Stack Overflow Considered Helpful! Deep Learning Security Nudges Towards Stronger Cryptography

Stack Overflow is the most popular discussion platform for software developers. However, recent research identified a large amount of insecure encryption code in production systems that has been inspired by examples given on Stack Overflow. By copying and pasting functional code, developers introduced exploitable software vulnerabilities into security-sensitive high-profile applications installed by millions of users every day. Proposed mitigations of this problem suffer from usability flaws and push developers to continue shopping for code examples on Stack Overflow once again. This motivates us to fight the proliferation of insecure code directly at the root before it even reaches the clipboard. By viewing Stack Overflow as a market, implementation of cryptography becomes a decision-making problem. In this context, our goal is to simplify the selection of helpful and secure examples. More specifically, we focus on supporting software developers in making better decisions on Stack Overflow by applying nudges, a concept borrowed from behavioral economics and psychology. This approach is motivated by one of our key findings: For 99.37% of insecure code examples on Stack Overflow, similar alternatives are available that serve the same use case and provide strong cryptography. Our system design that modifies Stack Overflow is based on several nudges that are controlled by a deep neural network. It learns a representation for cryptographic API usage patterns and classification of their security, achieving average AUC-ROC of 0.992. With a user study, we demonstrate that nudge-based security advice significantly helps tackling the most popular and error-prone cryptographic use cases in Android.

[1]  David Brumley,et al.  An empirical study of cryptographic misuse in android applications , 2013, CCS.

[2]  Yang Wang,et al.  Nudges for Privacy and Security , 2017, ACM Comput. Surv..

[3]  Yang Wang,et al.  Privacy nudges for social media: an exploratory Facebook study , 2013, WWW.

[4]  Simson L. Garfinkel,et al.  Comparing the Usability of Cryptographic APIs , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[5]  Heng Yin,et al.  Scalable Graph-based Bug Search for Firmware Images , 2016, CCS.

[6]  G. Kalyanaram,et al.  Nudge: Improving Decisions about Health, Wealth, and Happiness , 2011 .

[7]  Michael Backes,et al.  You Get Where You're Looking for: The Impact of Information Sources on Code Security , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[8]  Mira Mezini,et al.  CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs , 2018, IEEE Transactions on Software Engineering.

[9]  Laurie J. Hendren,et al.  Enabling static analysis for partial java programs , 2008, OOPSLA.

[10]  Alessandro Acquisti,et al.  Nudging Privacy: The Behavioral Economics of Personal Information , 2009, IEEE Security & Privacy.

[11]  Cass R. Sunstein,et al.  Nudging: A Very Short Guide , 2014 .

[12]  Shouhuai Xu,et al.  VulDeePecker: A Deep Learning-Based System for Vulnerability Detection , 2018, NDSS.

[13]  Norman M. Sadeh,et al.  Reconciling mobile app privacy and usability on smartphones: could user privacy profiles help? , 2014, WWW.

[14]  Felix A. Fischer,et al.  How Reliable is the Crowdsourced Knowledge of Security Implementation? , 2019, 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE).

[15]  Rainer Böhme,et al.  The security cost of cheap user interaction , 2011, NSPW '11.

[16]  Michael Backes,et al.  A Stitch in Time: Supporting Android Developers in WritingSecure Code , 2017, CCS.

[17]  Adrienne Porter Felt,et al.  Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors , 2017, CCS.

[18]  Le Song,et al.  Discriminative Embeddings of Latent Variable Models for Structured Data , 2016, ICML.

[19]  Ananthram Swami,et al.  Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks , 2015, 2016 IEEE Symposium on Security and Privacy (SP).

[20]  Michael Backes,et al.  Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[21]  Shin Ishii,et al.  Distributional Smoothing by Virtual Adversarial Examples , 2015, ICLR.

[22]  Matthew Smith,et al.  Rethinking SSL development in an appified world , 2013, CCS.

[23]  Bernd Freisleben,et al.  Why eve and mallory love android: an analysis of android SSL (in)security , 2012, CCS.

[24]  Alvaro A. Cárdenas,et al.  Nudge: intermediaries' role in interdependent network security , 2010, SAC '10.

[25]  Matthew Smith,et al.  To Pin or Not to Pin-Helping App Developers Bullet Proof Their TLS Connections , 2015, USENIX Security Symposium.

[26]  Stuart E. Schechter,et al.  Common Pitfalls in Writing about Security and Privacy Human Subjects Experiments, and How to Avoid Them , 2013 .

[27]  Alessandro Acquisti,et al.  Follow My Recommendations: A Personalized Privacy Assistant for Mobile App Permissions , 2016, SOUPS.

[28]  Sunny Consolvo,et al.  Rethinking Connection Security Indicators , 2016, SOUPS.

[29]  Alessandro Acquisti,et al.  Nudging Users Towards Privacy on Mobile Devices , 2011 .

[30]  François Laviolette,et al.  Domain-Adversarial Training of Neural Networks , 2015, J. Mach. Learn. Res..

[31]  Lorrie Faith Cranor,et al.  Your Location has been Shared 5,398 Times!: A Field Study on Mobile App Privacy Nudging , 2015, CHI.

[32]  Yuriy Brun,et al.  API Blindspots: Why Experienced Developers Write Vulnerable Code , 2018, SOUPS @ USENIX Security Symposium.