Mining Software Archives
Software Engineering Chair (Prof. Zeller)
Saarland University – Computer Science
Campus E1 1
66123 Saarbrücken, Germany
E-mail: zeller @ cs.uni-saarland.de
Phone: +49 681 302-70970
The Software Evolution project at the Software Engineering Chair, Saarland University, analyzes version and bug databases to predict failure-prone modules, related changes, and future development activities.
Tell me what you import, and I'll tell you how vulnerable you are.We observed that the domain—as expressed by the other components that are interacted with—characterizes a component's vulnerability. In case of Mozilla, for instance, we found that of the 14 components importing nsNodeUtils.h, 13 components (93%) had to be patched because of security leaks. The situation is even worse for those 15 components that import nsIContent.h, nsIInterfaceRequestorUtils.h and nsContentUtils.h together, because they all had vulnerabilities. In other words: "Tell me what you import, and I'll tell you how vulnerable you are."
Our technique allows us to map related source files (called components) to vulnerabilities. When we do that, we get a map that tells us how vulnerable components have been in the past. (Click the map for a larger version; the map is also available in PDF.)
In this map, components with no known vulnerabilities appear in white, and components with vulnerabilities appear in shades of red: the redder a component, the more vulnerabilities it has had in the past.
Additionally, this allows us to create a predictor that assesses new components as they are added to the Mozilla source code. In an evaluation, we found that we can correctly identify about half of the vulnerable components and that about 70% of our predictions are correct, for a false positive rate of about 30%. This compares very well to other approaches.
In January, we created a list of 10 components that our method flagged as most likely to be vulnerable. In the meantime, 5 of those components needed to be fixed because of vulnerabilities; see the following table. This shows that we can actually predict unknown vulnerabilities.
Would a new Mozilla component importing nsNodeUtils.h be prone to vulnerabilities as well? Read more...
Interested in the raw data that was used for the statistical analysis? Just drop me a note.
Keep me posted
People<email@example.com> · http://www.st.cs.uni-saarland.de/softevo/vulnerabilities.php · Updated: 2010-01-28 15:24