{"id":"https://openalex.org/W4387872692","doi":"https://doi.org/10.1109/tifs.2023.3326985","title":"A Credential Usage Study: Flow-Aware Leakage Detection in Open-Source Projects","display_name":"A Credential Usage Study: Flow-Aware Leakage Detection in Open-Source Projects","publication_year":2023,"publication_date":"2023-10-23","ids":{"openalex":"https://openalex.org/W4387872692","doi":"https://doi.org/10.1109/tifs.2023.3326985"},"language":"en","primary_location":{"id":"doi:10.1109/tifs.2023.3326985","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2023.3326985","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5037808916","display_name":"Ruidong Han","orcid":"https://orcid.org/0000-0001-6859-6005"},"institutions":[{"id":"https://openalex.org/I149594827","display_name":"Xidian University","ror":"https://ror.org/05s92vm98","country_code":"CN","type":"education","lineage":["https://openalex.org/I149594827"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Ruidong Han","raw_affiliation_strings":["School of Cyber Engineering, Xidian University, Xi&#x2019;an, China"],"affiliations":[{"raw_affiliation_string":"School of Cyber Engineering, Xidian University, Xi&#x2019;an, China","institution_ids":["https://openalex.org/I149594827"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002851512","display_name":"Huihui Gong","orcid":"https://orcid.org/0000-0003-2162-7331"},"institutions":[{"id":"https://openalex.org/I129604602","display_name":"The University of Sydney","ror":"https://ror.org/0384j8v12","country_code":"AU","type":"education","lineage":["https://openalex.org/I129604602"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Huihui Gong","raw_affiliation_strings":["Faculty of Engineering, The University of Sydney, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"Faculty of Engineering, The University of Sydney, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I129604602"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5016972157","display_name":"Siqi Ma","orcid":"https://orcid.org/0000-0003-3479-5713"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Siqi Ma","raw_affiliation_strings":["School of Engineering and Information System, University of New South Wales, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"School of Engineering and Information System, University of New South Wales, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I31746571"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5020082816","display_name":"Juanru Li","orcid":"https://orcid.org/0000-0002-7978-595X"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Juanru Li","raw_affiliation_strings":["Zhiyuan College, Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"Zhiyuan College, Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5001529504","display_name":"Chang Xu","orcid":"https://orcid.org/0000-0002-4756-0609"},"institutions":[{"id":"https://openalex.org/I129604602","display_name":"The University of Sydney","ror":"https://ror.org/0384j8v12","country_code":"AU","type":"education","lineage":["https://openalex.org/I129604602"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Chang Xu","raw_affiliation_strings":["School of Computer Science, Faculty of Engineering and IT, The University of Sydney, Darlington, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Faculty of Engineering and IT, The University of Sydney, Darlington, NSW, Australia","institution_ids":["https://openalex.org/I129604602"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5061694501","display_name":"Elisa Bertino","orcid":"https://orcid.org/0000-0002-4029-7051"},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Elisa Bertino","raw_affiliation_strings":["Department of Computer Science, Purdue University, West Lafayette, IN, USA"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Purdue University, West Lafayette, IN, USA","institution_ids":["https://openalex.org/I219193219"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5082256444","display_name":"\u202aSurya Nepal\u202c","orcid":"https://orcid.org/0000-0002-3289-6599"},"institutions":[{"id":"https://openalex.org/I4210101388","display_name":"Health Sciences and Nutrition","ror":"https://ror.org/0152bt112","country_code":"AU","type":"facility","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4210101388","https://openalex.org/I4387156119"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Surya Nepal","raw_affiliation_strings":["Commonwealth Scientific and Industrial Research, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"Commonwealth Scientific and Industrial Research, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I4210101388"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5015787649","display_name":"Zhuo Ma","orcid":"https://orcid.org/0000-0001-6023-2864"},"institutions":[{"id":"https://openalex.org/I149594827","display_name":"Xidian University","ror":"https://ror.org/05s92vm98","country_code":"CN","type":"education","lineage":["https://openalex.org/I149594827"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhuo Ma","raw_affiliation_strings":["School of Cyber Engineering, Xidian University, Xi&#x2019;an, China"],"affiliations":[{"raw_affiliation_string":"School of Cyber Engineering, Xidian University, Xi&#x2019;an, China","institution_ids":["https://openalex.org/I149594827"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5012016098","display_name":"Jianfeng Ma","orcid":"https://orcid.org/0000-0003-4251-1143"},"institutions":[{"id":"https://openalex.org/I149594827","display_name":"Xidian University","ror":"https://ror.org/05s92vm98","country_code":"CN","type":"education","lineage":["https://openalex.org/I149594827"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jianfeng Ma","raw_affiliation_strings":["School of Cyber Engineering, Xidian University, Xi&#x2019;an, China"],"affiliations":[{"raw_affiliation_string":"School of Cyber Engineering, Xidian University, Xi&#x2019;an, China","institution_ids":["https://openalex.org/I149594827"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5037808916"],"corresponding_institution_ids":["https://openalex.org/I149594827"],"apc_list":null,"apc_paid":null,"fwci":0.7854,"has_fulltext":false,"cited_by_count":4,"citation_normalized_percentile":{"value":0.71898578,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":97},"biblio":{"volume":"19","issue":null,"first_page":"722","last_page":"734"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9983000159263611,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9983000159263611,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9977999925613403,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9972000122070312,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/credential","display_name":"Credential","score":0.9301321506500244},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8711430430412292},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6322577595710754},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.5173327326774597},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.5002632141113281},{"id":"https://openalex.org/keywords/implementation","display_name":"Implementation","score":0.4332776367664337},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.432232141494751},{"id":"https://openalex.org/keywords/password","display_name":"Password","score":0.4300115406513214},{"id":"https://openalex.org/keywords/information-leakage","display_name":"Information leakage","score":0.4221421480178833},{"id":"https://openalex.org/keywords/pointer","display_name":"Pointer (user interface)","score":0.41472938656806946},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.2886599898338318},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.12401881814002991}],"concepts":[{"id":"https://openalex.org/C2777810591","wikidata":"https://www.wikidata.org/wiki/Q16861606","display_name":"Credential","level":2,"score":0.9301321506500244},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8711430430412292},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6322577595710754},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.5173327326774597},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.5002632141113281},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.4332776367664337},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.432232141494751},{"id":"https://openalex.org/C109297577","wikidata":"https://www.wikidata.org/wiki/Q161157","display_name":"Password","level":2,"score":0.4300115406513214},{"id":"https://openalex.org/C2779201187","wikidata":"https://www.wikidata.org/wiki/Q2775060","display_name":"Information leakage","level":2,"score":0.4221421480178833},{"id":"https://openalex.org/C150202949","wikidata":"https://www.wikidata.org/wiki/Q107602","display_name":"Pointer (user interface)","level":2,"score":0.41472938656806946},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.2886599898338318},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.12401881814002991},{"id":"https://openalex.org/C31972630","wikidata":"https://www.wikidata.org/wiki/Q844240","display_name":"Computer vision","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2023.3326985","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2023.3326985","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G2495480902","display_name":null,"funder_award_id":"92167203","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G4328264082","display_name":null,"funder_award_id":"92267204","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G455078787","display_name":null,"funder_award_id":"XJSJ23185","funder_id":"https://openalex.org/F4320335787","funder_display_name":"Fundamental Research Funds for the Central Universities"},{"id":"https://openalex.org/G6030431395","display_name":null,"funder_award_id":"62232013","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320335787","display_name":"Fundamental Research Funds for the Central Universities","ror":null}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":43,"referenced_works":["https://openalex.org/W1523506468","https://openalex.org/W1990762361","https://openalex.org/W2058513595","https://openalex.org/W2115147459","https://openalex.org/W2250539671","https://openalex.org/W2253429366","https://openalex.org/W2559655401","https://openalex.org/W2559935471","https://openalex.org/W2634106992","https://openalex.org/W2792868481","https://openalex.org/W2947593054","https://openalex.org/W2955656327","https://openalex.org/W2956006111","https://openalex.org/W2962178652","https://openalex.org/W2962960733","https://openalex.org/W2964167407","https://openalex.org/W2973220656","https://openalex.org/W2993331254","https://openalex.org/W3004040842","https://openalex.org/W3005951744","https://openalex.org/W3008406900","https://openalex.org/W3009129408","https://openalex.org/W3015248254","https://openalex.org/W3033053557","https://openalex.org/W3033777149","https://openalex.org/W3039516369","https://openalex.org/W3047731586","https://openalex.org/W3111602563","https://openalex.org/W3119833153","https://openalex.org/W3153576810","https://openalex.org/W3163385614","https://openalex.org/W3176011546","https://openalex.org/W4214663624","https://openalex.org/W4284664377","https://openalex.org/W4287848621","https://openalex.org/W4288057720","https://openalex.org/W4313406111","https://openalex.org/W6632118081","https://openalex.org/W6685053522","https://openalex.org/W6713385145","https://openalex.org/W6767270520","https://openalex.org/W6768491504","https://openalex.org/W6781930392"],"related_works":["https://openalex.org/W2389256677","https://openalex.org/W2013502867","https://openalex.org/W2353766896","https://openalex.org/W1986630940","https://openalex.org/W1859642347","https://openalex.org/W2123415650","https://openalex.org/W4387081478","https://openalex.org/W4285327239","https://openalex.org/W2367339285","https://openalex.org/W2963215340"],"abstract_inverted_index":{"Authentication":[0],"and":[1,27,86,106,118,137],"cryptography":[2],"are":[3,9],"critical":[4],"security":[5,25,57],"functions":[6,18],"and,":[7],"thus,":[8],"very":[10],"often":[11,32],"included":[12],"as":[13,23,217],"part":[14],"of":[15,40,43,56,91,158,193],"code.":[16,142],"These":[17],"require":[19],"using":[20,213],"credentials,":[21,233],"such":[22,223],"passwords,":[24],"tokens,":[26],"cryptographic":[28],"keys.":[29],"However,":[30],"developers":[31,166,211],"incorrectly":[33],"implement/use":[34],"credentials":[35,133,171,180,216],"in":[36,100,172,200],"their":[37],"code":[38,87,122],"because":[39],"a":[41,61,73],"lack":[42],"secure":[44],"coding":[45],"skills.":[46],"This":[47],"paper":[48],"analyzes":[49,120],"open-source":[50,80,148],"projects":[51,69,81],"concerning":[52],"the":[53,93,121,131,141,170,173,186,191,201,214],"correct":[54],"use":[55],"credentials.":[58],"We":[59,71,143],"developed":[60],"semantic-rich,":[62],"language-independent":[63],"analysis":[64,162],"approach":[65],"for":[66],"analyzing":[67,92],"many":[68],"automatically.":[70],"implemented":[72],"detection":[74],"tool,":[75],"SEAGULL,":[76],"to":[77,114,125,146,197],"automatically":[78],"check":[79],"based":[82],"on":[83],"string":[84],"literal":[85,112],"structure":[88],"information.":[89],"Instead":[90],"entire":[94],"project":[95,175],"code,":[96],"which":[97],"might":[98],"result":[99],"path":[101],"explosion":[102],"when":[103],"constructing":[104],"data":[105],"control":[107],"dependencies,":[108],"SEAGULL":[109,128,145,150],"pinpoints":[110],"all":[111],"constants":[113],"identify":[115],"credential":[116,155,194,224],"candidates":[117],"then":[119],"snippets":[123],"correlated":[124],"these":[126],"candidates.":[127],"accurately":[129],"identifies":[130],"leaked":[132,232],"by":[134],"obtaining":[135],"semantic":[136],"syntax":[138],"information":[139],"about":[140],"applied":[144],"377":[147],"projects.":[149,160,229],"successfully":[151,206],"reported":[152],"19":[153],"real-world":[154],"leakages":[156,195,225],"out":[157],"those":[159],"Our":[161],"shows":[163],"that":[164,222],"some":[165,228],"protected":[167],"or":[168],"erased":[169],"current":[174,202],"versions,":[176],"but":[177],"previously":[178],"used":[179],"can":[181,235],"still":[182,226],"be":[183,198],"extracted":[184],"from":[185],"project\u2019s":[187],"historical":[188],"versions.":[189],"Although":[190],"implementations":[192],"seem":[196],"fixed":[199],"projects,":[203],"attackers":[204,234],"could":[205],"log":[207,236],"into":[208,237],"accounts":[209],"if":[210],"keep":[212],"same":[215],"before.":[218],"Additionally,":[219],"we":[220],"found":[221],"affect":[227],"By":[230],"exploiting":[231],"particular":[238],"accounts.":[239]},"counts_by_year":[{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":1}],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-10T00:00:00"}