Research article, DOI: 10.1145/3338906.3338969

Achilles’ heel of plug-and-Play software architectures: a grounded theory based approach

Published: 12 August 2019

Abstract

Through a set of well-defined interfaces, plug-and-play architectures enable additional functionalities to be added to or removed from a system at runtime. However, plug-ins can also increase the application’s attack surface or introduce untrusted behavior into the system. In this paper, we (1) use a grounded theory-based approach to conduct an empirical study of common vulnerabilities in plug-and-play architectures; (2) conduct a systematic literature survey and evaluate the extent to which the results of the empirical study are novel or supported by the literature; (3) evaluate the practicality of the findings by interviewing practitioners with several years of experience in plug-and-play systems. By analyzing Chromium, Thunderbird, Firefox, Pidgin, WordPress, Apache OfBiz, and OpenMRS, we found a total of 303 vulnerabilities rooted in extensibility design decisions and observed that these plugin-related vulnerabilities were caused by 16 different types of vulnerabilities. Out of these 16 vulnerability types, we identified 19 mitigation procedures for fixing them. The literature review supported 12 vulnerability types and 8 mitigation techniques discovered in our empirical study, and indicated that 5 mitigation techniques were not covered in our empirical study. Furthermore, it indicated that 4 vulnerability types and 11 mitigation techniques discovered in our empirical study were not covered in the literature. The interviews with practitioners confirmed the relevance of the findings and highlighted ways that the results of this empirical study can have an impact in practice.

Cited By

  • (2021) Automatically Identifying Bug Reports with Tactical Vulnerabilities by Deep Feature Learning. 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE), pages 333–344. DOI: 10.1109/ISSRE52982.2021.00043. Online publication date: Oct-2021
  • (2021) An empirical characterization of event sourced systems and their schema evolution — Lessons from industry. Journal of Systems and Software, 110970. DOI: 10.1016/j.jss.2021.110970. Online publication date: Apr-2021
  • (2020) Strategies for Pattern-Based Detection of Architecturally-Relevant Software Vulnerabilities. 2020 IEEE International Conference on Software Architecture (ICSA), pages 92–102. DOI: 10.1109/ICSA47634.2020.00017. Online publication date: Mar-2020

Published In

ESEC/FSE 2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
August 2019
1264 pages
ISBN:9781450355728
DOI:10.1145/3338906
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Plug-and-Play Design
  2. Software Security
  3. Vulnerabilities

Qualifiers

  • Research-article

Conference

ESEC/FSE '19
Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%
