More Web Proxy on the site http://driver.im/

extended-abstract

Employing different program analysis methods to study bug evolution

Author:

Charalambos MitropoulosAuthors Info & Claims

ESEC/FSE 2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Pages 1202 - 1204

https://doi.org/10.1145/3338906.3342489

Published: 12 August 2019 Publication History

Abstract

The evolution of software bugs has been a well-studied topic in software engineering. We used three different program analysis tools to examine the different versions of two popular sets of programming tools (gnu Binary and Core utilities), and check if their bugs increase or decrease over time. Each tool is based on a different approach, namely: static analysis, symbolic execution, and fuzzing. In this way we can observe potential differences on the kinds of bugs that each tool detects and examine their effectiveness. To do so, we have performed a qualitative analysis on the results. Overall, our results indicate that we cannot say if bugs either decrease or increase over time and that the tools identify different bug types based on the method they follow.

References

[1]

Andrew Austin and Laurie Williams. 2011. One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques. In Proceedings of the 2011 International Symposium on Empirical Software Engineering and Measurement (ESEM ’11). IEEE Computer Society, Washington, DC, USA, 97–106.

Digital Library

[2]

Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and Automatic Generation of High-CoverageTests for Complex Systems Programs. In 8th USENIX Symposium on Operating Systems Design and Implementation (USENIX-SS’08). USENIX Association, San Diego, CA, USA.

Digital Library

[3]

Brian Chess and Gary McGraw. 2004. Static Analysis for Security. IEEE Security and Privacy 2, 6 (Nov. 2004), 76–79.

Digital Library

[4]

Nigel Edwards and Liqun Chen. 2012. An historical examination of open source releases and their vulnerabilities. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS ’12). ACM, New York, NY, USA, 183–194.

Digital Library

[5]

Patrice Godefroid, Michael Y. Levin, and David Molnar. 2012. SAGE: Whitebox Fuzzing for Security Testing. Queue 10, 1, Article 20 (Jan. 2012), 8 pages.

Digital Library

[6]

Lanyue Lu, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau, Shan Lu. 2013. A Study of Linux File System Evolution. In Proceedings of the 11th Conference on File and Storage Technologies (FAST ’13). San Jose, California.

Digital Library

[7]

Fabio Massacci, Stephan Neuhaus, and Viet Hung Nguyen. 2011. After-life vulnerabilities: a study on firefox evolution, its vulnerabilities, and fixes. In Proceedings of the Third international conference on Engineering secure software and systems (ESSoS’11). Springer-Verlag, Berlin, Heidelberg, 195–208.

Digital Library

[8]

Dimitris Mitropoulos, Vassilios Karakoidas, Panos Louridas, Georgios Gousios, and Diomidis Spinellis. 2013. Dismal Code: Studying the Evolution of Security Bugs. In Proceedings of the Learning from Authoritative Security Experiment Results (LASER) Workshop 2013,. USENIX, 37–48.

[9]

Dimitris Mitropoulos, Panos Louridas, Vitalis Salis, and Diomidis Spinellis. 2019. Time Present and Time Past: Analyzing the Evolution of JavaScript Code in the Wild. In 16th International Conference on Mining Software Repositories: Technical Track (MSR ’19). IEEE.

Digital Library

[10]

Dimitris Mitropoulos and Diomidis Spinellis. 2017. Fatal injection: a survey of modern code injection attack countermeasures. PeerJ Computer Science 3 (Nov. 2017), e136.

[11]

Andy Ozment and Stuart E. Schechter. 2006. Milk or wine: does software security improve with age?. In Proceedings of the 15th conference on USENIX Security Symposium - Volume 15 (USENIX-SS’06). USENIX Association, Berkeley, CA, USA.

Digital Library

[12]

Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster. 2004. A Comparison of Bug Finding Tools for Java. In Proceedings of the 15th International Symposium on Software Reliability Engineering (ISSRE ’04). IEEE Computer Society, Washington, DC, USA, 245–256.

Digital Library

[13]

Muhammad Shahzad, Muhammad Zubair Shafiq, and Alex X. Liu. 2012. A large scale exploratory analysis of software vulnerability life cycles. In Proceedings of the 2012 International Conference on Software Engineering (ICSE 2012). IEEE Press, Piscataway, NJ, USA, 771–781.

Digital Library

[14]

Jaime Spacco, David Hovemeyer, and William Pugh. 2006. Tracking defect warnings across versions. In Proceedings of the 2006 international workshop on Mining software repositories (MSR ’06). ACM, New York, NY, USA, 133–136.

Digital Library

[15]

David A. Wheeler. 2015. Flawfinder. https://dwheeler.com/flawfinder/. {Online; accessed 03-June-2019}.

[16]

Michal Zalewski. 2015. American Fuzzy Lop. http://lcamtuf.coredump.cx/afl/. {Online; accessed 03-June-2019}. Abstract 1 Introduction 2 Methodology 3 Analysis and Results 4 Related Work 5 Conclusions References

Cited By

Martins VT. Ramalho CCordeiro Marques LAlves Pereira JGarcia ALucena CFeijó BL. Furtado A(2023)Analyzing a Semantics-Aware Bug Seeding Tool's Efficacy: A qualitative study with the SemSeed toolProceedings of the XXXVII Brazilian Symposium on Software Engineering10.1145/3613372.3613412(246-256)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1145/3613372.3613412
Harzevili NShin JWang JWang SNagappan N(2023)Automatic Static Vulnerability Detection for Machine Learning Libraries: Are We There Yet?2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE)10.1109/ISSRE59848.2023.00042(795-806)Online publication date: 9-Oct-2023
https://doi.org/10.1109/ISSRE59848.2023.00042
Omar MShiaeles S(2023)VulDetect: A novel technique for detecting software vulnerabilities using Language Models2023 IEEE International Conference on Cyber Security and Resilience (CSR)10.1109/CSR57506.2023.10224924(105-110)Online publication date: 31-Jul-2023
https://doi.org/10.1109/CSR57506.2023.10224924

Index Terms

Employing different program analysis methods to study bug evolution
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Empirical software validation

Recommendations

Bug synthesis: challenging bug-finding tools with deep faults
ESEC/FSE 2018: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

In spite of decades of research in bug detection tools, there is a surprising dearth of ground-truth corpora that can be used to evaluate the efficacy of such tools. Recently, systems such as LAVA and EvilCoder have been proposed to automatically inject ...
How many of all bugs do we find? a study of static bug detectors
ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering

Static bug detectors are becoming increasingly popular and are widely used by professional software developers. While most work on bug detectors focuses on whether they find bugs at all, and on how many false positives they report in addition to ...
Striking a new balance between program instrumentation and debugging time
EuroSys '11: Proceedings of the sixth conference on Computer systems

Although they are helpful in many cases, state-of-the-art bug reporting systems may impose excessive overhead on users, leak private information, or provide little help to the developer in locating the problem. In this paper, we explore a new approach ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEC/FSE 2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

August 2019

1264 pages

ISBN:9781450355728

DOI:10.1145/3338906

General Chairs:
Marlon Dumas
University of Tartu, Estonia
,
Dietmar Pfahl
University of Tartu, Estonia
,
Program Chairs:
Sven Apel
Saarland University, Germany
,
Alessandra Russo
Imperial College, UK

Copyright © 2019 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 August 2019

Check for updates

Author Tags

Qualifiers

Extended-abstract

Conference

ESEC/FSE '19

Sponsor:

SIGSOFT

ESEC/FSE '19: 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

August 26 - 30, 2019

Tallinn, Estonia

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
153
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)2

Reflects downloads up to 13 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Martins VT. Ramalho CCordeiro Marques LAlves Pereira JGarcia ALucena CFeijó BL. Furtado A(2023)Analyzing a Semantics-Aware Bug Seeding Tool's Efficacy: A qualitative study with the SemSeed toolProceedings of the XXXVII Brazilian Symposium on Software Engineering10.1145/3613372.3613412(246-256)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1145/3613372.3613412
Harzevili NShin JWang JWang SNagappan N(2023)Automatic Static Vulnerability Detection for Machine Learning Libraries: Are We There Yet?2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE)10.1109/ISSRE59848.2023.00042(795-806)Online publication date: 9-Oct-2023
https://doi.org/10.1109/ISSRE59848.2023.00042
Omar MShiaeles S(2023)VulDetect: A novel technique for detecting software vulnerabilities using Language Models2023 IEEE International Conference on Cyber Security and Resilience (CSR)10.1109/CSR57506.2023.10224924(105-110)Online publication date: 31-Jul-2023
https://doi.org/10.1109/CSR57506.2023.10224924

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents