More Web Proxy on the site http://driver.im/

Article

Predicting vulnerable software components

Authors:

Stephan Neuhaus,

Thomas Zimmermann,

Christian Holler,

Andreas ZellerAuthors Info & Claims

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security

Pages 529 - 540

https://doi.org/10.1145/1315245.1315311

Published: 28 October 2007 Publication History

Abstract

Where do most vulnerabilities occur in software? Our Vulture tool automatically mines existing vulnerability databases and version archives to map past vulnerabilities to components. The resulting ranking of the most vulnerable components is a perfect base for further investigations on what makes components vulnerable.

In an investigation of the Mozilla vulnerability history, we surprisingly found that components that had a single vulnerability in the past were generally not likely to have further vulnerabilities. However, components that had similar imports or function calls were likely to be vulnerable.

Based on this observation, we were able to extend Vulture by a simple predictor that correctly predicts about half of all vulnerable components, and about two thirds of all predictions are correct. This allows developers and project managers to focus their their efforts where it is needed most: "We should look at nsXPInstallManager because it is likely to contain yet unknown vulnerabilities.".

References

[1]

Rakesh Agrawal and Ramakrishnan Srikant. Fast algorithms for mining association rules. In Jorge B. Bocca, Matthias Jarke, and Carlo Zaniolo, editors, Proc. 20th Int'l Conf. on Very Large Data Bases, VLDB, pages 487--499. Morgan Kaufmann, September 1994.

Digital Library

[2]

Omar Alhazmi, Yashwant Malaiya, and Indrajit Ray. Security Vulnerabilities in Software Systems: A Quantitative Perspective, volume 3645/2005 of Lecture Notes in Computer Science, pages 281--294. Springer Verlag, Berlin, Heidelberg, August 2005.

Digital Library

[3]

Hao Chen, Drew Dean, and David Wagner. Model checking one million lines of C code. In Proc. 11th Annual Network and Distributed System Security Symposium (NDSS), pages 171--185, February 2004.

[4]

Hao Chen and David Wagner. MOPS: An infrastructure for examining security properties of software. In Proc. 9th ACM Conf. on Computer and Communications Security (CCS), pages 235--244, November 2002.

Digital Library

[5]

Crispin Cowan. Apparmor linux application security. http://www.novell.com/linux/security/apparmor/, January 2007.

[6]

Crispin Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. 7th USENIX Security Conf., pages 63--78, San Antonio, Texas, January 1998.

Digital Library

[7]

Davor Cubranic, Gail C. Murphy, Janice Singer, and Kellogg S. Booth. Hipikat: A project memory for software development. IEEE Transactions on Software Engineering, 31(6):446--465, June 2005.

Digital Library

[8]

Dan DaCosta, Christopher Dahn, Spiros Mancoridis, and Vassilis Prevelakis. Characterizing the security vulnerability likelihood of software functions. In IEEE Proc. 2003 Int'l Conf. on Software Maintenance (ICSM'03), September 2003.

Digital Library

[9]

Evgenia Dimitriadou, Kurt Hornik, Friedrich Leisch, David Meyer, and Andreas Weingessel. e1071: Misc Functions Department of Statistics (e1071), TU Wien, 2006. R package version 1.5-13.

[10]

Michael Fischer, Martin Pinzger, and Harald Gall. Populating a release history database from version control and bug tracking systems. In Proc. Int'l Conf. on Software Maintenance (ICSM'03), Amsterdam, Netherlands, September 2003. IEEE.

Digital Library

[11]

Pascal Fradet, Ronan Caugne, and Daniel Le Métayer. Static detection of pointer errors: An axiomatisation and a checking algorithm. In European Symposium on Programming, pages 125--140, 1996.

Digital Library

[12]

Vinod Ganapathy, Somesh Jha, David Chandler, David Melski, and David Vitek. Buffer overrun detection using linear programming and static analysis. In 10th ACM Conf. on Computer and Communications Security (CCS), October 2003.

Digital Library

[13]

Trevor Hastie, Robert Tibshirani, and Jerome Friedman. The Elements of Statistical Learning: Data Mining, Inference, and Prediction. Springer Series in Statistics. Springer Verlag, 2001.

[14]

Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In IEEE Symposium on Security and Privacy. May 2006.

Digital Library

[15]

Roger Koenker and Pin Ng. SparseM: Sparse Linear Algebra. R package version 0.73.

[16]

David Larochelle and David Evans. Statically detecting likely buffer overflow vulnerabilities. In 10th USENIX Security Symposium, pages 177--190, August 2001.

Digital Library

[17]

Zhenmin Li, Lin Tan, Xuanhui Wang, Shan Lu, Yuanyuan Zhou, and Chengxiang Zhai. Have things changed now? An empirical study of bug characteristics in modern open source software. In Proc. Workshop on Architectural and System Support for Improving Software Dependability 2006, pages 25--33. ACM Press, October 2006.

Digital Library

[18]

Heikki Mannila, Hannu Toivonen, and A. Inkeri Verkamo. Efficient algorithms for discovering association rules. In Knowledge Discovery in Databases: Papers from the 1994 AAAI Workshop, pages 181--192, 1994.

[19]

Barton P. Miller, Lars Fredriksen, and Bryan So. An empirical study reliability of UNIX utilities. Communications, 33(12):32--44, 1990.

Digital Library

[20]

K. W. Miller, L. J. Morell, R. E. Noonan, S. K. Park, D. M. Nicol, B. W. Murrill, and M. Voas. Estimating the probability of failure when testing reveals no failures. IEEE Transactions on Software Engineering, 18(1):33--43, January 1992.

Digital Library

[21]

Nachiappan Nagappan, Thomas Ball, and Andreas Zeller. Mining metrics to predict component failures. In Proc. 29th Int'l Conf. on Software Engineering. ACM Press, November 2005.

Digital Library

[22]

National Security Agency. Security-enhanced linux. http://www.nsa.gov/selinux/, January 2007.

[23]

Andy Ozment and Stuart E. Schechter. Milk or wine: Does software security improve with age? In Proc. 15th Usenix Security Symposium, pages 93--104, August 2006.

Digital Library

[24]

R Development Core Team. R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria, 2006. ISBN 3-900051-07-0.

[25]

Eric Rescorla. Is finding security holes a good idea? IEEE Security and Privacy, 3(1):14--19, 2005.

Digital Library

[26]

Radu Rugina and Martin Rinard. Symbolic bounds analysis of pointers, array indices, and accessed memory regions. In Proc. ACM SIGPLAN '00 conference on Programming language design and implementation, pages 182--195. ACM Press, 2000.

Digital Library

[27]

Bruce Schneier. Do we really need a security industry? Wired, May 2007. http://www.wired.com/politics/security/commentary/securitymatters/2007/%05/securitymatters_0503.

[28]

Berhard Scholz, Johann Blieberger, and Thomas Fahringer. Symbolic pointer analysis for detecting memory leaks. In Proc. 2000 ACM SIGPLAN workshop on Partial evaluation and semantics-based program manipulation, pages 104--113. ACM Press, 1999.

Digital Library

[29]

Adrian Schröter, Thomas Zimmermann, and Andreas Zeller. Predicting component failures at design time. In Proc. 5th Int'l Symposium on Empirical Software Engineering, pages 18--27, New York, NY, USA, September 2006.

Digital Library

[30]

Jacek Śliwerski, Thomas Zimmermann, and Andreas Zeller. When do changes induce fixes? In Proc. Second Int'l Workshop on Mining Software Repositories, pages 24--28, May 2005.

Digital Library

[31]

Gregor Snelting, Torsten Robschink, and Jens Krinke. Efficient path conditions in dependence graphs for software safety analysis. In Proc. 24th Int'l Conf. on Software Engineering, New York, NY, USA, May 2002. ACM Press.

Digital Library

[32]

The Mozilla Foundation. Bugzilla. http://www.bugzilla.org, January 2007.

[33]

The Mozilla Foundation. Mozilla foundation security advisories. http://www.mozilla.org/projects/security/known-vulnerabilities.html, January 2007.

[34]

The Mozilla Foundation. Mozilla project website. http://www.mozilla.org/, January 2007.

[35]

Chris Tofts and Brian Monahan. Towards an analytic model of security flaws. Technical Report 2004-224, HP Trusted Systems Laboratory, Bristol, UK, December 2004.

[36]

Vladimir Naumovich Vapnik. The Nature of Statistical Learning Theory. Springer Verlag, Berlin, 1995.

Digital Library

[37]

John Viega, J. T. Bloch, Tadayoshi Kohno, and Gary McGraw. Token-based scanning of source code for security problems. ACM Transaction on Information and System Security, 5(3):238--261, 2002.

Digital Library

[38]

Jeffrey Voas and Gary McGraw. Software Fault Injection: Innoculating Programs Against Errors. John Wiley & Sons, 1997.

Digital Library

[39]

Jian Yin, Chunqiang Tang, Xiaolan Zhang, and Michael McIntosh. On estimating the security risks of composite software services. In Proc. PASSWORD Workshop, June 2006.

Cited By

Nguyen HHoang TDam HGhose A(2025)Graph-based explainable vulnerability predictionInformation and Software Technology10.1016/j.infsof.2024.107566177:COnline publication date: 1-Jan-2025
https://dl.acm.org/doi/10.1016/j.infsof.2024.107566
Du XZhou YDu H(2025)DMVL4AVD: a deep multi-view learning model for automated vulnerability detectionNeural Computing and Applications10.1007/s00521-024-10892-xOnline publication date: 6-Jan-2025
https://doi.org/10.1007/s00521-024-10892-x
Chughtai MBibi IKarim SShah SLaghari AKhan A(2024)Deep learning trends and future perspectives of web security and vulnerabilitiesJournal of High Speed Networks10.3233/JHS-23003730:1(115-146)Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.3233/JHS-230037
Show More Cited By

Index Terms

Predicting vulnerable software components

Recommendations

Predicting vulnerable software components with dependency graphs
MetriSec '10: Proceedings of the 6th International Workshop on Security Measurements and Metrics

Security metrics and vulnerability prediction for software have gained a lot of interests from the community. Many software security metrics have been proposed e.g., complexity metrics, cohesion and coupling metrics. In this paper, we propose a novel ...
Predicting Severity of Software Vulnerability Based on Grey System Theory
Proceedings of the ICA3PP International Workshops and Symposiums on Algorithms and Architectures for Parallel Processing - Volume 9532

Vulnerabilities usually represents the risk level of software, therefore, it is of high value to predict vulnerabilities so as to evaluate the security level of software. Current researches mainly focus on predicting the number of vulnerabilities or the ...
To Fear or Not to Fear That is the Question: Code Characteristics of a Vulnerable Functionwith an Existing Exploit
CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

Not all vulnerabilities are equal. Some recent studies have shown that only a small fraction of vulnerabilities that have been reported has actually been exploited. Since finding and addressing potential vulnerabilities in a program can take ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security

October 2007

628 pages

ISBN:9781595937032

DOI:10.1145/1315245

General Chair:
Peng Ning
NC State University, USA
,
Program Chairs:
Sabrina De Capitani di Vimercati
University of Milan, Italy
,
Paul Syverson
Naval Research Laboratory, USA

Copyright © 2007 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 October 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS07

Sponsor:

CCS07: 14th ACM Conference on Computer and Communications Security 2007

November 2 - October 31, 2007

Virginia, Alexandria, USA

Acceptance Rates

CCS '07 Paper Acceptance Rate 55 of 302 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

275
Total Citations
View Citations
2,199
Total Downloads

Downloads (Last 12 months)86
Downloads (Last 6 weeks)10

Reflects downloads up to 13 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Nguyen HHoang TDam HGhose A(2025)Graph-based explainable vulnerability predictionInformation and Software Technology10.1016/j.infsof.2024.107566177:COnline publication date: 1-Jan-2025
https://dl.acm.org/doi/10.1016/j.infsof.2024.107566
Du XZhou YDu H(2025)DMVL4AVD: a deep multi-view learning model for automated vulnerability detectionNeural Computing and Applications10.1007/s00521-024-10892-xOnline publication date: 6-Jan-2025
https://doi.org/10.1007/s00521-024-10892-x
Chughtai MBibi IKarim SShah SLaghari AKhan A(2024)Deep learning trends and future perspectives of web security and vulnerabilitiesJournal of High Speed Networks10.3233/JHS-23003730:1(115-146)Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.3233/JHS-230037
Bagheri AHegedűs P(2024)Towards a Block-Level ML-Based Python Vulnerability Detection ToolActa Cybernetica10.14232/actacyb.29966726:3(323-371)Online publication date: 22-Jul-2024
https://doi.org/10.14232/actacyb.299667
Le TBabar M(2024)Automatic Data Labeling for Software Vulnerability Prediction Models: How Far Are We?Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement10.1145/3674805.3686675(131-142)Online publication date: 24-Oct-2024
https://dl.acm.org/doi/10.1145/3674805.3686675
Jiang ZSun WGu XWu JWen THu HYan M(2024)DFEPT: Data Flow Embedding for Enhancing Pre-Trained Model Based Vulnerability DetectionProceedings of the 15th Asia-Pacific Symposium on Internetware10.1145/3671016.3671388(95-104)Online publication date: 24-Jul-2024
https://dl.acm.org/doi/10.1145/3671016.3671388
Nguyen VLe TTantithamthavorn CGrundy JPhung D(2024)Deep Domain Adaptation With Max-Margin Principle for Cross-Project Imbalanced Software Vulnerability DetectionACM Transactions on Software Engineering and Methodology10.1145/366460233:6(1-34)Online publication date: 27-Jun-2024
https://dl.acm.org/doi/10.1145/3664602
Qiu FLiu ZHu XXia XChen GWang X(2024)Vulnerability Detection via Multiple-Graph-Based Code RepresentationIEEE Transactions on Software Engineering10.1109/TSE.2024.342781550:8(2178-2199)Online publication date: Aug-2024
https://doi.org/10.1109/TSE.2024.3427815
Wen XGao CLuo FWang HLi GLiao Q(2024)LIVABLE: Exploring Long-Tailed Classification of Software Vulnerability TypesIEEE Transactions on Software Engineering10.1109/TSE.2024.338236150:6(1325-1339)Online publication date: Jun-2024
https://doi.org/10.1109/TSE.2024.3382361
Wen XGao CYe JLi YTian ZJia YWang X(2024)Meta-Path Based Attentional Graph Learning Model for Vulnerability DetectionIEEE Transactions on Software Engineering10.1109/TSE.2023.334026750:3(360-375)Online publication date: Mar-2024
https://doi.org/10.1109/TSE.2023.3340267
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents