
UNGOML: Automated Classification of unsafe Usages in Go

Wickert, Anna-Katharina ; Damke, Clemens ; Baumgärtner, Lars ; Hüllermeier, Eyke ; Mezini, Mira (2023)
UNGOML: Automated Classification of unsafe Usages in Go.
20th International Conference on Mining Software Repositories (MSR 2023). Melbourne, Australia (15.05.2023-16.05.2023)
Conference publication, Bibliography

Abstract

The Go programming language offers strong protection from memory corruption. As an escape hatch from these protections, it provides the unsafe package. Previous studies identified that this unsafe package is frequently used in real-world code for several purposes, e.g., serialization or casting types. Due to the variety of these reasons, it may be possible to refactor specific usages to avoid potential vulnerabilities. However, the classification of unsafe usages is challenging and requires the context of the call and the program’s structure. In this paper, we present the first automated classifier for unsafe usages in Go, UNGOML, to identify what is done with the unsafe package and why it is used. For UNGOML, we built four custom deep-learning classifiers trained on a manually labeled data set. We represent Go code as enriched control-flow graphs (CFGs) and solve the label prediction task with one single-vertex and three context-aware classifiers. All three context-aware classifiers achieve a top-1 accuracy of more than 86% for both dimensions, WHAT and WHY. Furthermore, in a set-valued conformal prediction setting, we achieve accuracies of more than 93% with mean label set sizes of 2 for both dimensions. Thus, UNGOML can be used to efficiently filter unsafe usages for use cases such as refactoring or a security audit.
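
The abstract names serialization and type casting as the most common reasons for reaching for the unsafe package, and argues that many such usages can be refactored. The following Go program is an added illustration of that point and is not code from the paper or its artifact: it shows the cast-for-serialization idiom next to a refactoring with encoding/binary, and the failure mode (a truncated buffer) that the safe version catches and the unsafe version does not. The `Header` type, its field values, the helper names and the sample bytes are constructed for this example; the WHAT/WHY labels in the comments borrow the abstract's terminology only as commentary.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"unsafe"
)

// Header is a constructed example record: 4 + 2 + 2 bytes with alignment 4,
// so unsafe.Sizeof(Header{}) is 8 on every platform and there is no padding.
type Header struct {
	Magic   uint32
	Version uint16
	Flags   uint16
}

const headerSize = 8

// unsafeSerialize reinterprets the struct's memory as a byte slice
// (WHAT: cast, WHY: serialization). The result aliases h, follows the host's
// byte order and the compiler's field layout, and for a struct with padding
// it would also expose the padding bytes.
func unsafeSerialize(h *Header) []byte {
	return unsafe.Slice((*byte)(unsafe.Pointer(h)), int(unsafe.Sizeof(*h)))
}

// unsafeDeserialize is the reverse cast. Nothing checks len(buf): a buffer
// shorter than the struct makes this read past the slice's backing array,
// and Go's bounds checks do not cover the pointer arithmetic.
func unsafeDeserialize(buf []byte) Header {
	return *(*Header)(unsafe.Pointer(&buf[0]))
}

// safeSerialize is the refactoring: an explicit little-endian encoding with
// encoding/binary that is independent of host endianness and struct layout.
func safeSerialize(h Header) []byte {
	buf := make([]byte, headerSize)
	binary.LittleEndian.PutUint32(buf[0:4], h.Magic)
	binary.LittleEndian.PutUint16(buf[4:6], h.Version)
	binary.LittleEndian.PutUint16(buf[6:8], h.Flags)
	return buf
}

var errShort = errors.New("buffer shorter than header")

// safeDeserialize rejects short input instead of reading out of bounds.
func safeDeserialize(buf []byte) (Header, error) {
	if len(buf) < headerSize {
		return Header{}, fmt.Errorf("%w: got %d bytes, need %d", errShort, len(buf), headerSize)
	}
	return Header{
		Magic:   binary.LittleEndian.Uint32(buf[0:4]),
		Version: binary.LittleEndian.Uint16(buf[4:6]),
		Flags:   binary.LittleEndian.Uint16(buf[6:8]),
	}, nil
}

// nativeLittleEndian reports the host byte order. The unsafe encoding equals
// the safe one only when this returns true.
func nativeLittleEndian() bool {
	x := uint16(1)
	return *(*byte)(unsafe.Pointer(&x)) == 1
}

func main() {
	h := Header{Magic: 0xCAFEBABE, Version: 3, Flags: 0x8001}
	ub := unsafeSerialize(&h)
	sb := safeSerialize(h)
	fmt.Printf("unsafe: %x\nsafe:   %x\nidentical on this host: %v\n", ub, sb, bytes.Equal(ub, sb))
	fmt.Println("unsafe round trip ok:", unsafeDeserialize(ub) == h)

	// The unsafe cast would silently accept a truncated buffer; the safe
	// decoder reports it.
	if _, err := safeDeserialize(sb[:5]); err != nil {
		fmt.Println("safe:", err)
	}
}
```

On a little-endian host the two encodings coincide, which is why casts like this survive in real code until a big-endian build, a padded struct or a truncated input exposes the difference; the safe decoder is also the only one of the two that can report a short buffer instead of reading beyond it.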

Entry type: Conference publication
Published: 2023
Author(s): Wickert, Anna-Katharina ; Damke, Clemens ; Baumgärtner, Lars ; Hüllermeier, Eyke ; Mezini, Mira
Record type: Bibliography
Title: UNGOML: Automated Classification of unsafe Usages in Go
Language: English
Publication date: 15 May 2023
Event title: 20th International Conference on Mining Software Repositories (MSR 2023)
Event location: Melbourne, Australia
Event dates: 15.05.2023-16.05.2023

Uncontrolled keywords: Engineering, E1, Software Technology Group (STG)
Department(s)/division(s): 20 Department of Computer Science
20 Department of Computer Science > Software Engineering
DFG Collaborative Research Centres (incl. Transregio)
DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres
DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > SFB 1119: CROSSING – Cryptography-based security solutions as a basis for trust in current and future IT systems
Deposit date: 11 Jul 2023 08:42
Last modified: 14 Jul 2023 13:04
PPN: 509681530