Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Detecting Vulnerabilities in Encrypted Software Code while Ensuring Code Privacy

Jorge Martins, David Dantas, Rafael Ramires, Bernardo Ferreira, Ibéria Medeiros

TL;DR

This work tackles the privacy risk of outsourced software code analysis by introducing Confidential Code Analysis (CCA) and the CoCoA tool, which enables static analysis on encrypted code without exposing source content. It combines Static Code Analysis with a tailored SSE-based inverted index of a Data and Control Flow Graph (DCFG) to support vulnerability detection (e.g., SQLi, XSS) in PHP applications. The authors formalize CCA, present a two-phase architecture (Code Privacy and Code Analysis), implement CoCoA, and show that it achieves comparable precision to non-confidential tools while incurring a modest average overhead of 42.7% (and higher with additional cryptographic features). This approach preserves code privacy in security testing workflows and defines a path toward broader Confidential Code Analysis applications in DevSecOps contexts.

Abstract

Software vulnerabilities continue to be the main cause of occurrence for cyber attacks. In an attempt to reduce them and improve software quality, software code analysis has emerged as a service offered by companies specialising in software testing. However, this service requires software companies to provide access to their software's code, which raises concerns about code privacy and intellectual property theft. This paper presents a novel approach to Software Quality and Privacy, in which testing companies can perform code analysis tasks on encrypted software code provided by software companies while code privacy is preserved. The approach combines Static Code Analysis and Searchable Symmetric Encryption in order to process the source code and build an encrypted inverted index that represents its data and control flows. The index is then used to discover vulnerabilities by carrying out static analysis tasks in a confidential way. With this approach, this paper also defines a new research field -- Confidential Code Analysis --, from which other types of code analysis tasks and approaches can be derived. We implemented the approach in a new tool called CoCoA and evaluated it experimentally with synthetic and real PHP web applications. The results show that the tool has similar precision as standard (non-confidential) static analysis tools and a modest average performance overhead of 42.7%.

Detecting Vulnerabilities in Encrypted Software Code while Ensuring Code Privacy

TL;DR

This work tackles the privacy risk of outsourced software code analysis by introducing Confidential Code Analysis (CCA) and the CoCoA tool, which enables static analysis on encrypted code without exposing source content. It combines Static Code Analysis with a tailored SSE-based inverted index of a Data and Control Flow Graph (DCFG) to support vulnerability detection (e.g., SQLi, XSS) in PHP applications. The authors formalize CCA, present a two-phase architecture (Code Privacy and Code Analysis), implement CoCoA, and show that it achieves comparable precision to non-confidential tools while incurring a modest average overhead of 42.7% (and higher with additional cryptographic features). This approach preserves code privacy in security testing workflows and defines a path toward broader Confidential Code Analysis applications in DevSecOps contexts.

Abstract

Software vulnerabilities continue to be the main cause of occurrence for cyber attacks. In an attempt to reduce them and improve software quality, software code analysis has emerged as a service offered by companies specialising in software testing. However, this service requires software companies to provide access to their software's code, which raises concerns about code privacy and intellectual property theft. This paper presents a novel approach to Software Quality and Privacy, in which testing companies can perform code analysis tasks on encrypted software code provided by software companies while code privacy is preserved. The approach combines Static Code Analysis and Searchable Symmetric Encryption in order to process the source code and build an encrypted inverted index that represents its data and control flows. The index is then used to discover vulnerabilities by carrying out static analysis tasks in a confidential way. With this approach, this paper also defines a new research field -- Confidential Code Analysis --, from which other types of code analysis tasks and approaches can be derived. We implemented the approach in a new tool called CoCoA and evaluated it experimentally with synthetic and real PHP web applications. The results show that the tool has similar precision as standard (non-confidential) static analysis tools and a modest average performance overhead of 42.7%.
Paper Structure (32 sections, 4 figures, 6 tables)

This paper contains 32 sections, 4 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Confidential Code Analysis
  3. Formal Definition
  4. Adversary Model
  5. CoCoA Challenges and Overview
  6. Challenges
  7. Overview
  8. Code Privacy Phase
  9. Lexer
  10. ITL Translator
  11. ITL-Tokens & Rules and Task Knowledge Databases
  12. Translation process
  13. Relationship Finder
  14. Data Dependency and Bottom-up Data Flow
  15. Control Flow
  16. ...and 17 more sections

Figures (4)

  • Figure 1: CoCoA's architecture.
  • Figure 1: A PHP program with various control flow branches and with different depths, orders and types, and their values.
  • Figure 2: Example of executing CoCoA for the XSS vulnerability detection analysis task in PHP.
  • Figure 3: Storage space used by the source code and the encrypted data structure, in bytes.