M. Menard, Tommy Nelson, Milan Shahi, Hugh Morton, Adam DeTavernier, Harvey P. Siy, Rui Zhao, Myoungkyu Song
Title: A Feasibility Study of Using Code Clone Detection for Secure Programming Education
DOI: 10.1109/COMPSAC54236.2022.00238 (https://doi.org/10.1109/COMPSAC54236.2022.00238)
Published in: 2022 IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC), June 2022
Citation count: 0
Abstract
Secure library reuse is critical for modern applications to protect private information in software security engineering. Teaching secure programming is also increasingly critical to tackle the challenges of new and evolving threats. However, novice students often make API-misuse mistakes due to a lack of understanding of secure libraries or a false sense of security. In this paper, we study the feasibility of applying code clone detection (CCD) for finding relevant examples to effectively teach secure programming to computer science students. CCD is an emerging technology that extracts syntactically or semantically similar code fragments to support many software engineering tasks, such as program understanding, code quality analysis, software evolution analysis, and bug detection. We have developed a prototype implementation, ExTUTOR, that allows students to search for relevant examples as feedback when they want to fix their programming issues or vulnerabilities. In our evaluation, we applied ExTUTOR to open source subject applications in the security domain. Our approach should help novice students benefit from feedback and identify how to effectively make use of APIs, encouraging students to fix the security violations in their own applications.
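The abstract describes the idea of retrieving similar code fragments as feedback for a student's API misuse but gives no detail of the matching. The following is an added illustration of that idea, not ExTUTOR's own code: a small token-based clone detector that normalises a student's fragment (variable names to ID, numbers to NUM, keeping method names, type names and string literals because those carry the API-misuse signal), compares it to a labelled example corpus by 3-gram Jaccard similarity, and returns the closest entry together with its fix hint. The corpus, the two student fragments and the hint texts are constructed for this example; the AES entries rest on the documented JCA behaviour that Cipher.getInstance("AES") resolves to AES/ECB/PKCS5Padding on the standard providers.

```python
"""Token-based code clone retrieval for secure-programming feedback.

Added illustration for this page, not ExTUTOR's own code. The corpus and the
two student fragments are constructed for the example. The AES entries rely on
the documented JCA behaviour that Cipher.getInstance("AES") resolves to
"AES/ECB/PKCS5Padding" on the standard providers.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# One pass: string literals, numbers, identifiers, then single punctuation chars.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|\d+|[A-Za-z_]\w*|[^\s\w]')
KEYWORDS = {"new", "return", "byte", "int", "long", "void", "if", "else",
            "for", "while", "final", "static", "public", "private", "throws"}


def tokenize(src: str) -> List[str]:
    return TOKEN_RE.findall(src)


def normalize(tokens: List[str]) -> List[str]:
    """Type-2 style normalisation that keeps the security-relevant signal.

    Local variable names become ID and numbers become NUM, so renaming cannot
    hide a clone. Method names (followed by "("), members (preceded by "."),
    capitalised type names and string literals are kept: for API misuse the
    call and its arguments (e.g. the transformation string) are exactly what
    separates the insecure form from the fixed one.
    """
    out = []
    for i, tok in enumerate(tokens):
        prev_tok = tokens[i - 1] if i else ""
        next_tok = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.isdigit():
            out.append("NUM")
        elif re.fullmatch(r"[A-Za-z_]\w*", tok):
            keep = (tok in KEYWORDS or next_tok == "(" or prev_tok == "."
                    or tok[0].isupper())
            out.append(tok if keep else "ID")
        else:
            out.append(tok)
    return out


def shingles(tokens: List[str], n: int = 3) -> Set[Tuple[str, ...]]:
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a: Set, b: Set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def find_clones(query: str, corpus: List[Dict[str, str]], n: int = 3,
                threshold: float = 0.2) -> List[Tuple[str, float]]:
    """Rank corpus entries by shingle similarity to the student's fragment.

    Entries under `threshold` are dropped so the student is not shown unrelated
    code that merely shares generic shingles such as ("ID", ")", ";").
    """
    q = shingles(normalize(tokenize(query)), n)
    ranked = []
    for entry in corpus:
        score = jaccard(q, shingles(normalize(tokenize(entry["code"])), n))
        if score >= threshold:
            ranked.append((entry["id"], round(score, 3)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def feedback(query: str, corpus: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the closest example and its hint, or None if nothing is similar."""
    ranked = find_clones(query, corpus)
    if not ranked:
        return None
    best = next(e for e in corpus if e["id"] == ranked[0][0])
    return {"match": best["id"], "tag": best["tag"], "hint": best["hint"]}


# Constructed example corpus: each insecure pattern sits next to its fixed form.
CORPUS = [
    {"id": "aes-default-transformation", "tag": "insecure",
     "code": 'Cipher c = Cipher.getInstance("AES");\n'
             'c.init(Cipher.ENCRYPT_MODE, key);\n'
             'byte[] out = c.doFinal(data);',
     "hint": 'Cipher.getInstance("AES") means AES/ECB/PKCS5Padding; '
             'use an explicit AEAD transformation, see aes-gcm-explicit-iv.'},
    {"id": "aes-gcm-explicit-iv", "tag": "secure",
     "code": 'byte[] iv = new byte[12];\n'
             'new SecureRandom().nextBytes(iv);\n'
             'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n'
             'c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));\n'
             'byte[] out = c.doFinal(data);',
     "hint": "AES-GCM with a fresh random 12-byte IV per encryption."},
    {"id": "sql-string-concat", "tag": "insecure",
     "code": 'String q = "SELECT * FROM users WHERE name = \'" + name + "\'";\n'
             'ResultSet rs = stmt.executeQuery(q);',
     "hint": "User input concatenated into SQL; use a PreparedStatement with "
             "? placeholders, see sql-prepared-statement."},
    {"id": "sql-prepared-statement", "tag": "secure",
     "code": 'PreparedStatement ps = conn.prepareStatement('
             '"SELECT * FROM users WHERE name = ?");\n'
             'ps.setString(1, name);\n'
             'ResultSet rs = ps.executeQuery();',
     "hint": "Parameterised query; the driver keeps data out of the SQL text."},
]

# Constructed student fragments: same API misuse, different variable names.
STUDENT_AES = ('Cipher cipher = Cipher.getInstance("AES");\n'
               'cipher.init(Cipher.ENCRYPT_MODE, secretKey);\n'
               'byte[] ciphertext = cipher.doFinal(plaintext);')
STUDENT_SQL = ('String sql = "SELECT * FROM accounts WHERE owner = \'" + owner + "\'";\n'
               'ResultSet r = st.executeQuery(sql);')

if __name__ == "__main__":
    for snippet in (STUDENT_AES, STUDENT_SQL):
        print(find_clones(snippet, CORPUS), feedback(snippet, CORPUS))
```

The renamed AES fragment matches the insecure corpus entry exactly (score 1.0) and the GCM fix second, so the student sees both the pattern they wrote and the corrected form next to it; the SQL fragment still ranks the concatenation example first even though its query text differs, because the literal only accounts for three of the shingles. The caveat a practitioner should keep in mind is visible in the design: keeping string literals is what lets the detector tell "AES" from "AES/GCM/NoPadding", but it also means two fragments that differ only in their SQL text score below 1.0, and a fragment whose closest clone is itself an insecure example must be flagged as such rather than presented as a model answer, which is why each corpus entry carries a tag.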