Predicting Vulnerable Software Components - CCS 2007
by Stephan Neuhaus, Thomas Zimmermann, Christian Holler, Andreas Zeller

Proceedings of the 14th ACM Conference on Computer and Communications Security, October 2007.

See also

More information is available at http://www.st.cs.uni-saarland.de/softevo/.

Abstract

We introduce Vulture, a new approach and tool to predict vulnerable components in large software systems. Vulture relates a software project's version archive to its vulnerability database to find those components that had vulnerabilities in the past. It then analyzes the import structure of software components and uses a support vector machine to learn and predict which imports are most important for a component to be vulnerable. We evaluated Vulture on the C++ codebase of Mozilla and found that Vulture correctly identifies about two thirds of all vulnerable components. This allows developers and project managers to focus their testing and inspection efforts: "We should look at nsXPInstallManager more closely, because it is likely to contain yet unknown vulnerabilities."

BibTeX Entry

@inproceedings{neuhaus-ccs-2007,
    title = "Predicting Vulnerable Software Components",
    author = "Stephan Neuhaus and Thomas Zimmermann and Christian Holler and Andreas Zeller",
    year = "2007",
    month = oct,
    booktitle = "Proceedings of the 14th ACM Conference on Computer and Communications Security",
    location = "Alexandria, VA, USA",
}

Show all publications of the Software Engineering Chair.