A framework for a systematic survey of known software defects

S. Sargsyan, Movses Tovmasyan, J. Hakobyan, H. Aslanyan, S. Kurmangaleev

2021 Ivannikov Memorial Workshop (IVMEM), September 2021. DOI: 10.1109/ivmem53963.2021.00019 (https://doi.org/10.1109/ivmem53963.2021.00019)

Abstract
It is common practice to use third-party software in projects, which can lead to security problems. There are numerous cases in which a known vulnerability was fixed in the upstream repository of a project but still exists in other projects that copied the code. We present a framework for the systematic analysis and detection of publicly known vulnerabilities in a large codebase. In the first stage, a vast codebase of open-source projects and a set of known vulnerabilities are collected. In the second stage, for each known vulnerability, we try to find the corresponding source repository and extract the fixing patch. Based on the extracted patches we construct possible vulnerable code fragments and try to find all their clones in the collected codebase. During the experimental setup, we collected more than 42k open-source packages from the Debian OS distribution. Analysis of these packages allowed us to detect more than four hundred copies of unfixed vulnerabilities, seven of which have already been confirmed and fixed by the vendors.