Annual Computer Security Applications Conference (ACSAC) 2021


Dicos: Discovering Insecure Code Snippets from Stack Overflow Posts by Leveraging User Discussions

Online Q&A forums such as Stack Overflow help developers solve the coding problems they face. Despite these advantages, Stack Overflow can also provide insecure code snippets that, if reused, can compromise the security of the entire software. We present Dicos, an accurate approach that discovers insecure code snippets by examining the change history of Stack Overflow posts. When a security issue is detected in a post, the insecure code is fixed through user discussions, leaving a change history. Inspired by this process, Dicos first extracts the change history from a Stack Overflow post, and then analyzes whether that history contains security patches, using pre-selected features that effectively identify such patches. Finally, when such a change is detected, Dicos determines that the code snippet before the security patch was applied is an insecure code snippet. We evaluated Dicos on 987,367 Stack Overflow posts tagged with C/C++; Dicos discovered 11,175 insecure code snippets with 92% precision and 91% recall. We further confirmed that the latest versions of 151 out of 2,000 popular open-source software projects contain at least one insecure code snippet taken from Stack Overflow that Dicos discovered. Our proposed approach, Dicos, can help prevent further propagation of insecure code and thus create a safe code reuse environment.
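The pipeline sketched in the abstract (walk the revision history of a post, decide per revision whether the edit looks like a security patch, and report the pre-patch snippet as insecure) can be illustrated with a small, self-contained script. The following Python is an added example written for this page; it is not the Dicos implementation and does not reproduce the paper's pre-selected features. The feature table (unsafe C calls replaced by bounded variants, added NULL or length checks, added `free`) is a hypothetical stand-in for whatever features the paper actually uses, and the revision history is a constructed sample, not data from Stack Overflow.

```python
import difflib
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical feature table (assumption, not the paper's feature set):
# an unsafe C call disappearing while one of its bounded variants appears.
UNSAFE_TO_SAFE: Dict[str, Set[str]] = {
    "strcpy": {"strncpy", "strlcpy", "snprintf"},
    "strcat": {"strncat", "strlcat"},
    "sprintf": {"snprintf"},
    "gets": {"fgets"},
}

# Hypothetical check patterns (assumption), matched only against lines
# that the revision added, so pre-existing checks do not count.
CHECK_PATTERNS = {
    "added_null_check": re.compile(r"\bif\s*\(.*\b(NULL|nullptr)\b"),
    "added_bounds_check": re.compile(
        r"\bif\s*\(.*(<=?|>=?)\s*(sizeof|\w*(len|size|cap)\w*)\b"),
}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# C keywords that look like calls to CALL_RE but are not.
KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}


@dataclass
class Finding:
    revision: int            # index of the revision that applied the patch
    features: List[str]      # which patch features fired
    insecure_snippet: str    # the snippet as it was before the patch


def called_functions(code: str) -> Set[str]:
    """Names that appear in call position, keywords excluded."""
    return set(CALL_RE.findall(code)) - KEYWORDS


def added_lines(before: str, after: str) -> List[str]:
    """Lines introduced by the revision, taken from a zero-context unified diff."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def patch_features(before: str, after: str) -> List[str]:
    """Return the security-patch features detected between two revisions."""
    features: List[str] = []
    removed = called_functions(before) - called_functions(after)
    added = called_functions(after) - called_functions(before)

    # Feature 1: unsafe API replaced by a bounded variant.
    for unsafe in sorted(removed & UNSAFE_TO_SAFE.keys()):
        safer = added & UNSAFE_TO_SAFE[unsafe]
        if safer:
            features.append(f"unsafe_api_replaced:{unsafe}->{sorted(safer)[0]}")

    # Feature 2: a NULL or bounds check introduced in the added lines.
    new_lines = added_lines(before, after)
    for name, pattern in CHECK_PATTERNS.items():
        if any(pattern.search(line) for line in new_lines):
            features.append(name)

    # Feature 3: a previously missing free() added (leak / lifetime fix).
    if "free" in added:
        features.append("added_free")
    return features


def find_insecure_snippets(revisions: List[str]) -> List[Finding]:
    """Walk consecutive revisions; the pre-patch version of any revision
    that carries patch features is reported as insecure."""
    findings: List[Finding] = []
    for i in range(1, len(revisions)):
        feats = patch_features(revisions[i - 1], revisions[i])
        if feats:
            findings.append(Finding(i, feats, revisions[i - 1]))
    return findings


# Constructed revision history of one (fictional) answer: revision 1 is a
# cosmetic edit, revision 2 is the fix prompted by a commenter.
SAMPLE_REVISIONS = [
    "char buf[64];\nstrcpy(buf, input);\nprintf(\"%s\\n\", buf);\n",
    "char buf[64];\nstrcpy(buf, input); /* copy */\nprintf(\"%s\\n\", buf);\n",
    "char buf[64];\nif (strlen(input) < sizeof buf) {\n"
    "    strncpy(buf, input, sizeof buf - 1);\n"
    "    buf[sizeof buf - 1] = '\\0';\n}\nprintf(\"%s\\n\", buf);\n",
]

if __name__ == "__main__":
    for f in find_insecure_snippets(SAMPLE_REVISIONS):
        print(f"revision {f.revision} looks like a security patch: {f.features}")
        print("insecure snippet before the patch:\n" + f.insecure_snippet)
```

Running it on the constructed history flags only the transition into revision 2 (the unsafe `strcpy` is replaced by `strncpy` and a length check is added), and reports revision 1 as the insecure snippet; the cosmetic edit between revisions 0 and 1 produces no features. A real classifier would combine many such features with a learned or tuned threshold rather than firing on any single one, and would need to filter the noise that consecutive small edits generate.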

Hyunji Hong
Korea University

Seunghoon Woo
Korea University

Heejo Lee
Korea University
