The Challenges of Labeling Vulnerability-Contributing Commits

Cited by: 6
Authors
Hogan, Kevin [1]
Warford, Noel [1]
Morrison, Robert [1]
Miller, David [1]
Malone, Sean [1]
Purtilo, James [1]
Affiliations
[1] Univ Maryland, Dept Comp Sci, College Pk, MD 20742 USA
Source
2019 IEEE 30TH INTERNATIONAL SYMPOSIUM ON SOFTWARE RELIABILITY ENGINEERING WORKSHOPS (ISSREW 2019) | 2019
Keywords
vulnerability-contributing commit; fix commit; CVE
DOI
10.1109/ISSREW.2019.00083
CLC classification
TP31 [Computer software]
Subject classification
081202; 0835
Abstract
Software projects developed using version control are enhanced incrementally through commits, some of which inevitably introduce security vulnerabilities. The features of these vulnerability-contributing commits (VCCs) could be used to train a VCC detector or to inform software development best practices. Previous work has attempted to label VCCs in open-source software projects for this purpose. We present a manual approach to VCC labeling using the fix commits listed in Common Vulnerabilities and Exposures (CVEs). We show that a published automated method of VCC labeling disagrees with our manual method on 42% of VCCs. We argue that the automated method, while effective in scaling VCC labeling, is therefore not sufficiently accurate. Finally, we discuss the benefits and drawbacks of trying to predict vulnerable software components rather than VCCs.
Pages: 270 / 275
Page count: 6