Towards verifiable web-based code review systems
by Hammad Afzali, Santiago Torres-Arias et al.

Document Type

Article

Publication Date

1-1-2023

Abstract

Although code review is an essential step for ensuring the quality of software, it is surprising that current code review systems do not have mechanisms to protect the integrity of the code review process. We uncover multiple attacks against the code review infrastructure which are easy to execute, stealthy in nature, and can have a significant impact, such as allowing malicious or buggy code to be merged and propagated to future releases. To improve this status quo, in this work we lay the foundations for securing the code review process. Towards this end, we first identify a set of key design principles necessary to secure the code review process. We then use these principles to propose SecureReview, a security mechanism that can be applied on top of a Git-based code review system to ensure the integrity of the code review process and provide verifiable guarantees that the code review process followed the intended review policy. We implement SecureReview as a Chrome browser extension for GitHub and Gerrit. Our security analysis shows that SecureReview is effective in mitigating the aforementioned attacks. An experimental evaluation shows that the SecureReview implementation only adds a slight storage overhead (i.e., less than 0.0006 of the repository size).

Identifier

85161000550 (Scopus)

Publication Title

Journal of Computer Security

External Full Text Location

https://doi.org/10.3233/JCS-210098

ISSN

0926-227X

First Page

153

Last Page

184

Issue

2

Volume

31

Grant

CNS 1801430

Fund Ref

National Science Foundation
