nach oben

Empirical Software Engineering

Erschienen in:

19.12.2015

An automatic method for assessing the versions affected by a vulnerability

verfasst von: Viet Hung Nguyen, Stanislav Dashevskyi, Fabio Massacci

Erschienen in: Empirical Software Engineering | Ausgabe 6/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Vulnerability data sources are used by academics to build models, and by industry and government to assess compliance. Errors in such data sources therefore not only are threats to validity in scientific studies, but also might cause organizations, which rely on retro versions of software, to lose compliance. In this work, we propose an automated method to determine the code evidence for the presence of vulnerabilities in retro software versions. The method scans the code base of each retro version of software for the code evidence to determine whether a retro version is vulnerable or not. It identifies the lines of code that were changed to fix vulnerabilities. If an earlier version contains these deleted lines, it is highly likely that this version is vulnerable. To show the scalability of the method we performed a large scale experiments on Chrome and Firefox (spanning 7,236 vulnerable files and approximately 9,800 vulnerabilities) on the National Vulnerability Database (NVD). The elimination of spurious vulnerability claims (e.g. entries to a vulnerability database such as NVD) found by our method may change the conclusions of studies on the prevalence of foundational vulnerabilities.

Vorheriger Artikel Cheap talk, cooperation, and trust in global software engineering

Nächster Artikel On the unreliability of bug severity data

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Some states in US (i.e. Nevada and Minnesota) have adopted PCI DSS as a actual law for some business operating in these states (Williams and Chuvakin 2012, Chap.3)

http://www.sap.com/corporate-en/about/our-company/policies/sybase/third-party-legal.html

While this is sufficient for non-critical applications, it is possible that we might miss important information that is not a part of the vulnerable code footprint (Please refer to Sections 4.4 and 7 for discussion)

In an SVN repository, the immediately preceding of the revision r _{f
i
x} is r _{f
i
x}−1. In some other repository such as Mercurial, the immediately preceding revision is determined by performing the command parent

This page has been removed, but can be accessed by URL http://web.archive.org/web/20021201184650/http://icat.nist.gov/icat_documentation.htm

Unexpected and extremely rare events hat can have major impact but can be only explained in retrospection (Taleb 2010)

Agresti A, Franklin CA (2012) Statistics: the art and science of learning from data. Pearson Higher Ed

Allodi L, Kotov V, Massacci F (2013) MalwareLab: Experimentation with cybercrime attack tools

Antoniol G, Ayari K, Di Penta M, Khomh F, Guéhéneuc Y-G (2008) Is it a bug or an enhancement? a textbased approach to classify change requests

Bird Christian, Bachmann A, Aune E, Duffy J, Bernstein A, Filkov V, Devanbu P (2009) Fair and balanced? bias in bug-fix datasets. In: Proceedings of the 7th european software engineering conference. ACM, pp 121–130

Chowdhury I, Zulkernine M (2011) Using complexity, coupling, and cohesion metrics as early predictors of vulnerabilities. J Syst Archit 57(3):294–313CrossRef

Chromium Developers (2013) Chrome stable releases history. http://omahaproxy.appspot.com/history?channel=stable visited in April 2013

Krsul IV (1998) Software vulnerability analysis. PhD thesis. Purdue University

Massacci F, Nguyen VH (2014) An empirical methodology to evaluate vulnerability discovery models. IEEE Trans Softw Eng 40(12):1147–1162CrossRef

Massacci F, Nguyen VH (2010) Which is the right source for vulnerabilities studies? An empirical analysis on mozilla firefox. In: Proceedings of the international acm workshop on security measurement and metrics (MetriSec’ 9)

Massacci F, Neuhaus S, Nguyen VH (2011) After- life vulnerabilities: A study on firefox evolution, its vulnerabilities and fixes. In: Proceedings of the 2011 engineering secure software and systems conference (ESSoS’11)

Meneely A, Srinivasan H, Musa A, Rodrguez Tejeda A, Mokary M, Spates B (2013) When a patch goes bad: Exploring the properties of vulnerability-contributing commits

Mozilla Security (2011) Missing CVEs in MFSA? Private Communication

Needham R (2002) Security and Open Source

Neuhaus S, Zimmermann T, Holler C, Zeller A (2007) Predicting vulnerable software components. In: Proceedings of the 14th acm conference on computer and communications security (CCS’07), pp 529–540

Nguyen T, Adams B, Hassan AE (2010) A case study of bias in bug-fix datasets. In: Proceedings of 17th working conference on reverse engineering (WCRE’10)

Nguyen VH (2014) Empirical methods for evaluating empirical vulnerability models. PhD thesis. University of Trento

Nguyen VH, Massacci F (2013) The (Un) reliability of nvd vulnerable versions data: an empirical experiment on google chrome vulnerabilities. In: Proceeding of the 8th ACM symposium on information, computer and communications security (ASIACCS’13)

NIST (2012) Question on the data source of vulnerable configurations in an NVD entry. Private communication

Ozment A (2007) Vulnerability discovery and software security. PhD thesis. University of Cambridge, Cambridge

Ozment A, Schechter SE (2006) Milk or wine: Does software security improve with age?. In: Proceedings of the 15th USENIX security symposium

Quinn SD, Scarfone KA, Barrett M, Johnson CS (2010) SP 800-117. Guide to adopting and using the Security Content Automation Protocol (SCAP) Version 1.0. Tech. rep. National Institute of Standards and Technology

Roumani Y, Nwankpa JK, Roumani YF (2015) Time series modeling of vulnerabilities. In: Computers and Security 51, pp 32–40

Shin Y, Meneely A, Williams L, Osborne JA (2011) Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans Softw Eng 37(6):772–787CrossRef

Sliwerski J, Zimmermann T, Zeller A (2005) When do changes induce fixes?. In: Proceedings of the 2nd international working conference on mining software repositories MSR(’05), pp 24–28

Taleb NN (2010) The black swan:: The impact of the highly improbable fragility. Vol. 2. Random House

Wikipedia (2013) Firefox release history. http://en.wikipedia.org/wiki/Firefox_release_history, visited in April 2013

Williams BR, Chuvakin AA (2012) PCI compliance, third edition: Understand and implement effective pci data security standard compliance. Ed. by Dereck Milroy 3rd. Elsevier, Syngress

Younan Y (2013) 25 Years of vulnerabilities:1988-2012. Tech. rep. Source Fire

Zimmermann T, Premraj R, Zeller A (2007) Predicting defects for eclipse. In: Proceedings of the 3th international workshop on predictor models in software engineering (PROMISE?07). IEEE Computer Society, pp 9–15

Titel: An automatic method for assessing the versions affected by a vulnerability
verfasst von: Viet Hung Nguyen
Stanislav Dashevskyi
Fabio Massacci
Publikationsdatum: 19.12.2015
Verlag: Springer US
Erschienen in: Empirical Software Engineering / Ausgabe 6/2016
Print ISSN: 1382-3256
Elektronische ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-015-9408-2

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Weitere Artikel der Ausgabe 6/2016

Cheap talk, cooperation, and trust in global software engineering

A guest editorial: special section on search-based software engineering

On the unreliability of bug severity data

Improving the performance of OCL constraint solving with novel heuristics for logical operations: a search-based approach

An exploratory study of api changes and usages based on apache and eclipse ecosystems

Large-scale information retrieval in software engineering - an experience report from industrial application