Reference: An Empirical Analysis of Vulnerabilities in OpenSSL and the Linux Kernel
Scientific congresses, symposiums and conference proceedings: Paper published in a book
Engineering, computing & technology : Computer science
Security, Reliability and Trust
http://hdl.handle.net/10993/28628
An Empirical Analysis of Vulnerabilities in OpenSSL and the Linux Kernel
English
Jimenez, Matthieu [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Papadakis, Mike [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Le Traon, Yves [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Dec-2016
2016 Asia-Pacific Software Engineering Conference (APSEC)
Yes
No
International
23rd Asia-Pacific Software Engineering Conference
6th-9th December 2016
University of Waikato
Hamilton
New Zealand
[en] Software Security ; Vulnerabilities ; Common Vulnerability Exposures ; Software Metrics
[en] Vulnerabilities are one of the main concerns faced by practitioners when working with security-critical applications. Unfortunately, developers and security teams, even experienced ones, fail to identify many of them, with severe consequences. Vulnerabilities are hard to discover because they appear in various forms, are caused by many different issues, and their identification requires an attacker's mindset. In this paper, we aim to increase the understanding of vulnerabilities by investigating their characteristics in two major open-source software systems, namely the Linux kernel and OpenSSL. In particular, we seek to analyse and build a profile of vulnerable code, which can ultimately help researchers build automated approaches such as vulnerability prediction models. To this end, we examine the location, criticality and category of vulnerable code, along with its relation to software metrics. We collect more than 2,200 vulnerable files accounting for 863 vulnerabilities and compute more than 35 software metrics. Our results indicate that while 9 Common Weakness Enumeration (CWE) types of vulnerabilities are prevalent, only 3 of them are critical in OpenSSL and 2 of them in the Linux kernel. They also indicate that different types of vulnerabilities have different characteristics, i.e., metric profiles, and that vulnerabilities of the same type have different profiles in the two projects we examined. We also found that the file structure of the projects can provide useful information related to the vulnerabilities. Overall, our results demonstrate the need for project-specific approaches that focus on specific types of vulnerabilities.
University of Luxembourg: High Performance Computing - ULHPC

File(s) associated to this reference

Fulltext file(s):

File: EmpiricalAnalysisAPSEC16.pdf
Version: Author preprint
Size: 225.86 kB
Access: Limited access (request a copy)
