On the use of C# Unsafe Code Context: An Empirical Study of Stack Overflow

Background. C# maintains type safety and security by disallowing direct, dangerous pointer arithmetic. To improve performance in special cases, pointer arithmetic is available in an unsafe context: programmers use the C# unsafe keyword to mark a code block that may use pointer arithmetic. In the Common Language Runtime (CLR), unsafe code is referred to as unverifiable code, and it becomes the programmer's responsibility to ensure that the encapsulated code is not dangerous. This raises the concern of whether programmers misuse that trust when they promote the use of the C# unsafe context.

Aim. We aim to analyze the prevalence and vulnerabilities of shared code examples that use the C# unsafe keyword on the Stack Overflow (SO) code-sharing platform.

Method. Using regular expressions and manual checks, we extracted posts relevant to C# unsafe code from SO and categorized them into software development scenarios.

Results. In the entire SO data dump of September 2018, we find 2,283 C# snippets with the unsafe keyword. Of those posts, 27% are about image processing, where unsafe code is mainly used for performance reasons. The second most popular category, with 21% of the code in the posts, is 'Interoperability': 'unsafe' is used to enable interoperability between C# managed code and unmanaged code. The 'stackalloc' operator, which allocates a block of memory on the stack, is the third category with 9% of unsafe code posts. Since C# 7.2, Microsoft recommends against using 'stackalloc' in an unsafe context whenever possible. Manual inspection shows 67 code snippets with dangerous functions that can introduce a vulnerability (e.g., a buffer overflow) if not used with caution. Finally, 35% of the 'Interoperability' posts that have the 'P/Invoke' tag use it outside the NativeMethods class, which is contrary to Microsoft's design suggestion.

Conclusion. Our study leads to 7 main findings, and these findings show the importance of using this feature cautiously.
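The stackalloc recommendation in the Results, as an added example that is not taken from the paper or from any Stack Overflow post: the same 16-byte stack buffer filled through a raw pointer in an unsafe context and through Span<byte> in safe code. The class and method names are hypothetical, and the unsafe method assumes the project is built with AllowUnsafeBlocks enabled.

```csharp
using System;

static class StackallocDemo   // hypothetical name, for illustration only
{
    const int Size = 16;

    // Unsafe context: stackalloc yields a raw byte*, so the runtime performs
    // no bounds check. The explicit range test is the only thing that keeps
    // a large 'count' from writing past the buffer on the stack.
    static unsafe byte UnsafeFill(int count)
    {
        if (count < 0 || count > Size)
            throw new ArgumentOutOfRangeException(nameof(count));

        byte* buf = stackalloc byte[Size];
        for (int i = 0; i < count; i++)
            buf[i] = (byte)i;                 // unchecked pointer write
        return count == 0 ? (byte)0 : buf[count - 1];
    }

    // Safe context (C# 7.2 and later): the same allocation assigned to a
    // Span<byte>. Every index is checked, so an oversized 'count' raises
    // IndexOutOfRangeException instead of corrupting adjacent stack memory.
    static byte SafeFill(int count)
    {
        Span<byte> buf = stackalloc byte[Size];
        for (int i = 0; i < count; i++)
            buf[i] = (byte)i;                 // bounds-checked write
        return count <= 0 ? (byte)0 : buf[count - 1];
    }

    static void Main()
    {
        Console.WriteLine(UnsafeFill(Size));  // in range: both forms agree
        Console.WriteLine(SafeFill(Size));

        try
        {
            SafeFill(Size * 2);               // out of range on purpose
        }
        catch (IndexOutOfRangeException)
        {
            Console.WriteLine("Span rejected the out-of-range write");
        }
    }
}
```

With the range test removed from UnsafeFill, the oversized call would compile and run without any exception, which is the buffer overflow risk the abstract describes.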
