Dicos: Discovering Insecure Code Snippets from Stack Overflow Posts by Leveraging User Discussions

Hyunji Hong, Seunghoon Woo, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Online Q&A fora such as Stack Overflow help developers solve the coding problems they face. Despite these advantages, Stack Overflow can also provide insecure code snippets that, if reused, can compromise the security of the entire software. We present Dicos, an accurate approach that discovers insecure code snippets by examining the change history of Stack Overflow posts. When a security issue is detected in a post, the insecure code is fixed through user discussion, leaving a change history. Inspired by this process, Dicos first extracts the change history from a Stack Overflow post and then analyzes whether the history contains security patches, using pre-selected features that can effectively identify such patches. Finally, when such changes are detected, Dicos determines that the code snippet before the security patch was applied is insecure. To evaluate Dicos, we collected 1,958,283 Stack Overflow posts tagged with C, C++, and Android. When we applied Dicos to the collected posts, it discovered 12,458 insecure posts (i.e., 14,719 insecure code snippets) with 91% precision and 93% recall. We further confirmed that the latest versions of 151 out of 2,000 popular C/C++ open-source software projects contain at least one insecure code snippet taken from Stack Overflow, as discovered by Dicos. Our proposed approach, Dicos, can contribute to preventing the further propagation of insecure code and thus to creating a safe code reuse environment.

Original language: English
Title of host publication: Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021
Publisher: Association for Computing Machinery
Pages: 194-206
Number of pages: 13
ISBN (Electronic): 9781450385794
DOIs
Publication status: Published - 2021 Dec 6
Event: 37th Annual Computer Security Applications Conference, ACSAC 2021 - Virtual, Online, United States
Duration: 2021 Dec 6 to 2021 Dec 10

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 37th Annual Computer Security Applications Conference, ACSAC 2021
Country/Territory: United States
City: Virtual, Online
Period: 21/12/6 to 21/12/10

Keywords

  • Insecure code snippet discovery
  • Q&A forum
  • Software security

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software
