Predicting Vulnerable Software Components
- Technical Report
by
Stephan Neuhaus, Thomas Zimmermann, Andreas Zeller
Universität des Saarlandes, Saarbrücken, Germany, February 2007. Accepted at ACM CCS 2007. Please cite the conference paper.
See also
More information is available at http://www.st.cs.uni-saarland.de/publications/details/neuhaus-ccs-2007/.
Abstract
We introduce Vulture, a new approach and tool to predict vulnerable components in large software systems. Vulture relates a software project's version archive to its vulnerability database to find those components that had vulnerabilities in the past. It then analyzes the import structure of software components and uses a support vector machine to learn and predict which imports are most important for a component to be vulnerable. We evaluated Vulture on the C++ codebase of Mozilla and found that Vulture correctly identifies about two thirds of all vulnerable components. This allows developers and project managers to focus their testing and inspection efforts: "We should look at nsXPInstallManager more closely, because it is likely to contain yet unknown vulnerabilities."
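The three-step pipeline the abstract sketches (join the version archive to the vulnerability database, build import features per component, train a support vector machine on them), as an added illustration that is not Vulture's own code. Everything in it is constructed for the example: the commit messages and touched files, the set of security bug ids, the component names and their include lists, the assumption that a commit fixes a bug it names by id, and the file-to-component mapping. The SVM is a small Pegasos-style stochastic subgradient linear SVM written inline so the example runs without any library; it stands in for whatever SVM implementation the paper used.

```python
"""Toy re-creation of the pipeline described in the abstract, on constructed data.
Added illustration; not the authors' tool and not their data."""
import re

# Constructed version archive: commit messages and the files each commit touched.
COMMITS = [
    {"msg": "Bug 1001: fix XPInstall manager privilege check",
     "files": ["xpinstall/src/nsXPInstallManager.cpp"]},
    {"msg": "Bug 1002: validate install trigger origin",
     "files": ["xpinstall/src/nsInstallTrigger.cpp", "xpinstall/src/nsInstallTrigger.h"]},
    {"msg": "Bug 1003: bounds check in update parser",
     "files": ["xpinstall/src/nsSoftwareUpdate.cpp"]},
    {"msg": "Bug 2001: typo in string bundle error message",
     "files": ["intl/strres/nsStringBundle.cpp"]},
    {"msg": "Fix build on Solaris",
     "files": ["xpcom/ds/nsArrayUtils.cpp"]},
]
# Constructed vulnerability database: bug ids that security advisories refer to.
SECURITY_BUGS = {1001, 1002, 1003}

# Constructed import structure: component -> headers it #includes.
IMPORTS = {
    "nsXPInstallManager": ["nsIXPInstallManager.h", "nsIScriptSecurityManager.h",
                           "nsCOMPtr.h", "nsString.h"],
    "nsInstallTrigger":   ["nsIScriptSecurityManager.h", "nsCOMPtr.h"],
    "nsSoftwareUpdate":   ["nsIXPInstallManager.h", "nsString.h"],
    "nsStringBundle":     ["nsString.h", "nsCOMPtr.h"],
    "nsArrayUtils":       ["nsCOMPtr.h"],
    "nsDateTimeFormat":   ["nsString.h"],
}

# Assumption: commit messages refer to bugs as "Bug <id>".
BUG_ID = re.compile(r"\bBug\s+(\d+)", re.IGNORECASE)


def component_of(path):
    """Assumption of this toy: a component is the file basename without extension,
    so nsFoo.cpp and nsFoo.h belong to the same component nsFoo."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def vulnerable_components(commits, security_bugs):
    """Step 1: join archive and vulnerability database. A component counts as
    vulnerable if a commit naming a security bug touched one of its files."""
    vulnerable = set()
    for commit in commits:
        ids = {int(m) for m in BUG_ID.findall(commit["msg"])}
        if ids & security_bugs:
            vulnerable.update(component_of(f) for f in commit["files"])
    return vulnerable


def import_matrix(imports):
    """Step 2: one binary feature per distinct import, one row per component."""
    vocab = sorted({h for hs in imports.values() for h in hs})
    names = sorted(imports)
    rows = [[1.0 if h in imports[n] else 0.0 for h in vocab] for n in names]
    return names, vocab, rows


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train_linear_svm(rows, labels, lam=0.1, epochs=200):
    """Step 3: linear SVM via the Pegasos stochastic subgradient method
    (cyclic pass order, no bias term). Labels are +1 (vulnerable) / -1."""
    w = [0.0] * len(rows[0])
    t = 0
    for _ in range(epochs):
        for x, y in zip(rows, labels):
            t += 1
            eta = 1.0 / (lam * t)
            violates = y * dot(w, x) < 1.0        # inside the margin: hinge loss active
            w = [(1.0 - eta * lam) * wj for wj in w]  # L2 shrinkage step
            if violates:
                w = [wj + eta * y * xj for wj, xj in zip(w, x)]
    return w


def predict(w, vocab, imports_of_component):
    """Classify a component (possibly one never seen) from its import list."""
    x = [1.0 if h in imports_of_component else 0.0 for h in vocab]
    return 1 if dot(w, x) > 0 else -1


def top_imports(w, vocab, k):
    """Imports with the largest positive weight: the ones most associated with
    a component having been vulnerable."""
    return [h for _, h in sorted(zip(w, vocab), reverse=True)[:k]]


def run():
    vuln = vulnerable_components(COMMITS, SECURITY_BUGS)
    names, vocab, rows = import_matrix(IMPORTS)
    labels = [1 if n in vuln else -1 for n in names]
    return vuln, vocab, train_linear_svm(rows, labels)


if __name__ == "__main__":
    vuln, vocab, w = run()
    print("vulnerable in the past:", sorted(vuln))
    print("most telling imports:", top_imports(w, vocab, 2))
    print("unseen component importing nsIScriptSecurityManager.h ->",
          predict(w, vocab, ["nsIScriptSecurityManager.h", "nsString.h"]))
```

The caveat a practitioner should keep in mind is that the labels come entirely from the join in step 1: a security fix whose commit message does not name the bug, or a bug the advisories never referenced, leaves its component labelled as not vulnerable, and the SVM then learns from that mislabelled row. How the archive and the database are linked therefore bounds the quality of every prediction downstream.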
BibTeX Entry
@techreport{neuhaus-tr-2007,
  title       = "Predicting Vulnerable Software Components",
  author      = "Stephan Neuhaus and Thomas Zimmermann and Andreas Zeller",
  year        = "2007",
  month       = feb,
  institution = "Universität des Saarlandes, Saarbrücken, Germany",
}