Heuristic and Knowledge-Based Security Checks of Source Code Artifacts Using Community Knowledge

Logos Verlag Berlin GmbH
Ebook, 225 pages

About this ebook

The goal of this dissertation is to support developers in applying security checks using community knowledge. Artificial intelligence approaches combined with natural language processing techniques are employed to identify security-related information on community websites such as Stack Overflow or GitHub. All security-related information is stored in a security knowledge base. This knowledge base provides code fragments that represent the community's knowledge about vulnerabilities, security patches, and exploits.

Comprehensive knowledge is required to carry out security checks on software artifacts: data covering known vulnerabilities and their manifestation in the source code, as well as possible attack strategies. Approaches that check software libraries and source code fragments are provided so that this data can be used automatically.

Insecure software libraries can be detected using the NVD combined with the metadata and library file hash approaches introduced in this dissertation. Vulnerable source code fragments can be identified using community knowledge represented by code fragments extracted from the largest coding community websites, Stack Overflow and GitHub. A state-of-the-art clone detection approach is modified and enriched with several heuristics to enable vulnerability detection and leverage community knowledge while maintaining good performance. Using various case studies, the approaches, implemented as Eclipse plugins and a JIRA plugin, are adapted to the users' needs and evaluated.

āĻŽā§‚āĻ˛ā§āĻ¯āĻžāĻ‚āĻ•āĻ¨ āĻ†ā§°ā§ āĻĒā§°ā§āĻ¯āĻžāĻ˛ā§‹āĻšāĻ¨āĻžāĻ¸āĻŽā§‚āĻš

ā§Ģ.ā§Ļ
ā§§ āĻŸāĻž āĻĒā§°ā§āĻ¯āĻžāĻ˛ā§‹āĻšāĻ¨āĻž

āĻāĻ‡ āĻ‡āĻŦā§āĻ•āĻ–āĻ¨āĻ• āĻŽā§‚āĻ˛ā§āĻ¯āĻžāĻ‚āĻ•āĻ¨ āĻ•ā§°āĻ•

āĻ†āĻŽāĻžāĻ• āĻ†āĻĒā§‹āĻ¨āĻžā§° āĻŽāĻ¤āĻžāĻŽāĻ¤ āĻœāĻ¨āĻžāĻ“āĻ•āĨ¤

āĻĒāĻĸāĻŧāĻžā§° āĻ¨āĻŋāĻ°ā§āĻĻā§‡āĻļāĻžā§ąāĻ˛ā§€

āĻ¸ā§āĻŽāĻžā§°ā§āĻŸāĻĢ’āĻ¨ āĻ†ā§°ā§ āĻŸā§‡āĻŦāĻ˛ā§‡āĻŸ
Android āĻ†ā§°ā§ iPad/iPhoneā§° āĻŦāĻžāĻŦā§‡ Google Play Books āĻāĻĒāĻŸā§‹ āĻ‡āĻ¨āĻˇā§āĻŸāĻ˛ āĻ•ā§°āĻ•āĨ¤ āĻ‡ āĻ¸ā§āĻŦāĻ¯āĻŧāĻ‚āĻ•ā§āĻ°āĻŋāĻ¯āĻŧāĻ­āĻžā§ąā§‡ āĻ†āĻĒā§‹āĻ¨āĻžā§° āĻāĻ•āĻžāĻ‰āĻŖā§āĻŸā§° āĻ¸ā§ˆāĻ¤ā§‡ āĻ›āĻŋāĻ‚āĻ• āĻšāĻ¯āĻŧ āĻ†ā§°ā§ āĻ†āĻĒā§āĻ¨āĻŋ āĻ¯'āĻ¤ā§‡ āĻ¨āĻžāĻĨāĻžāĻ•āĻ• āĻ¤'āĻ¤ā§‡āĻ‡ āĻ•ā§‹āĻ¨ā§‹ āĻ…āĻĄāĻŋāĻ…'āĻŦā§āĻ• āĻ…āĻ¨āĻ˛āĻžāĻ‡āĻ¨ āĻŦāĻž āĻ…āĻĢāĻ˛āĻžāĻ‡āĻ¨āĻ¤ āĻļā§āĻ¨āĻŋāĻŦāĻ˛ā§ˆ āĻ¸ā§āĻŦāĻŋāĻ§āĻž āĻĻāĻŋāĻ¯āĻŧā§‡āĨ¤
āĻ˛ā§‡āĻĒāĻŸāĻĒ āĻ†ā§°ā§ āĻ•āĻŽā§āĻĒāĻŋāĻ‰āĻŸāĻžā§°
āĻ†āĻĒā§āĻ¨āĻŋ āĻ•āĻŽā§āĻĒāĻŋāĻ‰āĻŸāĻžā§°ā§° ā§ąā§‡āĻŦ āĻŦā§āĻ°āĻžāĻ‰āĻœāĻžā§° āĻŦā§āĻ¯ā§ąāĻšāĻžā§° āĻ•ā§°āĻŋ Google PlayāĻ¤ āĻ•āĻŋāĻ¨āĻž āĻ…āĻĄāĻŋāĻ…'āĻŦā§āĻ•āĻ¸āĻŽā§‚āĻš āĻļā§āĻ¨āĻŋāĻŦ āĻĒāĻžā§°ā§‡āĨ¤
āĻ‡-ā§°ā§€āĻĄāĻžā§° āĻ†ā§°ā§ āĻ…āĻ¨ā§āĻ¯ āĻĄāĻŋāĻ­āĻžāĻ‡āĻš
Kobo eReadersā§° āĻĻā§°ā§‡ āĻ‡-āĻšāĻŋā§ŸāĻžāĻāĻšā§€ā§° āĻĄāĻŋāĻ­āĻžāĻ‡āĻšāĻ¸āĻŽā§‚āĻšāĻ¤ āĻĒā§āĻŋāĻŦāĻ˛ā§ˆ, āĻ†āĻĒā§āĻ¨āĻŋ āĻāĻŸāĻž āĻĢāĻžāĻ‡āĻ˛ āĻĄāĻžāĻ‰āĻ¨āĻ˛â€™āĻĄ āĻ•ā§°āĻŋ āĻ¸ā§‡āĻ‡āĻŸā§‹ āĻ†āĻĒā§‹āĻ¨āĻžā§° āĻĄāĻŋāĻ­āĻžāĻ‡āĻšāĻ˛ā§ˆ āĻ¸ā§āĻĨāĻžāĻ¨āĻžāĻ¨ā§āĻ¤ā§°āĻŖ āĻ•ā§°āĻŋāĻŦ āĻ˛āĻžāĻ—āĻŋāĻŦāĨ¤ āĻ¸āĻŽā§°ā§āĻĨāĻŋāĻ¤ āĻ‡-ā§°āĻŋāĻĄāĻžā§°āĻ˛ā§ˆ āĻĢāĻžāĻ‡āĻ˛āĻŸā§‹ āĻ•ā§‡āĻ¨ā§‡āĻ•ā§ˆ āĻ¸ā§āĻĨāĻžāĻ¨āĻžāĻ¨ā§āĻ¤ā§° āĻ•ā§°āĻŋāĻŦ āĻœāĻžāĻ¨āĻŋāĻŦāĻ˛ā§ˆ āĻ¸āĻšāĻžāĻ¯āĻŧ āĻ•ā§‡āĻ¨ā§āĻĻā§ā§°āĻ¤ āĻĨāĻ•āĻž āĻ¸āĻŦāĻŋāĻļā§‡āĻˇ āĻ¨āĻŋā§°ā§āĻĻā§‡āĻļāĻžā§ąāĻ˛ā§€ āĻšāĻžāĻ“āĻ•āĨ¤