Internship Title
Security Analysis and Vulnerability Detection in Open-Source Task-Based Chatbots
Internship Location
DEI
Background
Task-based chatbots are increasingly deployed in production environments, handling sensitive user interactions and triggering automated workflows. Despite this, their security remains underexplored, often due to the absence of representative and up-to-date datasets.
The recent development of two in-house large-scale datasets offers a unique opportunity to systematically analyze the security of real-world Rasa-based chatbots. These bots vary in complexity, usage patterns, and integration with external APIs, reflecting diverse development practices in open-source environments.
This thesis will leverage \dataset to perform an empirical security evaluation of open-source chatbots. The focus will be on detecting insecure coding and configuration patterns in Rasa projects using static and dynamic analysis techniques. The outcome will provide actionable insights on common security flaws, their frequency, and potential impact in modern task-based bots.
Objective
The main objectives of this thesis are:
1. Implement Static Analysis for Rasa Bots: Scan domain.yml, stories.yml, rules.yml, and actions.py files for common security issues (e.g., open endpoints, improper entity handling, fallback misuse).
2. Analyze the Dataset Corpus: Apply the analysis tools to the full curated dataset and generate a structured report of detected issues.
3. Identify Risk Patterns: Categorize issues based on severity and type (e.g., injection risks in actions, weak intent validation).
4. Extend to Lightweight Dynamic Analysis: Optionally run selected bots in test environments and observe runtime behavior under basic interaction scripts.
5. Summarize Trends and Recommendations: Highlight recurring vulnerabilities and propose best practices for secure Rasa bot development.
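As an added illustration of objectives 1 and 3 (this is example code written for this page, not the thesis's tool and not part of Rasa), the toy checker below scans the kinds of artifacts a Rasa project ships with and maps each hit to a CWE category. It assumes the `.yml` files have already been parsed (the dictionaries are what `yaml.safe_load` would return) and takes `actions.py` as raw source text; all sample inputs are constructed for the example, the `FALLBACK_MIN_THRESHOLD` cutoff is an assumed value, and the literal credential and hostnames are placeholders. The rules rely on two documented Rasa behaviours: `${VAR}` in `credentials.yml`/`endpoints.yml` is substituted from the environment, and `FallbackClassifier` only triggers when intent confidence falls below its `threshold`.

```python
# Toy static checker for Rasa project files (added example; not the proposal's tool).
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    cwe: str       # CWE category the pattern is mapped to
    severity: str  # HIGH / MEDIUM
    message: str


# Rasa expands ${VAR} from the environment when loading yml files, so a literal
# value under a secret-looking key is the hard-coded-credential pattern (CWE-798).
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
SECRET_KEY = re.compile(r"(token|secret|password|api[_-]?key)$", re.IGNORECASE)
FALLBACK_MIN_THRESHOLD = 0.2  # assumed cutoff: below this, fallback practically never fires

# Slot values come from user messages, so SQL or shell commands built from them
# are untrusted-input sinks inside custom actions.
ACTION_PATTERNS = [
    (re.compile(r"\b(eval|exec)\("), "CWE-95", "HIGH", "dynamic code evaluation"),
    (re.compile(r"os\.system\(|shell\s*=\s*True"), "CWE-78", "HIGH", "shell command built in code"),
    (re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*(\{|['\"]\s*\+|\.format\()", re.IGNORECASE),
     "CWE-89", "HIGH", "SQL built by string formatting"),
]


def literal_secrets(file: str, doc: dict) -> list[Finding]:
    """credentials.yml / endpoints.yml: secret-looking keys holding literal values."""
    out = []
    for section, cfg in (doc or {}).items():
        if not isinstance(cfg, dict):
            continue  # e.g. a bare 'rest:' channel with no options
        for key, value in cfg.items():
            if SECRET_KEY.search(key) and isinstance(value, str) and value and not ENV_REF.match(value):
                out.append(Finding(file, "CWE-798", "HIGH",
                                   f"{section}.{key} is a literal credential; use ${{VAR}} substitution"))
    return out


def plaintext_endpoints(endpoints: dict) -> list[Finding]:
    """endpoints.yml: http:// URLs to non-local hosts (action server, tracker store, ...)."""
    out = []
    for section, cfg in (endpoints or {}).items():
        url = cfg.get("url") if isinstance(cfg, dict) else None
        if isinstance(url, str) and url.startswith("http://"):
            host = url[len("http://"):].split("/")[0].split(":")[0]
            if host not in ("localhost", "127.0.0.1"):
                out.append(Finding("endpoints.yml", "CWE-319", "MEDIUM",
                                   f"{section}.url sends traffic in cleartext to {host}"))
    return out


def weak_fallback(config: dict) -> list[Finding]:
    """config.yml: no FallbackClassifier, or a threshold so low it never triggers."""
    steps = (config or {}).get("pipeline") or []
    fallback = [s for s in steps if isinstance(s, dict) and s.get("name") == "FallbackClassifier"]
    if not fallback:
        return [Finding("config.yml", "CWE-20", "MEDIUM",
                        "pipeline has no FallbackClassifier; low-confidence intents are acted on")]
    threshold = fallback[0].get("threshold")
    if isinstance(threshold, (int, float)) and threshold < FALLBACK_MIN_THRESHOLD:
        return [Finding("config.yml", "CWE-20", "MEDIUM",
                        f"FallbackClassifier threshold {threshold} is below {FALLBACK_MIN_THRESHOLD}")]
    return []


def scan_actions(source: str) -> list[Finding]:
    """actions.py: line-oriented search for dangerous sinks."""
    return [Finding("actions.py", cwe, severity, f"line {lineno}: {what}")
            for lineno, line in enumerate(source.splitlines(), start=1)
            for pattern, cwe, severity, what in ACTION_PATTERNS if pattern.search(line)]


def analyze_project(credentials, endpoints, config, actions_source) -> list[Finding]:
    return (literal_secrets("credentials.yml", credentials) + literal_secrets("endpoints.yml", endpoints)
            + plaintext_endpoints(endpoints) + weak_fallback(config) + scan_actions(actions_source))


def count_by_cwe(findings) -> dict[str, int]:
    """Aggregate findings by CWE category, as the work plan's classification step does."""
    return dict(Counter(f.cwe for f in findings))


# Constructed sample project (placeholder values, not a real bot).
SAMPLE_CREDENTIALS = {"rest": None,
                      "slack": {"slack_token": "xoxb-constructed-placeholder", "slack_channel": "#support"},
                      "facebook": {"verify": "${FB_VERIFY}", "secret": "${FB_SECRET}"}}
SAMPLE_ENDPOINTS = {"action_endpoint": {"url": "http://actions.internal.example:5055/webhook"},
                    "tracker_store": {"type": "SQL", "url": "localhost", "password": "${TRACKER_DB_PASSWORD}"}}
SAMPLE_CONFIG = {"pipeline": [{"name": "WhitespaceTokenizer"}, {"name": "DIETClassifier", "epochs": 100},
                              {"name": "FallbackClassifier", "threshold": 0.05}],
                 "policies": [{"name": "RulePolicy"}]}
SAMPLE_ACTIONS_PY = '''\
from rasa_sdk import Action
import os, sqlite3

class ActionLookupOrder(Action):  # constructed: vulnerable custom action
    def name(self):
        return "action_lookup_order"

    def run(self, dispatcher, tracker, domain):
        order_id = tracker.get_slot("order_id")  # user-controlled slot value
        con = sqlite3.connect("orders.db")
        row = con.execute(f"SELECT status FROM orders WHERE id = '{order_id}'").fetchone()
        os.system("logger order-lookup " + str(order_id))
        dispatcher.utter_message(text=str(row))
        return []

class ActionSafeLookup(Action):  # constructed: parameterised query, no shell
    def name(self):
        return "action_safe_lookup"

    def run(self, dispatcher, tracker, domain):
        order_id = tracker.get_slot("order_id")
        row = sqlite3.connect("orders.db").execute(
            "SELECT status FROM orders WHERE id = ?", (order_id,)).fetchone()
        dispatcher.utter_message(text=str(row))
        return []
'''

if __name__ == "__main__":
    results = analyze_project(SAMPLE_CREDENTIALS, SAMPLE_ENDPOINTS, SAMPLE_CONFIG, SAMPLE_ACTIONS_PY)
    for f in results:
        print(f"{f.severity:6} {f.cwe:8} {f.file}: {f.message}")
    print(count_by_cwe(results))
```

On the constructed sample the checker reports the literal Slack token, the cleartext action-server URL, the near-zero fallback threshold, and the two sinks in `ActionLookupOrder` (string-built SQL and a shell command), while `ActionSafeLookup` produces nothing. The line-oriented regexes are deliberately simple; a Semgrep rule set would do the same matching with real AST awareness, which is why the plan pairs such checks with Bandit and Semgrep rather than replacing them.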
Work Plan - Semester 1
Prepare a representative subset of bots from \dataset and select appropriate static security tools (e.g., Bandit, Semgrep, Trivy).
[13/10/2025 to 09/11/2025] Apply selected tools to the bots, collecting security issues related to code, configs, and dependencies.
[10/11/2025 to 07/12/2025] Aggregate and classify findings by CWE categories, and assess frequency and severity of issues.
[08/12/2025 to --/01/2026] Draft and submit the thesis proposal, including initial findings and methodological plan.
Work Plan - Semester 2
Run full analysis on the entire dataset and extract quantitative security metrics per bot.
[02/03/2026 to 19/04/2026] Analyze correlations between bot features (e.g., popularity, complexity) and security posture.
[20/04/2026 to 10/05/2026] Optionally validate high-risk findings through runtime testing on a controlled subset of bots.
[11/05/2026 to --/06/2026] Write and finalize the thesis, documenting tools, results, and practical insights for chatbot security.
Conditions
Depending on the evolution of the internship a studentship may be available to support the development of the work. The work is to be executed at the laboratories of the CISUC’s Software and Systems Engineering (SSE) Group and Cyber Security Laboratory (CS-Lab).
Supervisor
Joao Campos
jrcampos@dei.uc.pt