DOI: 10.1145/1315245.1315311
Article

Predicting vulnerable software components

Published: 28 October 2007

ABSTRACT

Where do most vulnerabilities occur in software? Our Vulture tool automatically mines existing vulnerability databases and version archives to map past vulnerabilities to components. The resulting ranking of the most vulnerable components is a perfect base for further investigations on what makes components vulnerable.

In an investigation of the Mozilla vulnerability history, we surprisingly found that components that had a single vulnerability in the past were generally not likely to have further vulnerabilities. However, components that had similar imports or function calls were likely to be vulnerable.

Based on this observation, we were able to extend Vulture by a simple predictor that correctly predicts about half of all vulnerable components, and about two thirds of all predictions are correct. This allows developers and project managers to focus their efforts where they are needed most: "We should look at nsXPInstallManager because it is likely to contain yet unknown vulnerabilities."
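The abstract describes two steps: rank components by their vulnerability history and then predict not-yet-known vulnerable components from the imports they share with previously vulnerable ones. The following is an added example, not Vulture's code or the paper's classifier. It replaces the paper's learning method with a deliberately simple rule (each import is scored by the fraction of past components using it that were vulnerable; a component's score is the mean over its imports; imports never seen in training fall back to the overall base rate) and evaluates precision and recall on a held-out set. All component and import names and the vulnerability history are constructed for illustration.

```python
"""Added example: a minimal import-based vulnerability predictor.

Not Vulture's code. It demonstrates the idea in the abstract, that components
sharing imports with previously vulnerable components tend to be vulnerable,
with a simple per-import risk score standing in for the paper's classifier.
All names and the history below are constructed.
"""
from collections import defaultdict

# Constructed training history: component -> imports it uses.
TRAIN_IMPORTS = {
    "nsInstallA": {"nsIXPInstall", "nsIFile", "nsIURI"},
    "nsInstallB": {"nsIXPInstall", "nsIZip", "nsIFile"},
    "nsNetA": {"nsIURI", "nsISocket", "nsIChannel"},
    "nsNetB": {"nsISocket", "nsIChannel"},
    "nsLayoutA": {"nsIFrame", "nsIView"},
    "nsLayoutB": {"nsIFrame", "nsIView", "nsIContent"},
    "nsUtilA": {"nsString"},
    "nsUtilB": {"nsString", "nsIFile"},
}
# Training components that had at least one past vulnerability (constructed).
TRAIN_VULNERABLE = {"nsInstallA", "nsInstallB", "nsNetA"}

# Held-out components; the predictor never sees their outcome (constructed).
TEST_IMPORTS = {
    "nsXPInstallManager": {"nsIXPInstall", "nsIZip", "nsIFile"},
    "nsNetC": {"nsISocket", "nsIChannel", "nsIURI"},
    "nsLayoutC": {"nsIFrame", "nsIContent"},
    "nsUtilC": {"nsString", "nsIFile"},
    "nsCacheA": {"nsICache", "nsIFile"},        # nsICache never seen in training
    "nsLayoutD": {"nsIFrame", "nsIView", "nsIDOM"},
    "nsNetD": {"nsISocket", "nsIChannel"},
}
TEST_VULNERABLE = {"nsXPInstallManager", "nsNetC", "nsLayoutD"}


def import_risk(train_imports, train_vulnerable):
    """For each import, the fraction of training components using it that were vulnerable."""
    users = defaultdict(int)
    vulnerable_users = defaultdict(int)
    for component, imports in train_imports.items():
        for imp in imports:
            users[imp] += 1
            if component in train_vulnerable:
                vulnerable_users[imp] += 1
    return {imp: vulnerable_users[imp] / users[imp] for imp in users}


def base_rate(train_imports, train_vulnerable):
    """Overall fraction of vulnerable training components; the fallback for unseen imports."""
    return len(train_vulnerable) / len(train_imports)


def score(imports, risk, prior):
    """Mean risk over a component's imports; an import unseen in training gets the prior."""
    if not imports:  # no imports means no evidence either way
        return prior
    return sum(risk.get(imp, prior) for imp in imports) / len(imports)


def rank(components, risk, prior):
    """Components ordered from most to least likely vulnerable, with their scores."""
    scored = [(name, score(imports, risk, prior)) for name, imports in components.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def predict(components, risk, prior, threshold=0.5):
    """Set of components whose score reaches the threshold."""
    return {name for name, s in rank(components, risk, prior) if s >= threshold}


def precision_recall(predicted, actual):
    """Precision: share of predictions that are right. Recall: share of actual cases found."""
    hits = len(predicted & actual)
    precision = hits / len(predicted) if predicted else 0.0
    recall = hits / len(actual) if actual else 0.0
    return precision, recall


def run_example():
    """Train on the constructed history, rank and predict the held-out components."""
    risk = import_risk(TRAIN_IMPORTS, TRAIN_VULNERABLE)
    prior = base_rate(TRAIN_IMPORTS, TRAIN_VULNERABLE)
    predicted = predict(TEST_IMPORTS, risk, prior)
    precision, recall = precision_recall(predicted, TEST_VULNERABLE)
    return {
        "ranking": rank(TEST_IMPORTS, risk, prior),
        "predicted": predicted,
        "precision": precision,
        "recall": recall,
    }


if __name__ == "__main__":
    result = run_example()
    for name, s in result["ranking"]:
        flag = "VULN" if name in TEST_VULNERABLE else "ok  "
        print(f"{s:.2f}  {flag}  {name}")
    print(f"precision={result['precision']:.2f} recall={result['recall']:.2f}")
```

On the constructed data the predictor flags four components, two of them correctly, and misses nsLayoutD, whose imports never co-occurred with a vulnerability in training: precision 0.50, recall 0.67. The two failure modes are the ones a practitioner should expect from any history-based predictor: a component built from imports with no history at all (nsCacheA, which falls back to the base rate) can be flagged on weak evidence, and a vulnerable component whose imports all look clean is invisible to it. The threshold trades these off; a lower threshold raises recall at the cost of precision.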

Published in

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security
October 2007
628 pages
ISBN: 9781595937032
DOI: 10.1145/1315245

Copyright © 2007 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '07 paper acceptance rate: 55 of 302 submissions (18%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
