After-life vulnerabilities: a study on Firefox evolution, its vulnerabilities, and fixes

Authors: Viet Hung Nguyen, Fabio Massacci, Stephan Neuhaus

DOI: 10.5555/1946341.1946361

Keywords: Past history, Empirical evidence, Source code, Computer science, Software security assurance, World Wide Web, Market share, Codebase, Computer security, Secure coding, Code (cryptography)

Abstract: We study the interplay in the evolution of Firefox source code and known vulnerabilities over six major versions (v1.0, v1.5, v2.0, v3.0, v3.5, v3.6) spanning almost ten years of development, integrating a number of sources (NVD, CVE, MFSA, CVS). We conclude that a large fraction of vulnerabilities apply to code that is no longer maintained in older versions. We call these after-life vulnerabilities. This complements the Milk-or-Wine study by Ozment and Schechter--which we also partly confirm--as we look at the reference frame of the code, revealing a vulnerability's future, while they looked at its past history. Through an analysis of the code's market share, we find that vulnerable code is still very much in use, both in terms of instances and as a global codebase: CVS evidence suggests the codebase evolves relatively slowly. This empirical evidence suggests that the software-evolution-as-security solution--patching software and automatic updates--might not work, and vulnerabilities will have to be mitigated by other means.

References (23)
Andy Ozment, Stuart E. Schechter. Milk or wine: does software security improve with age? USENIX Security Symposium, pp. 7-, (2006)
O. H. Alhazmi, Y. K. Malaiya. Modeling the vulnerability discovery process. International Symposium on Software Reliability Engineering, pp. 129-138, (2005), 10.1109/ISSRE.2005.30
Thomas Zimmermann, Nachiappan Nagappan. Predicting defects with program dependencies. Empirical Software Engineering and Measurement, pp. 435-438, (2009), 10.1109/ESEM.2009.5316024
Mehran Bozorgi, Lawrence K. Saul, Stefan Savage, Geoffrey M. Voelker. Beyond heuristics: learning to classify vulnerabilities and predict exploits. Knowledge Discovery and Data Mining, pp. 105-114, (2010), 10.1145/1835804.1835821
Istehad Chowdhury, Mohammad Zulkernine. Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. Journal of Systems Architecture, vol. 57, pp. 294-313, (2011), 10.1016/J.SYSARC.2010.06.003
Mason Brown, Alan Paller. Secure software development: Why the development world awoke to the challenge. Information Security Technical Report, vol. 13, pp. 40-43, (2008), 10.1016/J.ISTR.2008.03.001
Yonghee Shin, Laurie Williams. Is complexity really the enemy of software security? Proceedings of the 4th ACM Workshop on Quality of Protection (QoP '08), pp. 47-50, (2008), 10.1145/1456362.1456372
Fabio Massacci, Viet Hung Nguyen. Which is the right source for vulnerability studies?: an empirical analysis on Mozilla Firefox. International Workshop on Security, pp. 4-, (2010), 10.1145/1853919.1853925
Michael Gegick, Pete Rotella, Laurie Williams. Predicting attack-prone components. International Conference on Software Testing, Verification, and Validation, pp. 181-190, (2009), 10.1109/ICST.2009.36