Software Metrics and Security Vulnerabilities: Dataset and Exploratory Study

Henrique Alves, B. Neto, Nuno Antunes
2016 12th European Dependable Computing Conference (EDCC), September 2016
DOI: 10.1109/EDCC.2016.34 (https://doi.org/10.1109/EDCC.2016.34)

Abstract
Code with certain characteristics is more prone to security vulnerabilities. In fact, studies show that code not following best practices is harder to verify and maintain, and is consequently more likely to have vulnerabilities left unnoticed or inadvertently introduced. In this experience report, we study whether software metrics can reflect such characteristics and thus show some correlation with the existence of vulnerabilities. The analysis is based on 2875 security patches, used to build a dataset with metrics and vulnerabilities for all the functions, classes and files of 5750 versions of five widely used projects that are exposed to attacks: Linux Kernel, Mozilla, Xen Hypervisor, httpd and glibc. We calculated software metrics from their sources and applied correlation algorithms and statistical tests to these metrics in order to identify relations between them and the existing vulnerabilities. Results show that software metrics are able to discriminate between vulnerable and non-vulnerable functions, but it is not possible to find strong correlations between these metrics and the number of vulnerabilities existing in the analyzed functions. Finally, the results indicate that vulnerable functions are likely to have other vulnerabilities in the future.