research-article
Free access
Just Accepted

Software Security Analysis in 2030 and Beyond: A Research Roadmap

Online AM: 19 December 2024

Abstract

As our lives, our businesses, and indeed our world economy become increasingly reliant on the secure operation of many interconnected software systems, the software engineering research community is faced with unprecedented research challenges, but also with exciting new opportunities. In this roadmap paper, we outline our vision of Software Security Analysis for the systems of the future. Given the recent advances in generative AI, we need new methods to assess and maximize the security of code co-written by machines. As our systems become increasingly heterogeneous, we need practical approaches that work even if some functions are automatically generated, e.g., by deep neural networks. As software systems depend ever more on the software supply chain, we need tools that scale to an entire ecosystem. What kinds of vulnerabilities exist in future systems, and how do we detect them? When all the shallow bugs have been found, how do we discover vulnerabilities hidden deep in the system? Assuming we cannot find all security flaws, how can we nevertheless protect our systems? To answer these questions, we start our roadmap with a survey of recent advances in software security, then discuss open challenges and opportunities, and conclude with a long-term perspective for the field.

[152]
Neil Perry, Megha Srivastava, Deepak Kumar, and Dan Boneh. 2023. Do Users Write More Insecure Code with AI Assistants?. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS ’23). Association for Computing Machinery, New York, NY, USA, 2785–2799. https://doi.org/10.1145/3576915.3623157
[153]
Jonas Peters, Dominik Janzing, and Bernhard Schlkopf. 2017. Elements of Causal Inference: Foundations and Learning Algorithms. The MIT Press.
[154]
Van-Thuan Pham, Marcel Böhme, Andrew E. Santosa, Alexandru R. Căciulescu, and Abhik Roychoudhury. 2021. Smart Greybox Fuzzing. IEEE Transactions on Software Engineering 47, 9 (2021), 1980–1997. https://doi.org/10.1109/TSE.2019.2941681
[155]
Quoc-Sang Phan, Lucas Bang, Corina S. Pasareanu, Pasquale Malacaria, and Tevfik Bultan. 2017. Synthesis of Adaptive Side-Channel Attacks. In 30th IEEE Computer Security Foundations Symposium, CSF 2017, Santa Barbara, CA, USA, August 21-25, 2017. IEEE Computer Society, 328–342.
[156]
Luís Pina, Anastasios Andronidis, Michael Hicks, and Cristian Cadar. 2019. Mvedsua: Higher Availability Dynamic Software Updates via Multi-Version Execution. In International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2019) (Providence, RI, USA). 573–585.
[157]
Goran Piskachev, Lisa Nguyen Quang Do, and Eric Bodden. 2019. Codebase-adaptive detection of security-relevant methods. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis. 181–191.
[158]
Goran Piskachev, Ranjith Krishnamurthy, and Eric Bodden. 2021. Secucheck: Engineering configurable taint analysis for software developers. In 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM). IEEE, 24–29.
[159]
Sebastian Poeplau and Aurélien Francillon. 2020. Symbolic execution with SymCC: Don’t interpret, compile!. In 29th USENIX Security Symposium (USENIX Security 20). 181–198.
[160]
Chromium Project. 2021. Memory safety. https://www.chromium.org/Home/chromium-security/memory-safety/
[161]
pundit 2016. GitHub - elabs/pundit: Minimal authorization throught OO design and pure Ruby classes. https://github.com/elabs/pundit.
[162]
Manuel Rigger and Zhendong Su. 2020. Testing Database Engines via Pivoted Query Synthesis. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20). USENIX Association, 667–682. https://www.usenix.org/conference/osdi20/presentation/rigger
[163]
Niklas Risse and Marcel Böhme. 2023. Limits of Machine Learning for Automatic Vulnerability Detection. arXiv:2306.17193 [cs.CR]
[164]
Yaman Roumani. 2021. Patching zero-day vulnerabilities: an empirical analysis. Journal of Cybersecurity 7, 1 (2021), tyab023.
[165]
Gustavo Sandoval, Hammond Pearce, Teo Nys, Ramesh Karri, Siddharth Garg, and Brendan Dolan-Gavitt. 2023. Lost at c: A user study on the security implications of large language model code assistants. In 32nd USENIX Security Symposium (USENIX Security 23). 2205–2222.
[166]
Koushik Sen, Darko Marinov, and Gul Agha. 2005. CUTE: A concolic unit testing engine for C. ACM SIGSOFT Software Engineering Notes 30, 5 (2005), 263–272.
[167]
Kostya Serebryany. 2017. OSS-Fuzz - Google's continuous fuzzing service for open source software. USENIX Association, Vancouver, BC.
[168]
Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In 2012 USENIX annual technical conference (USENIX ATC 12). 309–318.
[169]
Geoffrey Smith. 2009. On the Foundations of Quantitative Information Flow. In Foundations of Software Science and Computational Structures, 12th International Conference, FOSSACS 2009, York, UK, March 22-29, 2009. Proceedings. 288–302.
[170]
Eliezio Soares, Gustavo Sizilio, Jadson Santos, Daniel Alencar da Costa, and Uirá Kulesza. 2022. The effects of continuous integration on software development: a systematic literature review. Empirical Software Engineering 27, 3 (2022), 78.
[171]
X. Song, Y. Wang, X. Cheng, G. Liang, W. Qianxiang, and Z. Zhu. 2024. Efficiently Trimming the Fat: Streamlining Software Dependencies with Java Reflection and Dependency Analysis. In 2024 IEEE/ACM 46th International Conference on Software Engineering (ICSE). IEEE Computer Society, Los Alamitos, CA, USA, 887–887. https://doi.ieeecomputersociety.org/
[172]
Johannes Späth, Karim Ali, and Eric Bodden. 2019. Context-, flow-, and field-sensitive data-flow analysis using synchronized pushdown systems. Proceedings of the ACM on Programming Languages 3, POPL (2019), 1–29.
[173]
Evgeniy Stepanov and Konstantin Serebryany. 2015. MemorySanitizer: fast detector of uninitialized memory use in C++. In 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO). IEEE, 46–55.
[174]
Jeffrey Vander Stoep. 2022. Memory Safe Languages in Android 13. https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html
[175]
Jacob Stringer, Amjed Tahir, Kelly Blincoe, and Jens Dietrich. 2020. Technical lag of dependencies in major package managers. In 2020 27th Asia-Pacific Software Engineering Conference (APSEC). IEEE, 228–237.
[176]
Kairan Sun, Zhengzi Xu, Chengwei Liu, Kaixuan Li, and Yang Liu. 2023. Demystifying the Composition and Code Reuse in Solidity Smart Contracts. In Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 796–807.
[177]
Zhensu Sun, Xiaoning Du, Fu Song, Mingze Ni, and Li Li. 2022. Coprotector: Protect open-source code against unauthorized training usage with data poisoning. In Proceedings of the ACM Web Conference 2022. 652–660.
[178]
Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. Sok: Eternal war in memory. In 2013 IEEE Symposium on Security and Privacy. IEEE, 48–62.
[179]
Matthew Taylor, Ruturaj Vaidya, Drew Davidson, Lorenzo De Carli, and Vaibhav Rastogi. 2020. Defending against package typosquatting. In Proceedings of the 14th International Conference Network and System Security (NSS 2020). Springer, 112–131.
[180]
Ken Thompson. 1984. Reflections on trusting trust. Commun. ACM 27, 8 (aug 1984), 761–763. https://doi.org/10.1145/358198.358210
[181]
Omer Tripp, Marco Pistoia, Stephen J Fink, Manu Sridharan, and Omri Weisman. 2009. TAJ: effective taint analysis of web applications. ACM Sigplan Notices 44, 6 (2009), 87–97.
[182]
Daniele Ucci, Leonardo Aniello, and Roberto Baldoni. 2019. Survey of machine learning techniques for malware analysis. Computers & Security 81 (2019), 123–147.
[183]
Celina G. Val, Michael A. Enescu, Sam Bayless, William Aiello, and Alan J. Hu. 2016. Precisely Measuring Quantitative Information Flow: 10K Lines of Code and Beyond. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). 31–46. https://doi.org/10.1109/EuroSP.2016.15
[184]
verizonleak [n. d.]. 14 MILLION Verizon subscribers’ details leak from crappily configured AWS S3 data store. https://www.theregister.co.uk/2017/07/12/14m_verizon_customers_details_out/.
[185]
Garima Verma and Sandhya Adhikari. 2020. Cloud computing security issues: a stakeholder's perspective. SN Computer Science 1, 6 (2020), 329.
[186]
VSCode 2024. VSCode IDE. https://code.visualstudio.com/.
[187]
Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, and Antonino Sabetta. 2020. Typosquatting and combosquatting attacks on the python ecosystem. In 2020 ieee european symposium on security and privacy workshops (euros&pw). IEEE, 509–514.
[188]
Ying Wang, Peng Sun, Lin Pei, Yue Yu, Chang Xu, Shing-Chi Cheung, Hai Yu, and Zhiliang Zhu. 2023. Plumber: Boosting the propagation of vulnerability fixes in the npm ecosystem. IEEE Transactions on Software Engineering (2023).
[189]
Jason Wei, Xuezhi Wang, Dale Schuurmans, Maarten Bosma, Ed H. Chi, Quoc Le, and Denny Zhou. 2022. Chain of Thought Prompting Elicits Reasoning in Large Language Models. CoRR abs/2201.11903 (2022). arXiv:2201.11903 https://arxiv.org/abs/2201.11903
[190]
Jonathan Woodruff, Robert NM Watson, David Chisnall, Simon W Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G Neumann, Robert Norton, and Michael Roe. 2014. The CHERI capability model: Revisiting RISC in an age of risk. ACM SIGARCH Computer Architecture News 42, 3 (2014), 457–468.
[191]
Fangzhou Wu, Ning Zhang, Somesh Jha, Patrick McDaniel, and Chaowei Xiao. 2024. A new era in llm security: Exploring security concerns in real-world llm-based systems. arXiv preprint arXiv:2402.18649 (2024).
[192]
Haoze Wu, Alex Ozdemir, Aleksandar Zeljić, Kyle Julian, Ahmed Irfan, Divya Gopinath, Sadjad Fouladi, Guy Katz, Corina Pasareanu, and Clark Barrett. 2020. Parallelization Techniques for Verifying Neural Networks. In 2020 Formal Methods in Computer Aided Design (FMCAD). 128–137. https://doi.org/10.34727/2020/isbn.978-3-85448-042-6_20
[193]
Yueming Wu, Chengwei Liu, and Yang Liu. 2023. The Software Genome Project: Venture to the Genomic Pathways of Open Source Software and Its Applications. arXiv preprint arXiv:2311.09881 (2023).
[194]
Yulun Wu, Zeliang Yu, Ming Wen, Qiang Li, Deqing Zou, and Hai Jin. 2023. Understanding the threats of upstream vulnerabilities to downstream projects in the maven ecosystem. In 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 1046–1058.
[195]
XACML 2003. eXtensible Access Control Markup Language (XACML) Version 1.0. OASIS Standard. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
[196]
Guowei Yang, Corina S. Păsăreanu, and Sarfraz Khurshid. 2012. Memoized symbolic execution. In Proceedings of the 2012 International Symposium on Software Testing and Analysis (Minneapolis, MN, USA) (ISSTA 2012). Association for Computing Machinery, New York, NY, USA, 144–154. https://doi.org/10.1145/2338965.2336771
[197]
Xuejun Yang, Yang Chen, Eric Eide, and John Regehr. 2011. Finding and understanding bugs in C compilers. In Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation. 283–294.
[198]
Yifan Yao, Jinhao Duan, Kaidi Xu, Yuanfang Cai, Zhibo Sun, and Yue Zhang. 2024. A survey on large language model (llm) security and privacy: The good, the bad, and the ugly. High-Confidence Computing (2024), 100211.
[199]
Jerin Yasmin, Yuan Tian, and Jinqiu Yang. 2020. A first look at the deprecation of RESTful APIs: An empirical study. In 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 151–161.
[200]
Zhiyuan Yu, Yuhao Wu, Ning Zhang, Chenguang Wang, Yevgeniy Vorobeychik, and Chaowei Xiao. 2023. CODEIPPROMPT: intellectual property infringement assessment of code language models. In International Conference on Machine Learning. PMLR, 40373–40389.
[201]
Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila, and Laurie Williams. 2022. What are weak links in the npm supply chain?. In Proceedings of the 44th International Conference on Software Engineering: Software Engineering in Practice. 331–340.
[202]
Michal Zalewski. [n. d.]. Technical “whitepaper” for afl-fuzz. http://lcamtuf.coredump.cx/afl/technical_details.txt.
[203]
Xian Zhan, Lingling Fan, Sen Chen, Feng Wu, Tianming Liu, Xiapu Luo, and Yang Liu. 2021. Atvhunter: Reliable version detection of third-party libraries for vulnerability identification in android applications. In 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 1695–1707.
[204]
Lyuye Zhang, Chengwei Liu, Sen Chen, Zhengzi Xu, Lingling Fan, Lida Zhao, Yiran Zhang, and Yang Liu. 2023. Mitigating persistence of open-source vulnerabilities in maven ecosystem. In 2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 191–203.
[205]
Lyuye Zhang, Chengwei Liu, Zhengzi Xu, Sen Chen, Lingling Fan, Bihuan Chen, and Yang Liu. 2023. Has My Release Disobeyed Semantic Versioning? Static Detection Based on Semantic Differencing. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (¡conf-loc¿, ¡city¿Rochester¡/city¿, ¡state¿MI¡/state¿, ¡country¿USA¡/country¿, ¡/conf-loc¿) (ASE ’22). Association for Computing Machinery, New York, NY, USA, Article 51, 12 pages. https://doi.org/10.1145/3551349.3556956
[206]
Lyuye Zhang, Chengwei Liu, Zhengzi Xu, Sen Chen, Lingling Fan, Lida Zhao, Jiahui Wu, and Yang Liu. 2023. Compatible remediation on vulnerabilities from third-party libraries for java projects. In 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 2540–2552.
[207]
Yanan Zhang, Yuqiao Ning, Chao Ma, Longhai Yu, and Zhen Guo. 2023. Empirical Study for Open Source Libraries in Automotive Software Systems. IEEE Access (2023).
[208]
Yuntong Zhang, Haifeng Ruan, Zhiyu Fan, and Abhik Roychoudhury. 2024. AutoCodeRover: Autonomous Program Improvement. arXiv preprint arXiv:2404.05427 (2024).
[209]
Zhengyan Zhang, Guangxuan Xiao, Yongwei Li, Tian Lv, Fanchao Qi, Zhiyuan Liu, Yasheng Wang, Xin Jiang, and Maosong Sun. 2023. Red alarm for pre-trained models: Universal vulnerability to neuron-level backdoor attacks. Machine Intelligence Research 20, 2 (2023), 180–193.
[210]
Jian Zhao, Shenao Wang, Yanjie Zhao, Xinyi Hou, Kailong Wang, Peiming Gao, Yuanchao Zhang, Chen Wei, and Haoyu Wang. 2024. Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs. arXiv preprint arXiv:2409.09368 (2024).
[211]
Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. Advances in neural information processing systems 32 (2019).
[212]
Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In 28th USENIX Security Symposium (USENIX Security 19). 995–1010.

      Published In

      ACM Transactions on Software Engineering and Methodology (Just Accepted), EISSN 1557-7392

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Publication History

      Accepted: 04 November 2024
      Revised: 26 September 2024
      Received: 27 May 2024
