Paper published in a book (Scientific congresses, symposiums and conference proceedings)
An Empirical Analysis of Vulnerabilities in OpenSSL and the Linux Kernel
Jimenez, Matthieu; Papadakis, Mike; Le Traon, Yves
2016, in 2016 Asia-Pacific Software Engineering Conference (APSEC)
Peer reviewed
Files


Full Text: EmpiricalAnalysisAPSEC16.pdf (author preprint, 231.28 kB)

Details



Keywords :
Software Security; Vulnerabilities; Common Vulnerability Exposures; Software Metrics
Abstract :
[en] Vulnerabilities are one of the main concerns faced by practitioners when working with security-critical applications. Unfortunately, developers and security teams, even experienced ones, fail to identify many of them, with severe consequences. Vulnerabilities are hard to discover since they appear in various forms, are caused by many different issues, and their identification requires an attacker's mindset. In this paper, we aim at increasing the understanding of vulnerabilities by investigating their characteristics in two major open-source software systems, i.e., the Linux kernel and OpenSSL. In particular, we seek to analyse and build a profile for vulnerable code, which can ultimately help researchers in building automated approaches such as vulnerability prediction models. Thus, we examine the location, criticality and category of vulnerable code along with its relation to software metrics. To do so, we collect more than 2,200 vulnerable files accounting for 863 vulnerabilities and compute more than 35 software metrics. Our results indicate that while 9 Common Weakness Enumeration (CWE) types of vulnerabilities are prevalent, only 3 of them are critical in OpenSSL and 2 of them in the Linux kernel. They also indicate that different types of vulnerabilities have different characteristics, i.e., metric profiles, and that vulnerabilities of the same type have different profiles in the two projects we examined. We also found that the file structure of the projects can provide useful information related to the vulnerabilities. Overall, our results demonstrate the need for project-specific approaches that focus on specific types of vulnerabilities.
Research center :
ULHPC - University of Luxembourg: High Performance Computing
Disciplines :
Computer science
Author, co-author :
Jimenez, Matthieu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Papadakis, Mike ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Le Traon, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors :
no
Language :
English
Title :
An Empirical Analysis of Vulnerabilities in OpenSSL and the Linux Kernel
Publication date :
December 2016
Event name :
23rd Asia-Pacific Software Engineering Conference
Event organizer :
University of Waikato
Event place :
Hamilton, New Zealand
Event date :
6th-9th December 2016
Audience :
International
Main work title :
2016 Asia-Pacific Software Engineering Conference (APSEC)
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
Available on ORBilu :
since 14 October 2016


Scopus citations : 17 (15 without self-citations)
