An automatic method for assessing the versions affected by a vulnerability

V.H. Nguyen, S. Dashevskyi, F. Massacci

Research output: Contribution to Journal › Article › Academic › peer-review

Abstract

© 2015, Springer Science+Business Media New York.

Vulnerability data sources are used by academics to build models, and by industry and government to assess compliance. Errors in such data sources are therefore not only threats to validity in scientific studies, but may also cause organizations that rely on retro (older) versions of software to lose compliance. In this work, we propose an automated method to determine the code evidence for the presence of vulnerabilities in retro software versions. The method scans the code base of each retro version for this code evidence to determine whether the version is vulnerable or not. It identifies the lines of code that were changed to fix a vulnerability; if an earlier version still contains the lines that the fix deleted, it is highly likely that this version is vulnerable. To show the scalability of the method we performed a large-scale experiment on Chrome and Firefox (spanning 7,236 vulnerable files and approximately 9,800 vulnerabilities listed in the National Vulnerability Database, NVD). The elimination of spurious vulnerability claims (e.g. entries in a vulnerability database such as NVD) found by our method may change the conclusions of studies on the prevalence of foundational vulnerabilities.
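The core check the abstract describes, written out as an added illustration (not the authors' tool): take the lines a fix commit deleted, drop lines that carry no evidence (bare braces, or lines the fix merely moved), and test whether each retro version's file still contains them. The unified diff, file name `net/parser.c` and version snapshots are constructed sample data.

```python
"""Code-evidence check for retro versions, after the method in the abstract.
Added example; all diffs and snapshots are constructed, not real Chrome/Firefox data."""
from __future__ import annotations
import re

TRIVIAL = re.compile(r"^[\s{}();]*$")  # e.g. "}" or "};": would match almost any version


def deleted_lines(fix_diff: str) -> list[str]:
    """Lines the fix removed, whitespace-normalised, minus trivial and merely moved lines."""
    removed, added = [], set()
    for line in fix_diff.splitlines():
        if line.startswith(("---", "+++")):
            continue  # file headers, not content
        if line.startswith("-"):
            body = " ".join(line[1:].split())
            if body and not TRIVIAL.match(body):
                removed.append(body)
        elif line.startswith("+"):
            added.add(" ".join(line[1:].split()))
    # a line that was deleted and re-added elsewhere was only moved: no evidence
    return [r for r in removed if r not in added]


def evidence_ratio(deleted: list[str], source: str) -> float:
    """Fraction of the fix's deleted lines still present in one version's file."""
    if not deleted:
        return 0.0
    present = {" ".join(l.split()) for l in source.splitlines()}
    return sum(1 for d in deleted if d in present) / len(deleted)


def assess_versions(fix_diff: str, versions: dict[str, str], threshold: float = 1.0) -> dict[str, bool]:
    """True where the code evidence says the version is vulnerable."""
    deleted = deleted_lines(fix_diff)
    return {v: evidence_ratio(deleted, src) >= threshold for v, src in versions.items()}


# Constructed fix: the unbounded memcpy became a bounded one.
FIX_DIFF = """\
--- a/net/parser.c
+++ b/net/parser.c
@@ -10,4 +10,4 @@
 void parse(const char *in, size_t n) {
     char buf[64];
-    memcpy(buf, in, n);
+    memcpy(buf, in, n < sizeof buf ? n : sizeof buf);
 }
"""
VERSIONS = {  # constructed snapshots of net/parser.c; v0 predates the copy entirely
    "v0": "void parse(const char *in, size_t n) {\n    /* no copy yet */\n}\n",
    "v1": "void parse(const char *in, size_t n) {\n    char buf[64];\n    memcpy(buf, in, n);\n}\n",
    "v2": "void parse(const char *in, size_t n) {\n    char buf[64];\n    memcpy(buf, in, n < sizeof buf ? n : sizeof buf);\n}\n",
}
```

Run `assess_versions(FIX_DIFF, VERSIONS)` and `v0` comes back not vulnerable even if a database lists it as affected, which is exactly the kind of spurious claim the abstract says the method removes.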
Original language: English
Pages (from-to): 2268-2297
Journal: Empirical Software Engineering
Volume: 21
Issue number: 6
Publication status: Published - 1 Dec 2016
Externally published: Yes
