Authors: D. DaCosta, C. Dahn, S. Mancoridis, V. Prevelakis
Published in: International Conference on Software Maintenance, 2003. ICSM 2003. Proceedings. (2003-09-22)
DOI: 10.1109/ICSM.2003.1235429 (https://doi.org/10.1109/ICSM.2003.1235429)
Characterizing the 'security vulnerability likelihood' of software functions
Software maintainers and auditors would benefit from a tool to help them focus their attention on functions that are likely to be the source of security vulnerabilities. However, the existence of such a tool is predicated on the ability to characterize a function's 'security vulnerability likelihood'. Our hypothesis is that functions near a source of input are the most likely to contain security vulnerabilities. These functions should be a small percentage of the total number of functions in the system. To validate this hypothesis, we performed an experiment involving thirty-one vulnerabilities in thirty open source systems. This paper describes the experiment, its outcome, and the tools used to conduct it. It also describes the FLF (front line functions) finder, a tool that was developed using knowledge gathered from the outcome of the experiment. This tool automates the detection of high-risk functions. To demonstrate the effectiveness of the FLF finder, three open source applications with known vulnerabilities were tested. In addition to this test, a case study was performed on the privilege separation code in the OpenSSH server daemon.