Software Security; Vulnerabilities; Common Vulnerability Exposures; Software Metrics
Abstract:
Vulnerabilities are one of the main concerns faced by practitioners when working with security-critical applications. Unfortunately, developers and security teams, even experienced ones, fail to identify many of them, with severe consequences. Vulnerabilities are hard to discover since they appear in various forms, are caused by many different issues, and their identification requires an attacker's mindset. In this paper, we aim to increase the understanding of vulnerabilities by investigating their characteristics in two major open-source software systems, the Linux kernel and OpenSSL. In particular, we seek to analyse and build a profile of vulnerable code, which can ultimately help researchers build automated approaches such as vulnerability prediction models. To this end, we examine the location, criticality and category of vulnerable code, along with its relation to software metrics. We collect more than 2,200 vulnerable files accounting for 863 vulnerabilities and compute more than 35 software metrics. Our results indicate that while 9 Common Weakness Enumeration (CWE) types of vulnerabilities are prevalent, only 3 of them are critical in OpenSSL and 2 of them in the Linux kernel. They also indicate that different types of vulnerabilities have different characteristics, i.e., metric profiles, and that vulnerabilities of the same type have different profiles in the two projects we examined. We also found that the file structure of the projects can provide useful information related to the vulnerabilities. Overall, our results demonstrate the need for project-specific approaches that focus on specific types of vulnerabilities.
Research centre:
ULHPC - University of Luxembourg: High Performance Computing
Disciplines:
Computer science
Author, co-author:
JIMENEZ, Matthieu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
PAPADAKIS, Mike ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
LE TRAON, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors:
no
Document language:
English
Title:
An Empirical Analysis of Vulnerabilities in OpenSSL and the Linux Kernel