Towards verifiable web-based code review systems
Document Type: Article
Publication Date: 1-1-2023
Abstract
Although code review is an essential step for ensuring the quality of software, it is surprising that current code review systems do not have mechanisms to protect the integrity of the code review process. We uncover multiple attacks against the code review infrastructure which are easy to execute, stealthy in nature, and can have a significant impact, such as allowing malicious or buggy code to be merged and propagated to future releases. To improve this status quo, in this work we lay the foundations for securing the code review process. Towards this end, we first identify a set of key design principles necessary to secure the code review process. We then use these principles to propose SecureReview, a security mechanism that can be applied on top of a Git-based code review system to ensure the integrity of the code review process and provide verifiable guarantees that the code review process followed the intended review policy. We implement SecureReview as a Chrome browser extension for GitHub and Gerrit. Our security analysis shows that SecureReview is effective in mitigating the aforementioned attacks. An experimental evaluation shows that the SecureReview implementation only adds a slight storage overhead (i.e., less than 0.0006 of the repository size).
Identifier: 85161000550 (Scopus)
Publication Title: Journal of Computer Security
External Full Text Location: https://doi.org/10.3233/JCS-210098
ISSN: 0926-227X
First Page: 153
Last Page: 184
Issue: 2
Volume: 31
Grant: CNS 1801430
Fund Ref: National Science Foundation
Recommended Citation:
Afzali, Hammad; Torres-Arias, Santiago; Curtmola, Reza; and Cappos, Justin, "Towards verifiable web-based code review systems" (2023). Faculty Publications. 2360. https://digitalcommons.njit.edu/fac_pubs/2360