ABSTRACT
Software security vulnerabilities are discovered on an almost daily basis and have caused substantial damage. To support their early detection and resolution, we conducted an empirical study on thousands of vulnerabilities and found that many of them recur because of software reuse. Based on the knowledge gained from the study, we developed SecureSync, an automatic tool that detects recurring software vulnerabilities in systems that reuse source code or libraries. The core of SecureSync consists of two techniques for representing vulnerable code and computing its similarity across different systems. An evaluation on 60 vulnerabilities across 176 releases of 119 open-source software systems shows that SecureSync detects recurring vulnerabilities with high accuracy and identified 90 releases containing potentially vulnerable code that had not yet been reported or fixed, even in mature systems. A couple of these cases were confirmed by the developers of the affected systems.
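The abstract states the core idea without showing it: when a vulnerable fragment is copied into other systems, a similarity measure over the code can locate the copies, and comparing each copy against the fixed version tells whether the fix has propagated. The block below is an added illustration of that idea, not SecureSync's own code or its actual similarity techniques. It assumes a simple stand-in (identifier-abstracted tokens compared by 3-gram Jaccard similarity), and all code fragments, file paths and function names in it are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a hypothetical vulnerable fragment, its fixed version, and
# three candidate fragments from other (fictional) code bases.
KNOWN_VULNERABLE = """
int read_record(char *buf, int len) {
    char tmp[64];
    memcpy(tmp, buf, len);
    return process(tmp);
}
"""

KNOWN_FIXED = """
int read_record(char *buf, int len) {
    char tmp[64];
    if (len > sizeof(tmp)) return -1;
    memcpy(tmp, buf, len);
    return process(tmp);
}
"""

CANDIDATES: Dict[str, str] = {
    # Reused copy with renamed identifiers; the bounds check is missing.
    "libfoo/parse.c": """
int load_entry(char *data, int size) {
    char scratch[64];
    memcpy(scratch, data, size);
    return handle(scratch);
}
""",
    # Unrelated code that shares only generic C syntax.
    "libbar/util.c": """
static int clamp(int v, int lo, int hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}
""",
    # Reused copy that already carries the fix.
    "libbaz/io.c": """
int fetch_item(char *src, int n) {
    char local[64];
    if (n > sizeof(local)) return -1;
    memcpy(local, src, n);
    return consume(local);
}
""",
}

KEYWORDS = {"int", "char", "return", "if", "static", "void", "for", "while", "sizeof"}
# API names that carry meaning for the pattern are kept verbatim rather than abstracted.
KEEP = {"memcpy", "strcpy", "sprintf"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")


def normalize(code: str) -> List[str]:
    """Tokenize C-like code, mapping identifiers to ID and numbers to NUM so that
    renamed copies compare equal; keywords, punctuation and KEEP names survive."""
    out: List[str] = []
    for tok in TOKEN_RE.findall(code):
        if tok in KEYWORDS or tok in KEEP or not (tok[0].isalpha() or tok[0] == "_"):
            out.append("NUM" if tok.isdigit() else tok)
        else:
            out.append("ID")
    return out


def ngrams(tokens: List[str], n: int = 3) -> Set[Tuple[str, ...]]:
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def similarity(a: str, b: str, n: int = 3) -> float:
    """Jaccard similarity of the normalized token n-gram sets (0.0 .. 1.0)."""
    ga, gb = ngrams(normalize(a), n), ngrams(normalize(b), n)
    if not ga or not gb:
        return 0.0
    return len(ga & gb) / len(ga | gb)


def assess(vulnerable: str, fixed: str, candidates: Dict[str, str],
           threshold: float = 0.6) -> List[dict]:
    """Flag candidates that resemble the known fragment and report whether they
    look closer to the vulnerable or to the fixed version."""
    findings = []
    for path, code in candidates.items():
        s_v, s_f = similarity(vulnerable, code), similarity(fixed, code)
        if max(s_v, s_f) < threshold:
            continue  # not a reuse of this fragment at all
        verdict = "likely vulnerable (fix absent)" if s_v > s_f else "fix present"
        findings.append({"path": path, "sim_vulnerable": round(s_v, 3),
                         "sim_fixed": round(s_f, 3), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in assess(KNOWN_VULNERABLE, KNOWN_FIXED, CANDIDATES):
        print(f)
```

Running it reports `libfoo/parse.c` as a likely unfixed recurrence and `libbaz/io.c` as a copy that already carries the fix, while `libbar/util.c` falls below the threshold. The identifier abstraction is what makes renamed copies match; the price is more false positives on boilerplate, which is why a practitioner pairs such a measure with manual confirmation, as the abstract's developer-confirmed cases suggest.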
Index Terms
- Detection of recurring software vulnerabilities