Detecting Vulnerabilities in Encrypted Software Code while Ensuring Code Privacy

Software vulnerabilities continue to be the primary cause of cyberattacks. It is crucial to identify vulnerabilities in applications' source code before attackers gain access to them and exploit any vulnerability they may contain. Developers have used static analysis tools (SATs) to find vulnerabilities in unprotected application code, and software testing companies have started offering software code analysis as a service to assist developers in these findings. Such services require access to unprotected code, which raises concerns about its privacy and intellectual property theft. Attackers can also perform this analysis using similar tools, if they gain access to the code. It is, therefore, beneficial to have a system that can maintain code privacy by protecting it with cryptographic techniques, while still allowing authorised people to detect vulnerabilities in the encrypted code. This paper presents such a solution, a novel approach to Software Quality and Privacy that allows source code to be analysed in a protected manner, preserving its privacy. The proposed solution combines Static Analysis with Searchable Symmetric Encryption (SSE) for confidential vulnerability detection, enabling data and dependency tracking for data flow analysis over encrypted source code. The solution represents the code's data and control flows as an Encrypted Inverted Index, in a connected way that enables SSE's queries for vulnerability discovery. The solution was implemented as the CoCoA tool and evaluated with synthetic and real PHP web applications. Results show that CoCoA has similar precision as (non-confidential) SATs - 93% - with real applications, requiring only 209 ms to process 4k LoC - a modest overhead of 42.7% compared to a non-confidential baseline. This paper also defines a new research field - Confidential Code Analysis -, from which other types of code analysis tasks can be derived.