-based violation witness validation for c: Nitwit. In TACAS, pages 40–57. Springer.
Tang, W., Xu, Z., Liu, C., Wu, J., Yang, S., Li, Y., Luo, P., and Liu, Y. (2022). Towards understanding third-party library dependency in c/c++ ecosystem. In 37th IEEE/ACM ASE, pages 1–12.
Wermke, D. (2023). Security considerations in the open source software ecosystem.
Wermke, D., Wöhler, N., Klemmer, J. H., Fourné, M., Acar, Y., and Fahl, S. (2022). Committed to trust: A qualitative study on security & trust in open source software projects. In IEEE SP, pages 1880–1896. IEEE.
Xiao, S., Witschey, J., and Murphy-Hill, E. (2014). Social influences on secure development tool adoption: why security tools spread. In 17th ACM CSCW, pages 1095–1106.
Zou, J., Zeng, W., Zhao, Y., Liang, R., and CSAI, A. (2019). Research on secure stereoscopic self-checking scheme for open source software. pages 158–162.
Publicado
16/09/2024
Como Citar
SOUSA, Janislley Oliveira de; FARIAS, Bruno Carvalho de; LIMA FILHO, Eddie Batista de; CORDEIRO, Lucas Carvalho.
Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24. , 2024, São José dos Campos/SP.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2024
.
p. 616-631.
DOI: https://doi.org/10.5753/sbseg.2024.241765.
