Do #ifdefs influence the occurrence of vulnerabilities? An empirical study of the Linux kernel

G. Ferreira, M. Malik, Christian Kästner, J. Pfeffer, S. Apel
Published in: Proceedings of the 20th International Systems and Software Product Line Conference, 2016-05-23
DOI: 10.1145/2934466.2934467 (https://doi.org/10.1145/2934466.2934467)
Citations: 27

Abstract

Preprocessors support the diversification of software products with #ifdefs, but also require additional effort from developers to maintain and understand variable code. We conjecture that #ifdefs cause developers to produce more vulnerable code because they are required to reason about multiple features simultaneously and maintain complex mental models of dependencies of configurable code. We extracted a variational call graph across all configurations of the Linux kernel, and used configuration complexity metrics to compare vulnerable and non-vulnerable functions considering their vulnerability history. Our goal was to learn about whether we can observe a measurable influence of configuration complexity on the occurrence of vulnerabilities. Our results suggest, among others, that vulnerable functions have higher variability than non-vulnerable ones and are also constrained by fewer configuration options. This suggests that developers are inclined to notice functions that appear in frequently-compiled product variants. We aim to raise developers' awareness to address variability more systematically, since configuration complexity is an important, but often ignored aspect of software product lines.