Estimating Software Vulnerabilities: A Case Study Based on the Misclassification of Bugs in MySQL Server

2013 International Conference on Availability, Reliability and Security Pub Date : 2013-09-02 DOI:10.1109/ARES.2013.14

Jason L. Wright, Jason W. Larsen, M. McQueen

{"title":"Estimating Software Vulnerabilities: A Case Study Based on the Misclassification of Bugs in MySQL Server","authors":"Jason L. Wright, Jason W. Larsen, M. McQueen","doi":"10.1109/ARES.2013.14","DOIUrl":null,"url":null,"abstract":"Software vulnerabilities are an important part of the modern software economy. Being able to accurately classify software defects as a vulnerability, or not, allows developers and end users to expend appropriately more effort on fixing those defects which have security implications. However, we demonstrate in this paper that the expected number of misclassified bugs (those not marked as also being vulnerabilities) may be quite high and thus human efforts to classify bug reports as vulnerabilities appears to be quite ineffective. We conducted an experiment using the MySQL bug report database to estimate the number of misclassified bugs yet to be identified as vulnerabilities. The MySQL database server versions we evaluated currently have 76 publicly reported vulnerabilities. Yet our experimental results show, with 95% confidence, that the MySQL bug database has between 499 and 587 misclassified bugs for the same software. This is an estimated increase of vulnerabilities between657% and 772% over the number currently identified and publicly reported in the National Vulnerability Database and the Open Source Vulnerability Database.","PeriodicalId":302747,"journal":{"name":"2013 International Conference on Availability, Reliability and Security","volume":"14 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2013.14","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

Software vulnerabilities are an important part of the modern software economy. Being able to accurately classify software defects as a vulnerability, or not, allows developers and end users to expend appropriately more effort on fixing those defects which have security implications. However, we demonstrate in this paper that the expected number of misclassified bugs (those not marked as also being vulnerabilities) may be quite high and thus human efforts to classify bug reports as vulnerabilities appears to be quite ineffective. We conducted an experiment using the MySQL bug report database to estimate the number of misclassified bugs yet to be identified as vulnerabilities. The MySQL database server versions we evaluated currently have 76 publicly reported vulnerabilities. Yet our experimental results show, with 95% confidence, that the MySQL bug database has between 499 and 587 misclassified bugs for the same software. This is an estimated increase of vulnerabilities between657% and 772% over the number currently identified and publicly reported in the National Vulnerability Database and the Open Source Vulnerability Database.

查看原文本刊更多论文

软件漏洞评估:基于MySQL服务器错误分类的案例研究

软件漏洞是现代软件经济的重要组成部分。能够准确地将软件缺陷分类为漏洞，或者不是，允许开发人员和最终用户花费更多的精力来修复那些具有安全含义的缺陷。然而，我们在本文中证明，错误分类的bug(那些没有标记为漏洞的bug)的预期数量可能相当高，因此人类将bug报告分类为漏洞的努力似乎是相当无效的。我们使用MySQL bug报告数据库进行了一项实验，以估计尚未被识别为漏洞的错误分类bug的数量。我们评估的MySQL数据库服务器版本目前有76个公开报告的漏洞。然而，我们的实验结果显示，95%的置信度，MySQL错误数据库有499到587之间的错误分类的同一软件。与目前在国家漏洞数据库和开源漏洞数据库中识别和公开报告的数量相比，这一漏洞估计增加了657%至772%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 International Conference on Availability, Reliability and Security

自引率

0.00%

发文量