An Exploratory Study on Regression Vulnerabilities

Proceedings of the 16th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement Pub Date : 2022-07-05 DOI:10.1145/3544902.3546250

Larissa Braz, Enrico Fregnan, Vivek Arora, Alberto Bacchelli

{"title":"An Exploratory Study on Regression Vulnerabilities","authors":"Larissa Braz, Enrico Fregnan, Vivek Arora, Alberto Bacchelli","doi":"10.1145/3544902.3546250","DOIUrl":null,"url":null,"abstract":"Background: Security regressions are vulnerabilities introduced in a previously unaffected software system. They often happen as a result of code changes (e.g., a bug fix) and can have severe effects. Aims: We aim to increase the understanding of security regressions. Method: To this aim, we perform an exploratory, mixed-method case study of Mozilla. First, we analyze 78 regression vulnerabilities and 72 bug reports where a bug fix introduced a regression vulnerability at Mozilla. We investigate how developers interact in these bug reports, how they perform the changes, and under what conditions they introduce these regressions. Second, we conduct five semi-structured interviews with as many Mozilla developers involved in the vulnerability-inducing fixes. Results: Security is not discussed during bug fixes. Developers’ main concerns are the complexity of the bug at hand and the community pressure to fix it. Developers do not to worry about regression vulnerabilities and assume tools will detect them. Indeed, dynamic analysis tools helped finding around 30% of these regressions. Conclusions: Although tool support helps identify regression vulnerabilities, it may not be enough to ensure security during bug fixes. Furthermore, our results call for further work on the security tooling support and their integration during bug fixes. Preprint: https://arxiv.org/abs/2207.01942 Data and materials: https://doi.org/10.5281/zenodo.6792317","PeriodicalId":220679,"journal":{"name":"Proceedings of the 16th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement","volume":"26 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3544902.3546250","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Background: Security regressions are vulnerabilities introduced in a previously unaffected software system. They often happen as a result of code changes (e.g., a bug fix) and can have severe effects. Aims: We aim to increase the understanding of security regressions. Method: To this aim, we perform an exploratory, mixed-method case study of Mozilla. First, we analyze 78 regression vulnerabilities and 72 bug reports where a bug fix introduced a regression vulnerability at Mozilla. We investigate how developers interact in these bug reports, how they perform the changes, and under what conditions they introduce these regressions. Second, we conduct five semi-structured interviews with as many Mozilla developers involved in the vulnerability-inducing fixes. Results: Security is not discussed during bug fixes. Developers’ main concerns are the complexity of the bug at hand and the community pressure to fix it. Developers do not to worry about regression vulnerabilities and assume tools will detect them. Indeed, dynamic analysis tools helped finding around 30% of these regressions. Conclusions: Although tool support helps identify regression vulnerabilities, it may not be enough to ensure security during bug fixes. Furthermore, our results call for further work on the security tooling support and their integration during bug fixes. Preprint: https://arxiv.org/abs/2207.01942 Data and materials: https://doi.org/10.5281/zenodo.6792317

查看原文本刊更多论文

回归漏洞的探索性研究

背景:安全回归是在以前未受影响的软件系统中引入的漏洞。它们通常是代码更改(例如，bug修复)的结果，并且可能产生严重的影响。目标:我们的目标是增加对安全回归的理解。方法:为此，我们对Mozilla进行了一个探索性的、混合方法的案例研究。首先，我们分析了78个回归漏洞和72个错误报告，其中一个错误修复引入了Mozilla的回归漏洞。我们调查开发人员如何在这些bug报告中进行交互，他们如何执行更改，以及在什么条件下引入这些回归。其次，我们进行了五次半结构化访谈，采访了尽可能多的参与漏洞修复的Mozilla开发人员。结果:在bug修复期间不讨论安全性。开发人员主要担心的是当前bug的复杂性以及社区要求修复它的压力。开发人员不必担心回归漏洞，并假设工具会检测到它们。事实上，动态分析工具帮助发现了大约30%的回归。结论:尽管工具支持有助于识别回归漏洞，但它可能不足以确保错误修复期间的安全性。此外，我们的结果要求在错误修复期间对安全工具支持及其集成进行进一步的工作。预印本:https://arxiv.org/abs/2207.01942数据资料:https://doi.org/10.5281/zenodo.6792317

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 16th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement

自引率

0.00%

发文量