Evaluating the Language-Based Security for Plugin Development
- URL: http://arxiv.org/abs/2405.07448v1
- Date: Mon, 13 May 2024 03:12:24 GMT
- Title: Evaluating the Language-Based Security for Plugin Development
- Authors: Naisheng Liang, Alex Potanin,
- Abstract summary: We aim to enhance the understanding of access control vulnerabilities in plugins and explore effective security measures.
We developed and evaluated test plugins to assess the security mechanisms in popular development environments.
A comparative analysis is conducted to evaluate the effectiveness of capability-based systems in addressing access control vulnerabilities.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: With the increasing popularity of plugin-based software systems, ensuring the security of plugins has become a critical concern. When users install plugins or browse websites with plugins from an untrusted source, how can we be sure that they do have any undesirable functions implicitly? In this research, we present a comprehensive study on language-based security mechanisms for plugin development. We aim to enhance the understanding of access control vulnerabilities in plugins and explore effective security measures by introducing a capability-based system. We also developed and evaluated test plugins to assess the security mechanisms in popular development environments such as IntelliJ IDEA and Visual Studio Code by utilising Java, JavaScript, and associated APIs and frameworks. We also explore the concept of capability-based module systems as an alternative approach to plugin security. A comparative analysis is conducted to evaluate the effectiveness of capability-based systems in addressing access control vulnerabilities identified in earlier sections. Finally, recommendations for improving plugin security practices and tools will be presented, emphasizing the importance of robust security measures in the ever-evolving landscape of software plugins.
Related papers
- WebAssembly and Security: a review [0.8962460460173961]
We analyze 121 papers by identifying seven different security categories.
We aim to fill this gap by proposing a comprehensive review of research works dealing with security in WebAssembly.
arXiv Detail & Related papers (2024-07-17T03:37:28Z) - SETC: A Vulnerability Telemetry Collection Framework [0.0]
This paper introduces the Security Exploit Telemetry Collection (SETC) framework.
SETC generates reproducible vulnerability exploit data at scale for robust defensive security research.
This research enables scalable exploit data generation to drive innovations in threat modeling, detection methods, analysis techniques, and strategies.
arXiv Detail & Related papers (2024-06-10T00:13:35Z) - Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z) - A Survey of Third-Party Library Security Research in Application Software [3.280510821619164]
With the widespread use of third-party libraries, associated security risks and potential vulnerabilities are increasingly apparent.
Malicious attackers can exploit these vulnerabilities to infiltrate systems, execute unauthorized operations, or steal sensitive information.
Research on third-party libraries in software becomes paramount to address this growing security challenge.
arXiv Detail & Related papers (2024-04-27T16:35:02Z) - A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z) - Causative Insights into Open Source Software Security using Large
Language Code Embeddings and Semantic Vulnerability Graph [3.623199159688412]
Open Source Software (OSS) vulnerabilities can cause unauthorized access, data breaches, network disruptions, and privacy violations.
Recent deep-learning techniques have shown great promise in identifying and localizing vulnerabilities in source code.
Our study shows a 24% improvement in code repair capabilities compared to previous methods.
arXiv Detail & Related papers (2024-01-13T10:33:22Z) - Exploring Security Practices in Infrastructure as Code: An Empirical
Study [54.669404064111795]
Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools.
scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks.
Ensuring security relies on practitioners understanding and the adoption of explicit policies, guidelines, or best practices.
arXiv Detail & Related papers (2023-08-07T23:43:32Z) - Leveraging Traceability to Integrate Safety Analysis Artifacts into the
Software Development Process [51.42800587382228]
Safety assurance cases (SACs) can be challenging to maintain during system evolution.
We propose a solution that leverages software traceability to connect relevant system artifacts to safety analysis models.
We elicit design rationales for system changes to help safety stakeholders analyze the impact of system changes on safety.
arXiv Detail & Related papers (2023-07-14T16:03:27Z) - CodeLMSec Benchmark: Systematically Evaluating and Finding Security
Vulnerabilities in Black-Box Code Language Models [58.27254444280376]
Large language models (LLMs) for automatic code generation have achieved breakthroughs in several programming tasks.
Training data for these models is usually collected from the Internet (e.g., from open-source repositories) and is likely to contain faults and security vulnerabilities.
This unsanitized training data can cause the language models to learn these vulnerabilities and propagate them during the code generation procedure.
arXiv Detail & Related papers (2023-02-08T11:54:07Z) - Developing Hands-on Labs for Source Code Vulnerability Detection with AI [0.0]
We propose a framework including learning modules and hands on labs to guide future IT professionals towards developing secure programming habits.
This thesis our goal is to design learning modules with a set of hands on labs that will introduce students to secure programming practices using source code and log file analysis tools.
arXiv Detail & Related papers (2023-02-01T20:53:58Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.