28/10/2020 – Talk: “Fixing Vulnerabilities Automatically With Linters” By Willard Rafnsson

Willard Rafnsson will give a talk about fixing vulnerabilities automatically with linters. Details below.


Willard Rafnsson, Assistant Professor, ITU.


Fixing Vulnerabilities Automatically with Linters


Static analysis is a tried-and-tested approach to eliminate vulnerabilities in software. However, despite decades of successful use by experts, mainstream programmers often deem static analysis too costly to use. Mainstream programmers do routinely use linters, which are static analysis tools geared towards identifying simple bugs and stylistic issues in software. Can linters serve as a medium for delivering vulnerability detection to mainstream programmers?

We investigate the extent of which linters can be leveraged to help programmers write secure software. We present new rules for ESLint that detect—and automatically fix—certain classes of cross-site scripting, SQL injection, and misconfiguration vulnerabilities in JavaScript. Evaluating our experience, we find that there is enormous potential in using linters to eliminate vulnerabilities in software, due to the relative ease with which linter rules can be implemented and shared to the community. We identify several open challenges, including third-party library dependencies and linter configuration, and propose ways to address them.

This talk presents a paper by the same name, co-authored by Rosario Giustolisi, Mark Kragerup, and Matthias Høyrup, and published at Network & System Security this year (NSS2020). A preprint is available here: http://research.precise.li/pub/2020nss/2020nss-rafnsson-giustolisi-kragerup-hoeyrup.pdf