DOI: 10.1145/2382196.2382218
Research article

An historical examination of open source releases and their vulnerabilities

Published: 16 October 2012

Abstract

This paper examines historical releases of Sendmail, Postfix, Apache httpd and OpenSSL by using static source code analysis and the entry-rate in the Common Vulnerabilities and Exposures dictionary (CVE) for a release, which we take as a measure of the rate of discovery of exploitable bugs. We show that the change in number and density of issues reported by the source code analyzer is indicative of the change in rate of discovery of exploitable bugs for new releases; formally, we demonstrate a statistically significant correlation of moderate strength. The strength of the correlation is an artifact of other factors such as the degree of scrutiny: the number of security analysts investigating the software. This also demonstrates that static source code analysis can be used to make some assessment of risk even when constraints do not permit human review of the issues identified by the analysis.
We find only a weak correlation between absolute values measured by the source code analyzer and rate of discovery of exploitable bugs, so in general it is unsafe to use absolute values of number of issues or issue densities to compare different applications or software. Our results demonstrate that software quality, as measured by the number of issues, issue density or number of exploitable bugs, does not always improve with each new release. However, generally the rate of discovery of exploitable bugs begins to drop three to five years after the initial release.
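The two comparisons the abstract contrasts (analyzer output correlated with CVE entry rate as absolute per-release values, and as release-to-release change) can be reproduced on a small data set. The Python below is an added example, not code or data from the paper: the release names, line counts, issue counts, CVE counts and dates are constructed for illustration, and Spearman rank correlation with an exact permutation test stands in for whatever statistics the authors used, which the abstract does not name. "CVE rate" here is CVE entries per year of exposure up to a fixed snapshot date, one reading of the abstract's "entry-rate".

```python
"""Added example, not code from the paper: correlate per-release static-analysis
output with the CVE entry rate in the two ways the abstract contrasts
(absolute values vs. release-to-release change).  All numbers below are
constructed; they are not measurements of Sendmail, Postfix, httpd or OpenSSL."""
from dataclasses import dataclass
from datetime import date
from itertools import permutations
from typing import Sequence


@dataclass(frozen=True)
class Release:
    name: str
    released: date
    kloc: float      # thousand lines of source scanned by the analyzer
    issues: int      # warnings the analyzer reported for this release
    cves: int        # CVE entries that list this release as affected

    def issue_density(self) -> float:
        return self.issues / self.kloc

    def cve_rate(self, as_of: date) -> float:
        """CVE entries per year of exposure, the abstract's discovery-rate proxy."""
        years = (as_of - self.released).days / 365.25
        return self.cves / years


def ranks(values: Sequence[float]) -> list:
    """1-based ranks; tied values share the mean of the positions they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1
        for k in range(i, j + 1):
            r[order[k]] = mean_rank
        i = j + 1
    return r


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5


def spearman(x: Sequence[float], y: Sequence[float]) -> float:
    return pearson(ranks(x), ranks(y))


def deltas(values: Sequence[float]) -> list:
    """Release-to-release change: value of release i+1 minus value of release i."""
    return [b - a for a, b in zip(values, values[1:])]


def exact_permutation_p(x: Sequence[float], y: Sequence[float]) -> float:
    """Two-sided exact p-value for Spearman's rho, enumerating every permutation
    of y.  Only feasible for the handful of releases a project has (n! grows fast)."""
    if len(x) > 8:
        raise ValueError("use an approximate test for n > 8")
    observed = abs(spearman(x, y))
    rx = ranks(x)
    hits = total = 0
    for perm in permutations(ranks(y)):
        total += 1
        if abs(pearson(rx, perm)) >= observed - 1e-9:
            hits += 1
    return hits / total


def analyze(releases: Sequence[Release], as_of: date) -> dict:
    density = [r.issue_density() for r in releases]
    rate = [r.cve_rate(as_of) for r in releases]
    d_density, d_rate = deltas(density), deltas(rate)
    return {
        "rho_absolute": spearman(density, rate),   # density vs. CVE rate
        "rho_delta": spearman(d_density, d_rate),  # change vs. change
        "p_delta": exact_permutation_p(d_density, d_rate),
    }


# Constructed data (hypothetical project): one release per year, all observed
# from the same snapshot date, so older releases have had longer exposure.
SNAPSHOT = date(2012, 1, 1)
RELEASES = [
    Release("1.0", date(2001, 1, 1), 100, 500, 11),
    Release("1.1", date(2002, 1, 1), 105, 399, 7),
    Release("1.2", date(2003, 1, 1), 110, 484, 10),
    Release("1.3", date(2004, 1, 1), 118, 413, 7),
    Release("1.4", date(2005, 1, 1), 120, 468, 10),
    Release("1.5", date(2006, 1, 1), 130, 442, 7),
    Release("1.6", date(2007, 1, 1), 135, 486, 6),
]

if __name__ == "__main__":
    for key, value in analyze(RELEASES, SNAPSHOT).items():
        print(f"{key:13s} {value:+.3f}")
```

On this constructed data the absolute densities barely correlate with the CVE rate while the release-to-release changes correlate strongly, which is the shape of the abstract's finding; the permutation test is what turns "strong" into "significant" for a sample this small, where a parametric p-value would not be trustworthy.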


Published In

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
October 2012, 1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

1. open source software
2. risk analysis
3. static analysis

Qualifiers

• Research-article

Conference

CCS'12: the ACM Conference on Computer and Communications Security, October 16 - 18, 2012, Raleigh, North Carolina, USA

Overall acceptance rate: 1,261 of 6,999 submissions, 18%
