ABSTRACT
Where do most vulnerabilities occur in software? Our Vulture tool automatically mines existing vulnerability databases and version archives to map past vulnerabilities to components. The resulting ranking of the most vulnerable components is a solid basis for further investigation into what makes components vulnerable.
In an investigation of the Mozilla vulnerability history, we found, surprisingly, that components that had a single vulnerability in the past were generally not likely to have further vulnerabilities. However, components that had similar imports or function calls were likely to be vulnerable.
Based on this observation, we were able to extend Vulture by a simple predictor that correctly predicts about half of all vulnerable components, and about two thirds of all its predictions are correct. This allows developers and project managers to focus their efforts where they are needed most: "We should look at nsXPInstallManager because it is likely to contain yet unknown vulnerabilities."
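The abstract's idea that components with similar imports share vulnerability history can be turned into a small predictor. The script below is an added illustration, not Vulture's code: it uses a nearest-neighbour rule over Jaccard similarity of import sets (the paper's own predictor was a support vector machine), and every component name, header name and label in it is constructed.

```python
"""Toy import-based vulnerability predictor (added example, not Vulture's code).

Components are described by their set of imports. Components with a known past
vulnerability act as training data; a held-out component is flagged when its
import set is close (Jaccard similarity) to some known vulnerable component.
All names, imports and labels below are constructed for illustration.
"""
from typing import Dict, Set, Tuple

# Constructed training data: component -> (imports, had a past vulnerability?)
TRAINING: Dict[str, Tuple[Set[str], bool]] = {
    "compA": ({"nsXPInstallManager.h", "nsIURI.h", "nsNetUtil.h"}, True),
    "compB": ({"nsIURI.h", "nsNetUtil.h", "nsIChannel.h"}, True),
    "compC": ({"nsString.h", "nsCOMPtr.h"}, False),
    "compD": ({"nsString.h", "nsTArray.h", "nsCOMPtr.h"}, False),
}

# Constructed held-out components with their true (later discovered) labels.
HOLDOUT: Dict[str, Tuple[Set[str], bool]] = {
    "compE": ({"nsIURI.h", "nsNetUtil.h", "nsIChannel.h", "nsIStreamListener.h"}, True),
    "compF": ({"nsString.h", "nsCOMPtr.h", "nsIURI.h"}, False),
    "compG": ({"nsXPInstallManager.h", "nsNetUtil.h"}, False),
    "compH": ({"nsTArray.h", "nsIChannel.h"}, True),
}

def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity |a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def predict(imports: Set[str], training=TRAINING, threshold: float = 0.5) -> bool:
    """Flag as likely vulnerable if imports are at least `threshold`-similar
    to any component with a past vulnerability (nearest-neighbour rule)."""
    best = max((jaccard(imports, imp) for imp, vuln in training.values() if vuln),
               default=0.0)
    return best >= threshold

def precision_recall(preds: Dict[str, bool], truth: Dict[str, bool]) -> Tuple[float, float]:
    """Precision (share of flagged components truly vulnerable) and recall
    (share of vulnerable components that were flagged), as fractions."""
    tp = sum(1 for c, p in preds.items() if p and truth[c])
    fp = sum(1 for c, p in preds.items() if p and not truth[c])
    fn = sum(1 for c, p in preds.items() if not p and truth[c])
    return (tp / (tp + fp) if tp + fp else 0.0, tp / (tp + fn) if tp + fn else 0.0)

def evaluate_holdout() -> Tuple[float, float]:
    """Run the predictor over HOLDOUT and score it against the true labels."""
    preds = {name: predict(imps) for name, (imps, _) in HOLDOUT.items()}
    truth = {name: vuln for name, (_, vuln) in HOLDOUT.items()}
    return precision_recall(preds, truth)

if __name__ == "__main__":
    p, r = evaluate_holdout()
    print(f"precision={p:.2f} recall={r:.2f}")
```

On the constructed hold-out set the rule flags compE (correctly) and compG (a false positive) and misses compH, which is the kind of precision/recall trade-off the abstract's figures describe.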