Stack Overflow Considered Helpful! Deep Learning Security Nudges Towards Stronger Cryptography

Authors: 

Felix Fischer, Technical University of Munich; Huang Xiao, Bosch Center for Artificial Intelligence; Ching-Yu Kao, Fraunhofer AISEC; Yannick Stachelscheid, Benjamin Johnson, and Danial Raza, Technical University of Munich; Paul Fawkesley and Nat Buckley, Projects by IF; Konstantin Böttinger, Fraunhofer AISEC; Paul Muntean and Jens Grossklags, Technical University of Munich

Abstract: 

Stack Overflow is the most popular discussion platform for software developers. Recent research found a large amount of insecure encryption code in production systems that has been inspired by examples given on Stack Overflow. By copying and pasting functional code, developers introduced exploitable software vulnerabilities into security-sensitive high-profile applications installed by millions of users every day. Proposed mitigations of this problem suffer from usability flaws and push developers to continue shopping for code examples on Stack Overflow once again. This points us to fighting the proliferation of insecure code directly at the root before it even reaches the clipboard. By viewing Stack Overflow as a market, implementation of cryptography becomes a decision-making problem: i. e. how to simplify the selection of helpful and secure examples. We focus on supporting software developers in making better decisions by applying nudges, a concept borrowed from behavioral science. This approach is motivated by one of our key findings: for 99.37% of insecure code examples on Stack Overflow, similar alternatives are available that serve the same use case and provide strong cryptography. Our system design is based on several nudges that are controlled by a deep neural network. It learns a representation for cryptographic API usage patterns and classification of their security, achieving average AUC-ROC of 0.992. With a user study we demonstrate that nudge-based security advice significantly helps tackling the most popular and error-prone cryptographic use cases in Android.

USENIX Security '19 Open Access Videos Sponsored by
King Abdullah University of Science and Technology (KAUST)

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {235481,
author = {Felix Fischer and Huang Xiao and Ching-Yu Kao and Yannick Stachelscheid and Benjamin Johnson and Danial Razar and Paul Fawkesley and Nat Buckley and Konstantin B{\"o}ttinger and Paul Muntean and Jens Grossklags},
title = {Stack Overflow Considered Helpful! Deep Learning Security Nudges Towards Stronger Cryptography},
booktitle = {28th {USENIX} Security Symposium ({USENIX} Security 19)},
year = {2019},
isbn = {978-1-939133-06-9},
address = {Santa Clara, CA},
pages = {339--356},
url = {https://www.usenix.org/conference/usenixsecurity19/presentation/fischer},
publisher = {{USENIX} Association},
month = aug,
}

Presentation Video